OpenSSL v3 support (#22)

* Initial draft of OpenSSL v3 support

* Fix version_number() on Windows

* Rearrange code for loading

* Attempt to shim for Windows

* Use libcrypto, symbols are not reexported on Windows

* Introduce _ossl_modules_path

* Fix typo, WORD to WORD_SIZE

* Fix tests to use libcrypto for version number check

* Cleanup

* Add docstring for version

* Check version_number against regex extraction

* Add test for OpenSSL v1.1

* Test OpenSSL v1.1

* Relax version number testing for OpenSSL v1.1

* Also run IntegrationTest with OpenSSL v1.1

* Split integration tests

* Pin OpenSSL v1.1 in CI

Author: mkitti

.github/workflows/CI.yml

@@ -57,6 +57,24 @@ jobs:
             ${{ runner.os }}-
       - uses: julia-actions/julia-buildpkg@v1
       - uses: julia-actions/julia-runtest@v1
+      - name: Test with OpenSSL v1.1
+        shell: julia --project=openssl_1_1 {0}
+        run: |
+          using Pkg
+          try
+            spec = PackageSpec(name="OpenSSL_jll", version="1.1")
+            Pkg.add(spec)
+            Pkg.pin(spec)
+            Pkg.develop(PackageSpec(path="."))
+            Pkg.test("OpenSSL")  # resolver may fail with test time deps
+          catch err
+            err isa Pkg.Resolve.ResolverError || rethrow()
+            # If we can't resolve that means this is incompatible by SemVer and this is fine;
+            # it means we marked this as a breaking change, so we don't need to worry about
+            # mistakenly introducing a breaking change, as we have intentionally made one
+            @info "Not compatible with this release. No problem." exception=err
+            exit(0)  # Exit immediately as a success.
+          end
       - uses: julia-actions/julia-processcoverage@v1
       - uses: codecov/codecov-action@v1
         with:

.github/workflows/IntegrationTest.yml

@@ -31,7 +31,7 @@ jobs:
           arch: x64
       - uses: julia-actions/julia-buildpkg@latest
       - name: Clone Downstream
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: ${{ matrix.package.user }}/${{ matrix.package.repo }}
           path: downstream
@@ -51,4 +51,4 @@ jobs:
             # mistakenly introducing a breaking change, as we have intentionally made one
             @info "Not compatible with this release. No problem." exception=err
             exit(0)  # Exit immediately as a success.
-          end
+          end

.github/workflows/IntegrationTest_OpenSSL_v1_1.yml

@@ -0,0 +1,57 @@
+name: IntegrationTestOpenSSL_v1_1
+on:
+  push:
+    branches: [main]
+    tags: [v*]
+  pull_request:
+
+concurrency:
+  # Skip intermediate builds: always.
+  # Cancel intermediate builds: only if it is a pull request build.
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  test:
+    name: ${{ matrix.package.repo }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        julia-version: [1]
+        os: [ubuntu-latest]
+        package:
+          - {user: JuliaWeb, repo: HTTP.jl}
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: julia-actions/setup-julia@v1
+        with:
+          version: ${{ matrix.julia-version }}
+          arch: x64
+      - uses: julia-actions/julia-buildpkg@latest
+      - name: Clone Downstream
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ matrix.package.user }}/${{ matrix.package.repo }}
+          path: downstream
+      - name: Load this and run the downstream tests with OpenSSL v1.1
+        shell: julia --project=downstream {0}
+        run: |
+          using Pkg
+          try
+            # Force downstream tests to use this PR's version of the package.
+            spec = PackageSpec(name="OpenSSL_jll", version="1.1")
+            Pkg.add(spec)
+            Pkg.pin(spec)
+            Pkg.develop(PackageSpec(path="."))  # resolver may fail with main deps
+            Pkg.update()
+            Pkg.test()  # resolver may fail with test time deps
+          catch err
+            err isa Pkg.Resolve.ResolverError || rethrow()
+            # If we can't resolve that means this is incompatible by SemVer and this is fine;
+            # it means we marked this as a breaking change, so we don't need to worry about
+            # mistakenly introducing a breaking change, as we have intentionally made one
+            @info "Not compatible with this release. No problem." exception=err
+            exit(0)  # Exit immediately as a success.
+          end

Project.toml

@@ -11,10 +11,10 @@ OpenSSL_jll = "458c3c95-2e84-50aa-8efc-19380b2a3a95"
 Sockets = "6462fe0b-24de-5631-8697-dd941f90decc"
 
 [compat]
-julia = "1.6"
 BitFlags = "0.1"
 MozillaCACerts_jll = ">= 2020"
-OpenSSL_jll = "1.1"
+OpenSSL_jll = "1.1, 3.0"
+julia = "1.6"
 
 [extras]
 Test = "8dfed614-e22c-5e08-85e1-65c5234f0b40"

src/OpenSSL.jl

@@ -466,6 +466,141 @@ struct OpenSSLError <: Exception
     OpenSSLError(x::SSLErrorCode) = new(string(x))
 end
 
+"""
+    version(; [version_type::OpenSSLVersion])
+
+Obtain the version as a `String`. See [`OpenSSLVersion`](@ref) to select
+the version type.
+
+See also [`version_number`](@ref) to obtain a `VersionNumber`.
+"""
+function version(; version_type::OpenSSLVersion=OPENSSL_VERSION)::String
+    version = ccall(
+        (:OpenSSL_version, libcrypto),
+        Cstring,
+        (Cint,),
+        version_type)
+
+    return unsafe_string(version)
+end
+
+"""
+    version_number()::VersionNumber
+
+Return the version number of the OpenSSL C library.
+This uses `OpenSSL_version_num()`.
+"""
+function version_number()
+    # This works on OpenSSL v1.1
+    vn = ccall((:OpenSSL_version_num, libcrypto), Culong, ())
+
+    # 0xMNN00PP0L
+    # M: major
+    # NN: minor
+    # PP: patch
+    major = vn >> 28
+    minor = vn >> 20 & 0xff
+    patch = vn >> 4 & 0xff
+
+    return VersionNumber(major, minor, patch)
+end
+
+@static if version_number() ≥ v"3"
+    # In OpenSSL v3, macros redirect these symbols
+    const SSL_get_peer_certificate = :SSL_get1_peer_certificate
+    const EVP_PKEY_base_id = :EVP_PKEY_get_base_id
+    const EVP_CIPHER_key_length = :EVP_CIPHER_get_key_length
+    const EVP_CIPHER_iv_length = :EVP_CIPHER_get_iv_length
+    const EVP_CIPHER_block_size = :EVP_CIPHER_get_block_size
+    const EVP_CIPHER_CTX_block_size = :EVP_CIPHER_CTX_get_block_size
+    const EVP_CIPHER_CTX_key_length = :EVP_CIPHER_CTX_get_key_length
+    const EVP_CIPHER_CTX_iv_length = :EVP_CIPHER_CTX_get_iv_length
+else
+    const SSL_get_peer_certificate = :SSL_get_peer_certificate
+    const EVP_PKEY_base_id = :EVP_PKEY_base_id
+    const EVP_CIPHER_key_length = :EVP_CIPHER_key_length
+    const EVP_CIPHER_iv_length = :EVP_CIPHER_iv_length
+    const EVP_CIPHER_block_size = :EVP_CIPHER_block_size
+    const EVP_CIPHER_CTX_block_size = :EVP_CIPHER_CTX_block_size
+    const EVP_CIPHER_CTX_key_length = :EVP_CIPHER_CTX_key_length
+    const EVP_CIPHER_CTX_iv_length = :EVP_CIPHER_CTX_iv_length
+end
+
+# Locate oss-modules, which contains legacy shared library
+function _ossl_modules_path()
+    @static if Sys.iswindows()
+        bin_dir = dirname(OpenSSL_jll.libssl_path)
+        lib_dir = joinpath(dirname(bin_dir), "lib")
+        if Sys.WORD_SIZE == 64
+            return joinpath(lib_dir * "64", "ossl-modules")
+        else
+            return joinpath(lib_dir, "ossl-modules")
+        end
+    else
+        return joinpath(dirname(OpenSSL_jll.libssl), "ossl-modules")
+    end
+end
+
+"""
+    ossl_provider_set_default_search_path([libctx], [path])
+
+Set the default search path for providers. If no arguments are given,
+the global context will be configured for the ossl-modules directory
+in the OpenSSL_jll artifact.
+
+This is called with no arguments in OpenSSL.jl `__init__` when
+OpenSSL v3 is used.
+
+!!! compat "OpenSSL v3" `ossl_provider_set_default_search_path` is only available with version 3 of the OpenSSL_jll
+"""
+function ossl_provider_set_default_search_path(libctx = C_NULL, path = _ossl_modules_path())
+    result = ccall(
+        (:OSSL_PROVIDER_set_default_search_path, libcrypto),
+        Cint,
+        (Ptr{Nothing}, Cstring),
+        libctx,
+        path
+    )
+    if result == 0
+        throw(OpenSSLError())
+    end
+    return result
+end
+
+"""
+    load_provider([libctx], provider_name)
+
+Load a provider. If libctx is omitted, the provider will be loaded into the
+global context.
+
+!!! compat "OpenSSL v3" `load_provider` is only available with version 3 of the OpenSSL_jll
+"""
+function load_provider(libctx, provider_name)
+    result = ccall(
+        (:OSSL_PROVIDER_load, libcrypto),
+        Ptr{Nothing},
+        (Ptr{Nothing}, Cstring),
+        libctx,
+        provider_name
+    )
+    if result == C_NULL
+        throw(OpenSSLError())
+    end
+    return nothing
+end
+load_provider(provider_name) = load_provider(C_NULL, provider_name)
+
+"""
+    load_legacy_provider()
+
+Load the legacy provider. This loads legacy ciphers such as Blowfish.
+
+See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
+
+!!! compat "OpenSSL v3" `load_legacy_provider` is only available with version 3 of the OpenSSL_jll
+"""
+load_legacy_provider() = load_provider(C_NULL, "legacy")
+
 """
     Random bytes.
 """
@@ -718,19 +853,19 @@ mutable struct EvpCipher
 end
 
 get_block_size(evp_cipher::EvpCipher)::Int32 = ccall(
-    (:EVP_CIPHER_block_size, libcrypto),
+    (EVP_CIPHER_block_size, libcrypto),
     Int32,
     (EvpCipher,),
     evp_cipher)
 
 get_key_length(evp_cipher::EvpCipher)::Int32 = ccall(
-    (:EVP_CIPHER_key_length, libcrypto),
+    (EVP_CIPHER_key_length, libcrypto),
     Int32,
     (EvpCipher,),
     evp_cipher)
 
 get_init_vector_length(evp_cipher::EvpCipher)::Int32 = ccall(
-    (:EVP_CIPHER_iv_length, libcrypto),
+    (EVP_CIPHER_iv_length, libcrypto),
     Int32,
     (EvpCipher,),
     evp_cipher)
@@ -997,19 +1132,19 @@ function cipher(evp_cipher_ctx::EvpCipherContext, in_io::IO, out_io::IO)
 end
 
 get_block_size(evp_cipher_ctx::EvpCipherContext)::Int32 = ccall(
-    (:EVP_CIPHER_CTX_block_size, libcrypto),
+    (EVP_CIPHER_CTX_block_size, libcrypto),
     Int32,
     (EvpCipherContext,),
     evp_cipher_ctx)
 
 get_key_length(evp_cipher_ctx::EvpCipherContext)::Int32 = ccall(
-    (:EVP_CIPHER_CTX_key_length, libcrypto),
+    (EVP_CIPHER_CTX_key_length, libcrypto),
     Int32,
     (EvpCipherContext,),
     evp_cipher_ctx)
 
 get_init_vector_length(evp_cipher_ctx::EvpCipherContext)::Int32 = ccall(
-    (:EVP_CIPHER_CTX_iv_length, libcrypto),
+    (EVP_CIPHER_CTX_iv_length, libcrypto),
     Int32,
     (EvpCipherContext,),
     evp_cipher_ctx)
@@ -1748,7 +1883,7 @@ end
 
 function get_key_type(evp_pkey::EvpPKey)::EvpPKeyType
     pkey_type = ccall(
-        (:EVP_PKEY_base_id, libcrypto),
+        (EVP_PKEY_base_id, libcrypto),
         EvpPKeyType,
         (EvpPKey,),
         evp_pkey)
@@ -2971,16 +3106,6 @@ function update_tls_error_state()
     end
 end
 
-function version(; version_type::OpenSSLVersion=OPENSSL_VERSION)::String
-    version = ccall(
-        (:OpenSSL_version, libcrypto),
-        Cstring,
-        (Cint,),
-        version_type)
-
-    return unsafe_string(version)
-end
-
 include("ssl.jl")
 
 const OPEN_SSL_INIT = Ref{OpenSSLInit}()
@@ -2994,6 +3119,12 @@ function __init__()
     OPEN_SSL_INIT.x = OpenSSLInit()
     BIO_STREAM_CALLBACKS.x = BIOStreamCallbacks()
     BIO_STREAM_METHOD.x = BIOMethod("BIO_STREAM_METHOD")
+
+    # Set the openssl provider search path
+    if version_number() ≥ v"3"
+        ossl_provider_set_default_search_path()
+    end
+
     return
 end
 

src/ssl.jl

@@ -700,7 +700,7 @@ end
 """
 function get_peer_certificate(ssl::SSLStream)::Option{X509Certificate}
     x509 = ccall(
-        (:SSL_get_peer_certificate, libssl),
+        (SSL_get_peer_certificate, libssl),
         Ptr{Cvoid},
         (SSL,),
         ssl.ssl)