feat: Migrate to OpenSSL 3.0 (#44)

* feat: Migrate to OpenSSL 3.0

.github/workflows/linux.yml

@@ -9,15 +9,13 @@ on:
 jobs:
 
   CI:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - name: Install Dependencies
-      run: sudo apt update && sudo apt install -y cmake
+      run: sudo apt update && sudo apt install -y cmake openssl
     - uses: actions/checkout@v3
     - name: Build
       run: cmake -S . -B build -DENABLE_UNIT_TESTS=TRUE && cmake --build build
-    - name: Unit Test
-      run: ./build/offload_unit_test
     - name: Set up Signer Proxy Binaries
       run: ./scripts/setup_signer_proxy.sh
     - name: Integration Test

.github/workflows/macos.yml

@@ -18,11 +18,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Install Dependencies
-        run: brew update && brew install cmake openssl@1.1
+        run: brew update && brew install cmake openssl@3
       - name: Build Library
-        run: OPENSSL_ROOT_DIR="$(brew --prefix openssl@1.1)" cmake -S . -B build -DENABLE_UNIT_TESTS=TRUE && cmake --build build
-      - name: Unit Test
-        run: ./build/offload_unit_test
+        run: OPENSSL_ROOT_DIR="$(brew --prefix openssl@3)" cmake -S . -B build -DENABLE_UNIT_TESTS=TRUE && cmake --build build
       - name: Set up Signer Proxy Binaries
         run: ./scripts/setup_signer_proxy.sh
       - name: Integration Test

CMakeLists.txt

@@ -21,41 +21,10 @@ project(GoogleEnterpriseCertificateOffload VERSION 0.1)
 set(CMAKE_CXX_STANDARD 11)
 set(CMAKE_CXX_STANDARD_REQUIRED True)
 
-if (WIN32)
-set(CMAKE_CXX_STANDARD_LIBRARIES "-static-libgcc -static-libstdc++ -lwsock32 -lws2_32 ${CMAKE_CXX_STANDARD_LIBRARIES}")
-set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-Bstatic,--whole-archive -lwinpthread -Wl,--no-whole-archive")
-endif()
-
-find_package(OpenSSL 1.1.1 EXACT REQUIRED)
+find_package(OpenSSL 3.0...<3.2 REQUIRED)
 
 add_library(tls_offload SHARED
   src/offload.cpp
 )
 
 target_link_libraries(tls_offload OpenSSL::Crypto OpenSSL::SSL)
-
-if (ENABLE_UNIT_TESTS)
-  include(FetchContent)
-  FetchContent_Declare(
-    googletest
-    GIT_REPOSITORY https://github.com/google/googletest.git
-    GIT_TAG release-1.12.1
-  )
-  FetchContent_MakeAvailable(googletest)
-
-  enable_testing()
-
-  add_executable(
-    offload_unit_test
-    tests/unit/offload_test.cpp
-  )
-
-  target_link_libraries(
-    offload_unit_test
-    GTest::gtest_main
-    tls_offload
-  )
-
-  include(GoogleTest)
-  gtest_discover_tests(offload_unit_test)
-endif()

src/offload.cpp

@@ -9,7 +9,6 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
-#include <openssl/rsa.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <stdio.h>
@@ -76,7 +75,7 @@ void LogInfo(const std::string &message) {
 
 // "ex data" will be allocated once globally by `CreateEngineOnceGlobally`
 // method.
-int g_rsa_ex_index = -1, g_ec_ex_index = -1;
+int g_key_index = -1;
 
 void FreeExData(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl,
                 void *argp) {
@@ -89,32 +88,11 @@ void FreeExData(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl,
 }
 
 bool SetCustomKey(EVP_PKEY *pkey, CustomKey *key) {
-  if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
-    LogInfo("setting RSA custom key");
-    RSA *rsa = EVP_PKEY_get0_RSA(pkey);
-    return rsa && RSA_set_ex_data(rsa, g_rsa_ex_index, key);
-  }
-  if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-    LogInfo("setting EC custom key");
-    EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
-    return ec_key && EC_KEY_set_ex_data(ec_key, g_ec_ex_index, key);
-  }
-  return false;
+    return EVP_PKEY_set_ex_data(pkey, g_key_index, key);
 }
 
 CustomKey *GetCustomKey(EVP_PKEY *pkey) {
-  if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
-    const RSA *rsa = EVP_PKEY_get0_RSA(pkey);
-    return rsa ? static_cast<CustomKey *>(RSA_get_ex_data(rsa, g_rsa_ex_index))
-               : nullptr;
-  }
-  if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-    const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
-    return ec_key ? static_cast<CustomKey *>(
-                        EC_KEY_get_ex_data(ec_key, g_ec_ex_index))
-                  : nullptr;
-  }
-  return nullptr;
+  return static_cast<CustomKey *>(EVP_PKEY_get_ex_data(pkey, g_key_index));
 }
 
 // Part 2. Next we make an `EVP_PKEY_METHOD` that can call `CustomKey::Sign`.
@@ -374,11 +352,9 @@ ENGINE *CreateEngineHelper() {
 
   // Allocate "ex data". We need a way to attach `CustomKey` to `EVP_PKEY`s that
   // we will hand to OpenSSL. OpenSSL does this with "ex data"
-  g_rsa_ex_index =
-      RSA_get_ex_new_index(0, nullptr, nullptr, nullptr, FreeExData);
-  g_ec_ex_index =
-      EC_KEY_get_ex_new_index(0, nullptr, nullptr, nullptr, FreeExData);
-  if (g_rsa_ex_index < 0 || g_ec_ex_index < 0) {
+  g_key_index =
+      EVP_PKEY_get_ex_new_index(0, nullptr, nullptr, nullptr, FreeExData);
+  if (g_key_index < 0) {
     LogInfo("Error allocating ex data");
     return nullptr;
   }

tests/testing_utils/requirements.txt

@@ -1,5 +1,6 @@
-cryptography==36.0.2
+cryptography
 requests
 pyopenssl
 pytest
 google-auth
+cffi