From ad7338d648cfeffbd595e9a7681f746ce834d59e Mon Sep 17 00:00:00 2001
From: Daniel Kurtz <djkurtz@chromium.org>
Date: Mon, 3 Jun 2019 16:46:17 -0600
Subject: [PATCH 04/10] libbrillo: Update for OpenSSL 1.1

OpenSSL 1.1 has made significant non-backwards compatible changes to its
API as outlined in:
https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

Note: There are cases (sludge, tael, tatl), where libbrillo is built
against a libchrome that has been built w/out libbase-crypto (ie,
USE="-crypto").  For this reason, we don't use its libcrypto-compat.h.

BUG=chromium:737445
TEST=cros_workon --board=sarien start libbrillo
TEST=w/ openssl-1.0.2t: FEATURES=test emerge-sarien libbrillo
TEST=w/ openssl-1.1.0j: FEATURES=test emerge-sarien libbrillo
 => Both build and pass all unittests

Change-Id: I911c733e63ccbe58b7d9ef6d8e84c9e121056725
Reviewed-on: https://chromium-review.googlesource.com/1641754
Tested-by: Daniel Kurtz <djkurtz@chromium.org>
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Nick Crews <ncrews@chromium.org>
---
 .../brillo/streams/openssl_stream_bio.cc      | 75 ++++++++++++++++---
 libbrillo/brillo/streams/tls_stream.cc        |  7 +-
 libbrillo/policy/device_policy_impl.cc        | 10 ++-
 3 files changed, 77 insertions(+), 15 deletions(-)

diff --git a/libbrillo/brillo/streams/openssl_stream_bio.cc b/libbrillo/brillo/streams/openssl_stream_bio.cc
index a63d9c0cc..478b11233 100644
--- a/libbrillo/brillo/streams/openssl_stream_bio.cc
+++ b/libbrillo/brillo/streams/openssl_stream_bio.cc
@@ -13,9 +13,32 @@ namespace brillo {
 
 namespace {
 
+// TODO(crbug.com/984789): Remove once support for OpenSSL <1.1 is dropped.
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void BIO_set_data(BIO* a, void* ptr) {
+  a->ptr = ptr;
+}
+
+static void* BIO_get_data(BIO* a) {
+  return a->ptr;
+}
+
+static void BIO_set_init(BIO* a, int init) {
+  a->init = init;
+}
+
+static int BIO_get_init(BIO* a) {
+  return a->init;
+}
+
+static void BIO_set_shutdown(BIO* a, int shut) {
+  a->shutdown = shut;
+}
+#endif
+
 // Internal functions for implementing OpenSSL BIO on brillo::Stream.
 int stream_write(BIO* bio, const char* buf, int size) {
-  brillo::Stream* stream = static_cast<brillo::Stream*>(bio->ptr);
+  brillo::Stream* stream = static_cast<brillo::Stream*>(BIO_get_data(bio));
   size_t written = 0;
   BIO_clear_retry_flags(bio);
   if (!stream->WriteNonBlocking(buf, size, &written, nullptr))
@@ -30,7 +53,7 @@ int stream_write(BIO* bio, const char* buf, int size) {
 }
 
 int stream_read(BIO* bio, char* buf, int size) {
-  brillo::Stream* stream = static_cast<brillo::Stream*>(bio->ptr);
+  brillo::Stream* stream = static_cast<brillo::Stream*>(BIO_get_data(bio));
   size_t read = 0;
   BIO_clear_retry_flags(bio);
   bool eos = false;
@@ -49,16 +72,16 @@ int stream_read(BIO* bio, char* buf, int size) {
 // NOLINTNEXTLINE(runtime/int)
 long stream_ctrl(BIO* bio, int cmd, long /* num */, void* /* ptr */) {
   if (cmd == BIO_CTRL_FLUSH) {
-    brillo::Stream* stream = static_cast<brillo::Stream*>(bio->ptr);
+    brillo::Stream* stream = static_cast<brillo::Stream*>(BIO_get_data(bio));
     return stream->FlushBlocking(nullptr) ? 1 : 0;
   }
   return 0;
 }
 
 int stream_new(BIO* bio) {
-  bio->shutdown = 0;  // By default do not close underlying stream on shutdown.
-  bio->init = 0;
-  bio->num = -1;  // not used.
+  // By default do not close underlying stream on shutdown.
+  BIO_set_shutdown(bio, 0);
+  BIO_set_init(bio, 0);
   return 1;
 }
 
@@ -66,13 +89,17 @@ int stream_free(BIO* bio) {
   if (!bio)
     return 0;
 
-  if (bio->init) {
-    bio->ptr = nullptr;
-    bio->init = 0;
+  if (BIO_get_init(bio)) {
+    BIO_set_data(bio, nullptr);
+    BIO_set_init(bio, 0);
   }
   return 1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+// TODO(crbug.com/984789): Remove #ifdef once support for OpenSSL <1.1 is
+// dropped.
+
 // BIO_METHOD structure describing the BIO built on top of brillo::Stream.
 BIO_METHOD stream_method = {
     0x7F | BIO_TYPE_SOURCE_SINK,  // type: 0x7F is an arbitrary unused type ID.
@@ -87,13 +114,37 @@ BIO_METHOD stream_method = {
     nullptr,       // callback function, not used
 };
 
+BIO_METHOD* stream_get_method() {
+  return &stream_method;
+}
+
+#else
+
+BIO_METHOD* stream_get_method() {
+  static BIO_METHOD* stream_method;
+
+  if (!stream_method) {
+    stream_method = BIO_meth_new(BIO_get_new_index() | BIO_TYPE_SOURCE_SINK,
+                                 "stream");
+    BIO_meth_set_write(stream_method, stream_write);
+    BIO_meth_set_read(stream_method, stream_read);
+    BIO_meth_set_ctrl(stream_method, stream_ctrl);
+    BIO_meth_set_create(stream_method, stream_new);
+    BIO_meth_set_destroy(stream_method, stream_free);
+  }
+
+  return stream_method;
+}
+
+#endif
+
 }  // anonymous namespace
 
 BIO* BIO_new_stream(brillo::Stream* stream) {
-  BIO* bio = BIO_new(&stream_method);
+  BIO* bio = BIO_new(stream_get_method());
   if (bio) {
-    bio->ptr = stream;
-    bio->init = 1;
+    BIO_set_data(bio, stream);
+    BIO_set_init(bio, 1);
   }
   return bio;
 }
diff --git a/libbrillo/brillo/streams/tls_stream.cc b/libbrillo/brillo/streams/tls_stream.cc
index 603bd1d54..cc63258db 100644
--- a/libbrillo/brillo/streams/tls_stream.cc
+++ b/libbrillo/brillo/streams/tls_stream.cc
@@ -68,6 +68,11 @@ const char kCACertificatePath[] =
 
 namespace brillo {
 
+// TODO(crbug.com/984789): Remove once support for OpenSSL <1.1 is dropped.
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define TLS_client_method() TLSv1_2_client_method()
+#endif
+
 // Helper implementation of TLS stream used to hide most of OpenSSL inner
 // workings from the users of brillo::TlsStream.
 class TlsStream::TlsStreamImpl {
@@ -342,7 +347,7 @@ bool TlsStream::TlsStreamImpl::Init(StreamPtr socket,
                                     const base::Closure& success_callback,
                                     const Stream::ErrorCallback& error_callback,
                                     ErrorPtr* error) {
-  ctx_.reset(SSL_CTX_new(TLSv1_2_client_method()));
+  ctx_.reset(SSL_CTX_new(TLS_client_method()));
   if (!ctx_)
     return ReportError(error, FROM_HERE, "Cannot create SSL_CTX");
 
diff --git a/libbrillo/policy/device_policy_impl.cc b/libbrillo/policy/device_policy_impl.cc
index eaf90c96a..3f96d12ee 100644
--- a/libbrillo/policy/device_policy_impl.cc
+++ b/libbrillo/policy/device_policy_impl.cc
@@ -30,6 +30,12 @@ namespace em = enterprise_management;
 
 namespace policy {
 
+// TODO(crbug.com/984789): Remove once support for OpenSSL <1.1 is dropped.
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_new EVP_MD_CTX_create
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
+#endif
+
 // Maximum value of RollbackAllowedMilestones policy.
 const int kMaxRollbackAllowedMilestones = 4;
 
@@ -55,8 +61,8 @@ bool ReadPublicKeyFromFile(const base::FilePath& key_file,
 bool VerifySignature(const std::string& signed_data,
                      const std::string& signature,
                      const std::string& public_key) {
-  std::unique_ptr<EVP_MD_CTX, void (*)(EVP_MD_CTX *)> ctx(EVP_MD_CTX_create(),
-                                                          EVP_MD_CTX_destroy);
+  std::unique_ptr<EVP_MD_CTX, void (*)(EVP_MD_CTX *)> ctx(EVP_MD_CTX_new(),
+                                                          EVP_MD_CTX_free);
   if (!ctx)
     return false;
 
-- 
2.24.1