QUIC OpenSSL library in CCF (#3396)

Creates a new QUICTLS build into an Azure Universal Package repository,
and adds a way to retrieve it from the CCF build, making sure we include
and link to the right objects in the pre-built QUIC version of OpenSSL
for the enclave side.

It should not change the host side (still using the system's OpenSSL),
but we also need to guarantee that the versions are compatible (ie. have
the same version and backports, ex. 1.1.1f or 1.1.1o, etc).

Because Universal Packages version is strct, we can't have the final
patch letter in the end, so we make sure the packages uploaded there are
a match with the currently supported version of the Linux distro we use.

If we decide to support multiple distros in the future, we can move that
to a blob storage and do the name resolution at the Yaml/CMake level on
both building and importing sides.

MAJOR ISSUE: We can't get the 1.1.1f version that is the same as OE
because the quictls-openssl repo deletes branches too aggressively, all
we have access is from `h` onward. We're using `o` in hope it's backward
compatible but that too will soon disappear. We should NOT use this for
anything serious before we can solve this problem.

.azure-pipelines-quictls.yml

@@ -0,0 +1,61 @@
+trigger:
+  batch: false
+
+parameters:
+  - name: VERSION
+    displayName: QUICTLS version
+    type: string
+    default: "1.1.1"
+  - name: REV
+    displayName: QUICTLS version revision
+    type: string
+    default: "o"
+  - name: PUSH_ARTIFACT
+    displayName: Publish to package feed
+    type: boolean
+    default: true
+
+jobs:
+  - job: build_quictls
+    container: ccfmsrc.azurecr.io/ccf/ci/sgx:oe-0.17.7-1
+    pool: 1es-dv4-focal
+
+    strategy:
+      matrix:
+        debug:
+          MODE: "debug"
+        release:
+          MODE: "release"
+
+    steps:
+      - checkout: self
+        clean: true
+
+      - script: scripts/quictls/build.sh ${{ parameters.VERSION }} ${{ parameters.REV }} $(MODE) ${{ parameters.PUSH_ARTIFACT }}
+        displayName: "Build QUICTLS"
+
+      - ${{ if eq(parameters.PUSH_ARTIFACT, true) }}:
+          - script: |
+              # Version to MAJOR
+              VERSION=${{ parameters.VERSION }}
+              MAJOR=${VERSION//./}
+              # Rev to MINOR (assuming it doesn't go beyond 'z')
+              CHAR=$(printf '%d' "'${{ parameters.REV }}'")
+              BASE=$(printf '%d' "'a'")
+              MINOR=$(($CHAR-$BASE+1))
+              # MAJOR.MINOR (BUILD automatic and incrementing)
+              echo "##vso[task.setvariable variable=pkg-ver]$MAJOR.$MINOR.$(Build.BuildId)"
+
+              mv scripts/quictls/quictls-${{ parameters.VERSION }}${{ parameters.REV }}-$(MODE).tar.xz $(Build.ArtifactStagingDirectory)
+            displayName: "Prepare Artifact Staging Directory"
+
+          - task: UniversalPackages@0
+            displayName: "Publish QUICTLS Artifact"
+            inputs:
+              command: publish
+              publishDirectory: "$(Build.ArtifactStagingDirectory)"
+              vstsFeedPublish: "CCF/QUICTLS"
+              vstsFeedPackagePublish: "quictls-$(MODE)"
+              versionOption: custom
+              versionPublish: "$(pkg-ver)"
+              packagePublishDescription: "CCF build of QUICTLS-enabled OpenSSL"

.azure-pipelines-templates/common.yml

@@ -19,6 +19,12 @@ jobs:
               target: ${{ parameters.target }}
               v8_mode: ${{ parameters.fetch_v8 }}
 
+      - ${{ if parameters.fetch_quictls }}:
+          - template: fetch_quictls.yml
+            parameters:
+              target: ${{ parameters.target }}
+              quictls_mode: ${{ parameters.fetch_quictls }}
+
       - template: cmake.yml
         parameters:
           cmake_args: "${{ parameters.cmake_args }}"

.azure-pipelines-templates/daily-matrix.yml

@@ -23,6 +23,8 @@ parameters:
       cmake_args: "-DENABLE_V8=ON -DV8_DEBUG=ON"
     unsafe:
       cmake_args: "-DLVI_MITIGATIONS=OFF -DVERBOSE_LOGGING=ON -DENABLE_BFT=OFF -DUNSAFE_VERSION=ON"
+    QUICTLS:
+      cmake_args: "-DENABLE_QUICTLS=ON"
 
 jobs:
   - job: "Make"
@@ -44,7 +46,8 @@ jobs:
       target: NoSGX
       env: "${{ parameters.env.NoSGX }}"
       fetch_v8: debug
-      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.debug.cmake_args }} ${{ parameters.build.V8Debug.cmake_args }} ${{ parameters.build.NoSGX.cmake_args }}"
+      fetch_quictls: debug
+      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.debug.cmake_args }} ${{ parameters.build.V8Debug.cmake_args }} ${{ parameters.build.QUICTLS.cmake_args }} ${{ parameters.build.NoSGX.cmake_args }}"
       suffix: "Instrumented"
       artifact_name: "NoSGX_Instrumented"
       ctest_filter: '-LE "benchmark|perf"'

.azure-pipelines-templates/fetch_quictls.yml

@@ -0,0 +1,41 @@
+parameters:
+  quictls_version: "1.1.1"
+  quictls_rev: "o"
+  quictls_mode: "release"
+
+steps:
+  - script: |
+      set -e
+
+      # Version to MAJOR
+      VERSION=${{ parameters.quictls_version }}
+      MAJOR=${VERSION//./}
+      # Rev to MINOR (assuming it doesn't go beyond 'z')
+      CHAR=$(printf '%d' "'${{ parameters.quictls_rev }}'")
+      BASE=$(printf '%d' "'a'")
+      MINOR=$(($CHAR-$BASE+1))
+      # MAJOR.MINOR.* (BUILD automatic and incrementing)
+      echo "##vso[task.setvariable variable=pkg-ver]$MAJOR.$MINOR.*"
+
+      # Install dir (this isn't the best place but will do for now)
+      QUICTLS_DIR=build-quictls
+      echo "##vso[task.setvariable variable=QUICTLS_DIR]$QUICTLS_DIR"
+
+      # Create the download folder.
+      mkdir -p $QUICTLS_DIR
+    displayName: "Compute quictls artifact location"
+
+  - task: UniversalPackages@0
+    displayName: "Download quictls artifact"
+    inputs:
+      command: download
+      downloadDirectory: "$(QUICTLS_DIR)"
+      vstsFeed: "CCF/quictls"
+      vstsFeedPackage: "quictls-${{ parameters.quictls_mode }}"
+      vstsPackageVersion: "$(pkg-ver)"
+
+  - script: |
+      set -ex
+      TARBALL="$(QUICTLS_DIR)/quictls-${{ parameters.quictls_version }}${{ parameters.quictls_rev}}-${{ parameters.quictls_mode }}.tar.xz"
+      tar Jxf "$TARBALL" --strip 1 -C "$(QUICTLS_DIR)"
+    displayName: "Extract quictls artifact"

CMakeLists.txt

@@ -375,6 +375,14 @@ if(BUILD_TESTS)
       ${CMAKE_CURRENT_SOURCE_DIR}/src/node/test/node_info_json.cpp
     )
 
+    if(ENABLE_QUICTLS)
+      add_unit_test(
+        quic_test ${CMAKE_CURRENT_SOURCE_DIR}/src/quic/test/main.cpp
+      )
+      target_include_directories(quic_test PUBLIC ${QUICTLS_INCLUDE_DIRS})
+      target_link_libraries(quic_test PUBLIC ${QUICTLS_LIBRARIES})
+    endif()
+
     add_unit_test(tls_test ${CMAKE_CURRENT_SOURCE_DIR}/src/tls/test/main.cpp)
     target_link_libraries(tls_test PRIVATE ${CMAKE_THREAD_LIBS_INIT})
 

cmake/common.cmake

@@ -460,6 +460,7 @@ sign_app_library(
 # SNIPPET_END: JS generic application
 
 include(${CCF_DIR}/cmake/js_v8.cmake)
+include(${CCF_DIR}/cmake/quictls.cmake)
 
 install(DIRECTORY ${CCF_DIR}/samples/apps/logging/js
         DESTINATION samples/logging

cmake/quictls.cmake

@@ -0,0 +1,30 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+option(ENABLE_QUICTLS "Enable QUICTLS inside virtual enclave" OFF)
+if(ENABLE_QUICTLS)
+  message(STATUS "WARNING: QUIC utilisation is experimental")
+
+  # This isn't a good place, but because we're using the Universal Package to
+  # download it before the build directory is created, and all CI scripts are
+  # set with -xe, the `mkdir build` will fail in a later stage (and we don't
+  # want to use -p in case there is a build dir from a previous build). This
+  # will need to be fixed once we start using QUIC and shipping those libraries
+  # with CCF
+  set(QUICTLS_PATH ${CMAKE_SOURCE_DIR}/build-quictls)
+
+  if(NOT EXISTS ${QUICTLS_PATH})
+    message(
+      FATAL_ERROR
+        "ERROR: QUIC OpenSSL build not available, fetch it from the Azure Universal Package and add it to ${CMAKE_SOURCE_DIR}/build-quictls"
+    )
+  endif()
+
+  find_path(QUICTLS_INCLUDE_DIRS openssl/ssl.h HINTS ${QUICTLS_PATH}/include)
+
+  # This is intentionally different to override OE's libraries with our own
+  find_library(QUICTLS_SSL_LIBRARY ssl HINTS ${QUICTLS_PATH}/lib)
+  find_library(QUICTLS_CRYPTO_LIBRARY crypto HINTS ${QUICTLS_PATH}/lib)
+
+  set(QUICTLS_LIBRARIES "${QUICTLS_SSL_LIBRARY}" "${QUICTLS_CRYPTO_LIBRARY}")
+endif()

scripts/quictls/build.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+
+# Check https://github.com/quictls/openssl for known stable versions
+
+SKIP_CLEAN=${SKIP_CLEAN:-0}
+VERBOSE=${VERBOSE:-0}
+ASAN=${ASAN:-0}
+
+SYNTAX="build.sh <version (ex. 1.1.1)> <revision (ex. i, j, k)> <mode (debug|release)> [publish (true|false)]"
+if [ "$1" == "" ]; then
+  echo "ERROR: Missing expected argument 'version'"
+  echo "$SYNTAX"
+  exit 1
+fi
+VERSION="$1"
+REV="$2"
+MODE="$3"
+if [ "$MODE" != "debug" ] && [ "$MODE" != "release" ]; then
+  echo "ERROR: 'mode' argument must be 'debug' or 'release'"
+  echo "$SYNTAX"
+  exit 1
+fi
+PUBLISH=false
+if [ "$4" != "" ]; then
+  # uppercase to support Azure Pipelines booleans
+  if [ "$4" == "true" ] || [ "$4" == "True" ]; then
+    PUBLISH="true"
+  elif [ "$4" != "false" ] && [ "$4" != "False" ]; then
+    echo "ERROR: Publish can only be 'true' or 'false', got: $4"
+    echo "$SYNTAX"
+    exit 1
+  fi
+fi
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+BUILD_DIR="$THIS_DIR/build-quictls"
+INSTALL_DIR="install-quictls"
+PREFIX="$THIS_DIR/$INSTALL_DIR"
+SRC_TARBALL="$BUILD_DIR/openssl-$VERSION$REV.tgz"
+PKG_TARBALL="$THIS_DIR/quictls-$VERSION$REV-$MODE.tar.xz"
+BRANCH="OpenSSL_${VERSION//./_}$REV+quic"
+SRC_DIR="src"
+
+echo " + Version: $VERSION"
+echo " + Revision: $REV"
+echo " + Mode: $MODE"
+echo " + Publish: $PUBLISH"
+echo " + Source Tarball: $SRC_TARBALL"
+echo " + Package Tarball: $PKG_TARBALL"
+echo " + Branch: $BRANCH"
+
+echo " + Installing dependencies"
+sudo apt install -y clang
+
+echo " + Cleaning up environment..."
+if [ "$SKIP_CLEAN" != "1" ]; then
+  rm -rf "$BUILD_DIR"
+fi
+mkdir -p "$BUILD_DIR"
+# This should never fail but CI lint requires it
+cd "$BUILD_DIR" || exit
+
+if [ ! -f "$SRC_TARBALL" ]; then
+  echo " + Fetch the branch"
+  wget -O "$SRC_TARBALL" https://github.com/quictls/openssl/tarball/"$BRANCH"
+fi
+
+echo " + Prepare the source dir"
+# This is quictls-openssl-hash (which changes depending on the ver/rev)
+# Make sure we clean all past directories, if any
+rm -rf quictls-openssl-*
+tar xf "$SRC_TARBALL"
+TEMP_DIR=$(find . -name "quictls-openssl-*")
+mv "$TEMP_DIR" "$SRC_DIR"
+
+echo " + Configure"
+cd "$SRC_DIR" || exit
+./Configure no-dso no-shared no-ui-console no-afalgeng \
+            no-stdio no-posix-io no-threads no-tests \
+            linux-x86_64-clang \
+            --prefix="$PREFIX"
+
+echo " + Make"
+make -j "$(nproc)"
+make install_sw
+
+# Only generate tarball if asked to publish
+# Creates in .../$BUILD_DIR/ root
+if [ "$PUBLISH" == "true" ]; then
+  echo " + Generate the tarball..."
+  # Make sure we're one dir down
+  cd "$PREFIX"/.. || exit
+  rm -f "$PKG_TARBALL"
+  tar Jcf "$PKG_TARBALL" "$INSTALL_DIR"
+fi

src/quic/test/main.cpp

@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+
+#define DOCTEST_CONFIG_IMPLEMENT_WITH_MAIN
+#include "tls/tls.h"
+
+#include <doctest/doctest.h>
+#include <openssl/ssl.h>
+
+using namespace std;
+using namespace crypto;
+
+TEST_CASE("check QUIC OpenSSL library call")
+{
+  OpenSSL::Unique_SSL_CTX cfg(TLS_client_method());
+  OpenSSL::Unique_SSL ssl(cfg);
+  SSL_QUIC_METHOD* quic;
+  SSL_set_quic_method(ssl, quic);
+}