Merge pull request #4740 from sysown/ssl_dynamic_lib

Using system OpenSSL library

deps/Makefile

@@ -38,7 +38,7 @@ endif
 STDCPP := -std=c++$(shell echo $(CPLUSPLUS) | cut -c3-4) -DCXX$(shell echo $(CPLUSPLUS) | cut -c3-4)
 
 
-targets := libconfig libdaemon jemalloc mariadb_client re2 sqlite3 pcre lz4 cityhash microhttpd curl ev libssl libhttpserver libinjection prometheus-cpp postgresql libusual libscram
+targets := check_openssl_version libconfig libdaemon jemalloc mariadb_client re2 sqlite3 pcre lz4 cityhash microhttpd curl ev libhttpserver libinjection prometheus-cpp postgresql libusual libscram
 ifeq ($(SYS_KERN),Linux)
 	targets += coredumper
 endif
@@ -69,19 +69,42 @@ endif
 
 libinjection: libinjection/libinjection/src/libinjection.a
 
+DISTRO := $(shell lsb_release -si 2>/dev/null || grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"')
+OPENSSL_VERSION_3 := 3.0.0
 
-libssl/openssl/libssl.a:
-	cd libssl && rm -rf openssl-openssl-*/ openssl-3*/ || true
-	cd libssl && tar -zxf openssl-*.tar.gz
-	cd libssl && ./verify-bio_st-match.sh
-#	cd libssl/openssl && patch crypto/ec/curve448/curve448.c < ../curve448.c-multiplication-overflow.patch
-#	cd libssl/openssl && patch crypto/asn1/a_time.c < ../a_time.c-multiplication-overflow.patch
-	cd libssl/openssl && ./config no-ssl3 no-tests
-	cd libssl/openssl && CC=${CC} CXX=${CXX} ${MAKE}
-	cd libssl/openssl && ln -fs ./ lib # curl wants this path
+ifeq ($(DISTRO), almalinux)
+	ssl_header_path := $(shell find /usr /usr/local /opt -name "ssl.h" -path "*/openssl3/*" 2>/dev/null | head -n 1)
+	LIB_SSL_PATH := $(shell find /usr /usr/local /opt -name "libssl.so.3" 2>/dev/null | head -n 1)
+	LIB_CRYPTO_PATH := $(shell find /usr /usr/local /opt -name "libcrypto.so.3" 2>/dev/null | head -n 1)
+    SSL_LDIR := $(dir $(LIB_SSL_PATH))
+else
+	ssl_header_path := $(shell find /usr /usr/local /opt -name "ssl.h" -path "*/openssl/*" 2>/dev/null | head -n 1)
+	LIB_SSL_PATH := $(shell find /usr /usr/local /opt -name "libssl.so" 2>/dev/null | head -n 1)
+	LIB_CRYPTO_PATH := $(shell find /usr /usr/local /opt -name "libcrypto.so" 2>/dev/null | head -n 1)
+    SSL_LDIR := $(dir $(LIB_SSL_PATH))
+endif
 
-libssl: libssl/openssl/libssl.a
+ifneq ($(ssl_header_path),)
+	SSL_IDIR := $(shell dirname $(shell dirname $(ssl_header_path)))
+    $(info Found OpenSSL headers at $(SSL_IDIR))
+    $(info OpenSSL lib full path is $(LIB_SSL_PATH))
+    $(info OpenSSL libs directory is $(SSL_LDIR))	
+else
+    $(error Warning: OpenSSL headers not found. exiting, please install openssl.)
+endif
 
+check_openssl_version:
+	@if [ "$(DISTRO)" = "almalinux" ]; then \
+		@current_version=$$(openssl3 version | awk '{print $$2}'); \
+	else \
+		@current_version=$$(openssl version | awk '{print $$2}'); \
+	fi; \
+	echo "Installed OpenSSL version: $$current_version"; \
+	compare_result=`printf "%s\n%s" "$(OPENSSL_VERSION_3)" "$$current_version" | sort -V | head -n 1`; \
+	if [ "$$compare_result" != "$(OPENSSL_VERSION_3)" ]; then \
+		echo "Error: Installed OpenSSL version must be $(OPENSSL_VERSION_3) or higher, Please upgrade OpenSSL."; \
+		exit 1; \
+	fi
 
 libhttpserver/libhttpserver/build/src/.libs/libhttpserver.a: libmicrohttpd/libmicrohttpd/src/microhttpd/.libs/libmicrohttpd.a re2/re2/obj/libre2.a
 	cd libhttpserver && rm -rf libhttpserver-*/ || true
@@ -120,16 +143,16 @@ coredumper/coredumper/src/libcoredumper.a:
 	cd coredumper/coredumper && CC=${CC} CXX=${CXX} ${MAKE}
 coredumper: coredumper/coredumper/src/libcoredumper.a
 
-curl/curl/lib/.libs/libcurl.a: libssl/openssl/libssl.a
+curl/curl/lib/.libs/libcurl.a:
 	cd curl && rm -rf curl-*/ || true
 	cd curl && tar -zxf curl-*.tar.gz
 #	cd curl/curl && ./configure --disable-debug --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-ipv6 --disable-sspi --disable-crypto-auth --disable-ntlm-wb --disable-tls-srp --without-nghttp2 --without-libidn2 --without-libssh2 --without-brotli --with-ssl=$(shell pwd)/../../libssl/openssl/ && CC=${CC} CXX=${CXX} ${MAKE}
 	cd curl/curl && autoreconf -fi
 ifeq ($(SYS_KERN),Darwin)
 	cd curl/curl && patch configure < ../configure.patch
 endif
-	cd curl/curl && ./configure --disable-debug --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-ipv6 --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-nghttp2 --without-libidn2 --without-libssh2 --without-brotli --without-librtmp --without-libpsl --without-zstd --with-ssl=$(shell pwd)/libssl/openssl/ --enable-shared=yes
-	cd curl/curl && LD_LIBRARY_PATH=$(shell pwd)/libssl/openssl CFLAGS=-fPIC CC=${CC} CXX=${CXX} ${MAKE}
+	cd curl/curl && CPPFLAGS="-I$(SSL_IDIR)" LDFLAGS="$(LIB_SSL_PATH) $(LIB_CRYPTO_PATH)" ./configure --disable-debug --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-ipv6 --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-nghttp2 --without-libidn2 --without-libssh2 --without-brotli --without-librtmp --without-libpsl --without-zstd --with-ssl --enable-shared=yes
+	cd curl/curl && CFLAGS=-fPIC CC=${CC} CXX=${CXX} ${MAKE}
 
 curl: curl/curl/lib/.libs/libcurl.a
 
@@ -194,11 +217,11 @@ jemalloc/jemalloc/lib/libjemalloc.a:
 jemalloc: jemalloc/jemalloc/lib/libjemalloc.a
 
 
-mariadb-client-library/mariadb_client/libmariadb/libmariadbclient.a: libssl/openssl/libssl.a
+mariadb-client-library/mariadb_client/libmariadb/libmariadbclient.a:
 	cd mariadb-client-library && rm -rf mariadb-connector-c-*/ || true
 	cd mariadb-client-library && tar -zxf mariadb-connector-c-3.3.8-src.tar.gz
 	cd mariadb-client-library/mariadb_client && patch -p0 < ../plugin_auth_CMakeLists.txt.patch
-	cd mariadb-client-library/mariadb_client && cmake . -Wno-dev -DCMAKE_BUILD_TYPE=RelWithDebInfo -DOPENSSL_ROOT_DIR=$(shell pwd)/libssl/openssl/ -DOPENSSL_LIBRARIES=$(shell pwd)/libssl/openssl/ -DICONV_LIBRARIES=$(brew --prefix libiconv)/lib -DICONV_INCLUDE=$(brew --prefix libiconv)/include .
+	cd mariadb-client-library/mariadb_client && cmake . -Wno-dev -DCMAKE_BUILD_TYPE=RelWithDebInfo -DOPENSSL_ROOT_DIR=$(SSL_IDIR) -DOPENSSL_LIBRARIES=$(SSL_LDIR) -DICONV_LIBRARIES=$(brew --prefix libiconv)/lib -DICONV_INCLUDE=$(brew --prefix libiconv)/include .
 ifeq ($(PROXYDEBUG),1)
 	cd mariadb-client-library/mariadb_client && patch -p0 < ../ma_context.h.patch
 else ifeq ($(USEVALGRIND),1)
@@ -305,30 +328,30 @@ pcre/pcre/.libs/libpcre.a:
 
 pcre: pcre/pcre/.libs/libpcre.a
 
-postgresql/postgresql/src/interfaces/libpq/libpq.a : libssl/openssl/libssl.a
+postgresql/postgresql/src/interfaces/libpq/libpq.a :
 	cd postgresql && rm -rf postgresql-*/ || true
 	cd postgresql && tar -zxf postgresql-*.tar.gz
 	cd postgresql/postgresql && patch -p0 < ../get_result_from_pgconn.patch
 	cd postgresql/postgresql && patch -p0 < ../handle_row_data.patch
 	#cd postgresql/postgresql && LD_LIBRARY_PATH="$(shell pwd)/libssl/openssl" ./configure --with-ssl=openssl --with-includes="$(shell pwd)/libssl/openssl/include/" --with-libraries="$(shell pwd)/libssl/openssl/" --without-readline --enable-debug  CFLAGS="-ggdb -O0 -fno-omit-frame-pointer" CPPFLAGS="-g -O0"
-	cd postgresql/postgresql && LD_LIBRARY_PATH="$(shell pwd)/libssl/openssl" ./configure --with-ssl=openssl --with-includes="$(shell pwd)/libssl/openssl/include/" --with-libraries="$(shell pwd)/libssl/openssl/" --without-readline
+	cd postgresql/postgresql && LD_LIBRARY_PATH="$(SSL_LDIR)" ./configure --with-ssl=openssl --with-includes="$(SSL_IDIR)" --with-libraries="$(SSL_LDIR)" --without-readline
 	cd postgresql/postgresql/src/interfaces/libpq && CC=${CC} CXX=${CXX} ${MAKE} MAKELEVEL=0
 	#cd postgresql/postgresql && CC=${CC} CXX=${CXX} ${MAKE} -f src/interfaces/libpq/Makefile all
 
 postgresql: postgresql/postgresql/src/interfaces/libpq/libpq.a
 
-libusual/libusual/.libs/libusual.a: libssl/openssl/libssl.a
+libusual/libusual/.libs/libusual.a:
 	cd libusual && rm -rf libusual-*/ || true
 	cd libusual && tar -zxf libusual-*.tar.gz
 	cd libusual/libusual && ./autogen.sh
-	cd libusual/libusual && ./configure --with-openssl="$(shell pwd)/libssl/openssl/" --disable-shared
+	cd libusual/libusual &&  CPPFLAGS="-I$(SSL_IDIR)" LDFLAGS="$(LIB_SSL_PATH) $(LIB_CRYPTO_PATH)" ./configure --with-openssl="$(SSL_LDIR)" --disable-shared
 	cd libusual/libusual && CC=${CC} CXX=${CXX} ${MAKE}
 
 libusual: libusual/libusual/.libs/libusual.a
 
-libscram/lib/libscram.a: libssl/openssl/libssl.a postgresql/postgresql/src/interfaces/libpq/libpq.a 
+libscram/lib/libscram.a:postgresql/postgresql/src/interfaces/libpq/libpq.a 
 	cd libscram && rm -rf lib/* || true
-	cd libscram && CC=${CC} CXX=${CXX} ${MAKE} LIBOPENSSL_DIR="$(shell pwd)/libssl/openssl" POSTGRESQL_DIR="$(shell pwd)/postgresql/postgresql/"
+	cd libscram && CC=${CC} CXX=${CXX} ${MAKE} LIBOPENSSL_DIR="$(SSL_IDIR)" POSTGRESQL_DIR="$(shell pwd)/postgresql/postgresql/"
 
 libscram: libscram/lib/libscram.a
 
@@ -356,7 +379,6 @@ cleanall:
 	cd libmicrohttpd && rm -rf libmicrohttpd-*/ || true
 	cd curl && rm -rf curl-*/ || true
 	cd libev && rm -rf libev-*/ || true
-	cd libssl && rm -rf openssl-openssl-*/ openssl-3*/ || true
 	cd libconfig && rm -rf libconfig-*/ || true
 	cd prometheus-cpp && rm -rf prometheus-cpp-*/ || true
 	cd cityhash && rm -rf cityhash-*/ || true

deps/libssl/README.md

@@ -16,3 +16,5 @@ Do not upgrade without extensive testing.
 See note about `struct bio_st` in MySQL_Data_Stream.cpp .
 
 Run `verify-bio_st-match.sh` to confirm compatibility.
+
+In ProxySQL 3.0.1, OpenSSL was changed from being statically linked to dynamically linked.

lib/Makefile

@@ -47,8 +47,20 @@ COREDUMPER_IDIR := $(COREDUMPER_DIR)/include
 CURL_DIR := $(DEPS_PATH)/curl/curl
 CURL_IDIR := $(CURL_DIR)/include
 
-SSL_DIR := $(DEPS_PATH)/libssl/openssl/
-SSL_IDIR := $(SSL_DIR)/include
+DISTRO := $(shell lsb_release -si 2>/dev/null || grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"')
+
+ifeq ($(DISTRO), almalinux)
+	ssl_header_path := $(shell find /usr /usr/local /opt -name "ssl.h" -path "*/openssl3/*" 2>/dev/null | head -n 1)
+else
+	ssl_header_path := $(shell find /usr /usr/local /opt -name "ssl.h" -path "*/openssl/*" 2>/dev/null | head -n 1)
+endif
+
+ifneq ($(ssl_header_path),)
+	SSL_IDIR := $(shell dirname $(shell dirname $(ssl_header_path)))
+    $(info Found yash OpenSSL headers at $(SSL_IDIR))
+else
+    $(error Warning: OpenSSL headers not found. exiting, please install openssl.)
+endif
 
 EV_DIR := $(DEPS_PATH)/libev/libev/
 EV_IDIR := $(EV_DIR)

lib/PgSQL_Data_Stream.cpp

@@ -11,61 +11,6 @@
 
 #include "openssl/x509v3.h"
 
-/*
-
-in libssl 1.1.0
-struct bio_st {
-	const BIO_METHOD *method;
-	long (*callback) (struct bio_st *, int, const char *, int, long, long);
-	char *cb_arg;
-	int init;
-	int shutdown;
-	int flags;
-	int retry_reason;
-	int num;
-	void *ptr;
-	struct bio_st *next_bio;
-	struct bio_st *prev_bio;
-	int references;
-	uint64_t num_read;
-	uint64_t num_write;
-	CRYPTO_EX_DATA ex_data;
-	CRYPTO_RWLOCK *lock;
-};
-*/
-
-typedef int CRYPTO_REF_COUNT;
-
-/**
- * @brief This is the 'bio_st' struct definition from libssl 3.0.0. NOTE: This is an internal struct from
- *   OpenSSL library, currently it's used for performing checks on the reads/writes performed on the BIO objects.
- *   It's extremely important to keep this struct up to date with each OpenSSL dependency update.
- */
-struct bio_st {
-	OSSL_LIB_CTX* libctx;
-	const BIO_METHOD* method;
-	/* bio, mode, argp, argi, argl, ret */
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-	BIO_callback_fn callback;
-#endif
-	BIO_callback_fn_ex callback_ex;
-	char* cb_arg;               /* first argument for the callback */
-	int init;
-	int shutdown;
-	int flags;                  /* extra storage */
-	int retry_reason;
-	int num;
-	void* ptr;
-	struct bio_st* next_bio;    /* used by filter BIOs */
-	struct bio_st* prev_bio;    /* used by filter BIOs */
-	CRYPTO_REF_COUNT references;
-	uint64_t num_read;
-	uint64_t num_write;
-	CRYPTO_EX_DATA ex_data;
-	CRYPTO_RWLOCK* lock;
-};
-
-
 #define RESULTSET_BUFLEN_DS_16K 16000
 #define RESULTSET_BUFLEN_DS_1M 1000*1024
 
@@ -602,8 +547,8 @@ int PgSQL_Data_Stream::read_from_net() {
 		//ssize_t n = read(fd, buf, sizeof(buf));
 		int n = recv(fd, buf, sizeof(buf), 0);
 		//proxy_info("SSL recv of %d bytes\n", n);
-		proxy_debug(PROXY_DEBUG_NET, 7, "Session=%p: recv() read %d bytes. num_write: %lu ,  num_read: %lu\n", sess, n, rbio_ssl->num_write, rbio_ssl->num_read);
-		if (n > 0 || rbio_ssl->num_write > rbio_ssl->num_read) {
+		proxy_debug(PROXY_DEBUG_NET, 7, "Session=%p: recv() read %d bytes. num_write: %lu ,  num_read: %lu\n", sess, n, BIO_number_written(rbio_ssl), BIO_number_read(rbio_ssl));
+		if (n > 0 || BIO_number_written(rbio_ssl) > BIO_number_read(rbio_ssl)) {
 			//on_read_cb(buf, (size_t)n);
 
 			char buf2[MY_SSL_BUFFER];
@@ -728,7 +673,7 @@ int PgSQL_Data_Stream::write_to_net() {
 		if (encrypted == false) {
 			return 0;
 		}
-		if (ssl_write_len == 0 && wbio_ssl->num_write == wbio_ssl->num_read) {
+		if (ssl_write_len == 0 && BIO_number_written(wbio_ssl) == BIO_number_read(wbio_ssl)) {
 			return 0;
 		}
 	}
@@ -738,7 +683,7 @@ int PgSQL_Data_Stream::write_to_net() {
 		bytes_io = SSL_write(ssl, queue_r_ptr(queueOUT), s);
 		//proxy_info("Used SSL_write to write %d bytes\n", bytes_io);
 		proxy_debug(PROXY_DEBUG_NET, 7, "Session=%p, Datastream=%p: SSL_write() wrote %d bytes . queueOUT before: %u\n", sess, this, bytes_io, queue_data(queueOUT));
-		if (ssl_write_len || wbio_ssl->num_write > wbio_ssl->num_read) {
+		if (ssl_write_len || BIO_number_written(wbio_ssl) > BIO_number_read(wbio_ssl)) {
 			//proxy_info("ssl_write_len = %d , num_write = %d , num_read = %d\n", ssl_write_len , wbio_ssl->num_write , wbio_ssl->num_read);
 			char buf[MY_SSL_BUFFER];
 			do {
@@ -861,7 +806,7 @@ void PgSQL_Data_Stream::set_pollout() {
 			_pollfd->events |= POLLOUT;
 		}
 		if (encrypted) {
-			if (ssl_write_len || wbio_ssl->num_write > wbio_ssl->num_read) {
+			if (ssl_write_len || BIO_number_written(wbio_ssl) > BIO_number_read(wbio_ssl)) {
 				_pollfd->events |= POLLOUT;
 			}
 			else {
@@ -966,7 +911,7 @@ int PgSQL_Data_Stream::write_to_net_poll() {
 	}
 	if (call_write_to_net == false) {
 		if (encrypted) {
-			if (ssl_write_len || wbio_ssl->num_write > wbio_ssl->num_read) {
+			if (ssl_write_len || BIO_number_written(wbio_ssl) > BIO_number_read(wbio_ssl)) {
 				call_write_to_net = true;
 			}
 		}
@@ -1362,7 +1307,7 @@ void PgSQL_Data_Stream::destroy_MySQL_Connection_From_Pool(bool sq) {
 }
 
 bool PgSQL_Data_Stream::data_in_rbio() {
-	if (rbio_ssl->num_write > rbio_ssl->num_read) {
+	if (BIO_number_written(rbio_ssl) > BIO_number_read(rbio_ssl)) {
 		return true;
 	}
 	return false;