aws · samuel40791765 · Mar 14, 2025 · Mar 17, 2025
@@ -1035,6 +1035,7 @@ struct bio_st {
 #define BIO_C_GET_FILE_PTR 107
 #define BIO_C_SET_FILENAME 108
 #define BIO_C_SET_SSL 109
+#define BIO_C_GET_SSL 110
 #define BIO_C_SET_MD 111
 #define BIO_C_GET_MD 112
 #define BIO_C_GET_CIPHER_STATUS 113

@@ -5112,6 +5112,34 @@ OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx);
 OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx);
 
 
+// SSL BIO methods
+
+// BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note
+// that this has quite different behaviour from the version in OpenSSL (notably
+// that it doesn't try to auto renegotiate).
+//
+// IMPORTANT: if you are not curl, don't use this.
+OPENSSL_EXPORT const BIO_METHOD *BIO_f_ssl(void);
+
+// BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must
+// have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will
+// call |SSL_free| on |ssl| when closed. It returns one on success or something
+// other than one on error.
+OPENSSL_EXPORT long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership);
+
+// BIO_get_ssl assigns the internal |SSL| of |bio| to |*ssl|. |*ssl| should
+// not be freed. It returns one on success or something other than one on error.
+OPENSSL_EXPORT long BIO_get_ssl(BIO *bio, SSL **ssl);
+
+// BIO_new_ssl_connect uses |ctx| to return a newly allocated BIO chain with
+// |BIO_new_ssl|, followed by a connect BIO.
+OPENSSL_EXPORT BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
+
+// BIO_new_ssl returns a newly allocated SSL BIO created with |ctx|. A client
+// SSL is created if |client| is non-zero, and a server is created if otherwise.
+OPENSSL_EXPORT BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
+
+
 // Deprecated functions.
 
 // SSL_library_init calls |CRYPTO_library_init| and returns one.
@@ -5509,19 +5537,6 @@ OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
 // SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|.
 OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
 
-// BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note
-// that this has quite different behaviour from the version in OpenSSL (notably
-// that it doesn't try to auto renegotiate).
-//
-// IMPORTANT: if you are not curl, don't use this.
-OPENSSL_EXPORT const BIO_METHOD *BIO_f_ssl(void);
-
-// BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must
-// have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will
-// call |SSL_free| on |ssl| when closed. It returns one on success or something
-// other than one on error.
-OPENSSL_EXPORT long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership);
-
 // SSL_get_session returns a non-owning pointer to |ssl|'s session. For
 // historical reasons, which session it returns depends on |ssl|'s state.
 //

@@ -114,6 +114,14 @@ static long ssl_ctrl(BIO *bio, int cmd, long num, void *ptr) {
       bio->init = 1;
       return 1;
 
+    case BIO_C_GET_SSL:
+      if (ptr != nullptr) {
+        auto sslp = static_cast<SSL **>(ptr);
+        *sslp = ssl;
+        return 1;
+      }
+      return 0;
+
     case BIO_CTRL_GET_CLOSE:
       return bio->shutdown;
 
@@ -190,3 +198,45 @@ const BIO_METHOD *BIO_f_ssl(void) { return &ssl_method; }
 long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership) {
   return BIO_ctrl(bio, BIO_C_SET_SSL, take_owership, ssl);
 }
+
+long BIO_get_ssl(BIO *bio, SSL **ssl) {
+  return BIO_ctrl(bio, BIO_C_GET_SSL, 0, ssl);
+}
+
+BIO *BIO_new_ssl_connect(SSL_CTX *ctx) {
+  bssl::UniquePtr<BIO> con(BIO_new(BIO_s_connect()));
+  bssl::UniquePtr<BIO> ssl(BIO_new_ssl(ctx, 1));
+  if (!con || !ssl) {
+    return nullptr;
+  }
+  bssl::UniquePtr<BIO> ret(BIO_push(ssl.get(), con.get()));
+  if (!ret) {
+    return nullptr;
+  }
+
+  con.release();
+  ssl.release();
+  return ret.release();
+}
+
+BIO *BIO_new_ssl(SSL_CTX *ctx, int client) {
+  bssl::UniquePtr<BIO> ret(BIO_new(BIO_f_ssl()));
+  SSL *ssl = SSL_new(ctx);
+
+  if (!ret || !ssl) {
+    return nullptr;
+  }
+  if (client) {
+    SSL_set_connect_state(ssl);
+  }
+  else {
+    SSL_set_accept_state(ssl);
+  }
+
+  if (BIO_set_ssl(ret.get(), ssl, BIO_CLOSE) <= 0) {
+    return nullptr;
+  }
+  return ret.release();
+}
+
+
@@ -11148,6 +11148,40 @@ TEST(SSLTest, BIO) {
   }
 }
 
+TEST(SSLTest, BIO_2) {
+  bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
+  bssl::UniquePtr<SSL_CTX> server_ctx(
+      CreateContextWithTestCertificate(TLS_method()));
+  ASSERT_TRUE(client_ctx);
+  ASSERT_TRUE(server_ctx);
+
+  bssl::UniquePtr<BIO> server_bio(BIO_new_ssl(server_ctx.get(), 0));
+  bssl::UniquePtr<BIO> client_bio(BIO_new_ssl_connect(client_ctx.get()));
+  ASSERT_TRUE(server_bio);
+  ASSERT_TRUE(client_bio);
+
+  SSL *server_ssl_ptr, *client_ssl_ptr;
+  ASSERT_TRUE(BIO_get_ssl(server_bio.get(), &server_ssl_ptr));
+  ASSERT_TRUE(BIO_get_ssl(client_bio.get(), &client_ssl_ptr));
+  ASSERT_TRUE(server_ssl_ptr);
+  ASSERT_TRUE(client_ssl_ptr);
+
+  // Client SSL BIOs typically establish connections to a host using
+  // |BIO_do_connect|, which leverages the underlying connect |BIO| for socket
+  // management. While OpenSSL provides |BIO_new_accept| and |BIO_s_accept| for
+  // server-side socket setup, we haven't yet implemented this functionality.
+  // For these tests, we opt for traditional SSL connection methods instead
+  // until we have support for server-side socket management via |BIO|s.
+  // Adding full socket management on the server side would exceed the scope of
+  // testing |BIO_new_ssl(_connect)|, especially since we have dedicated tests
+  // elsewhere that verify |BIO_do_connect|'s correctness.
+  BIO *bio1, *bio2;
+  ASSERT_TRUE(BIO_new_bio_pair(&bio1, 0, &bio2, 0));
+  SSL_set_bio(client_ssl_ptr, bio1, bio1);
+  SSL_set_bio(server_ssl_ptr, bio2, bio2);
+  ASSERT_TRUE(CompleteHandshakes(client_ssl_ptr, server_ssl_ptr));
+}
+
 TEST(SSLTest, ALPNConfig) {
   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
   ASSERT_TRUE(ctx);

@@ -26,9 +26,11 @@ RUN set -ex && \
     lcov \
     libcap-dev \
     libcurl4-openssl-dev \
+    libev-dev \
     libevent-dev \
     libfstrm-dev \
     libftdi-dev \
+    libgcrypt20-dev \
     libglib2.0-dev \
     libgmp-dev \
     libini-config-dev \
@@ -45,8 +47,9 @@ RUN set -ex && \
     libnl-genl-3-dev \
     libpam-dev \
     libpcre3-dev  \
-    libpsl-dev \
+    libprocps-dev \
     libprotobuf-c-dev \
+    libpsl-dev \
     libssl-dev \
     libsystemd-dev \
     liburcu-dev \
@@ -67,7 +70,8 @@ RUN set -ex && \
     python3-sphinx \
     ruby \
     uthash-dev \
-    uuid-dev && \
+    uuid-dev \
+    vim-common && \
     pip3 install gcovr && \
     apt-get autoremove --purge -y && \
     apt-get clean && \

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# This directory is specific to the docker image used. Use -DDOWNLOAD_BOOST=1 -DWITH_BOOST=<directory>
+# with mySQL to download a compatible boost version locally.
+BOOST_INSTALL_FOLDER=/home/dependencies/boost
+
+# Set up environment.
+
+# SYS_ROOT
+#  |
+#  - SRC_ROOT(aws-lc)
+#  |
+#  - SCRATCH_FOLDER
+#    |
+#    - AWS_LC_BUILD_FOLDER
+#    - AWS_LC_INSTALL_FOLDER
+#    - XTRABACKUP_BUILD_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER=${SYS_ROOT}/"XTRABACKUP_BUILD_ROOT"
+XTRABACKUP_SRC_FOLDER="${SCRATCH_FOLDER}/percona-xtrabackup"
+XTRABACKUP_BUILD_FOLDER="${SCRATCH_FOLDER}/xtrabackup-aws-lc"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${XTRABACKUP_SRC_FOLDER}/aws-lc-install"
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf "${SCRATCH_FOLDER:?}"/*
+cd ${SCRATCH_FOLDER}
+
+function xtrabackup_build() {
+  cmake ${XTRABACKUP_SRC_FOLDER} -GNinja -DWITH_SSL=system -DCMAKE_PREFIX_PATH=${AWS_LC_INSTALL_FOLDER} "-B${XTRABACKUP_BUILD_FOLDER}" -DCMAKE_BUILD_TYPE=RelWithDebInfo
+  time ninja -C ${XTRABACKUP_BUILD_FOLDER}
+  ls -R ${XTRABACKUP_BUILD_FOLDER}
+}
+
+git clone --recurse-submodules https://github.com/percona/percona-xtrabackup.git ${XTRABACKUP_SRC_FOLDER} --depth 1
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} ${XTRABACKUP_BUILD_FOLDER}
+ls
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=1
+
+pushd ${XTRABACKUP_SRC_FOLDER}
+xtrabackup_build
+popd
+
+ldd "${XTRABACKUP_BUILD_FOLDER}/bin/xtrabackup" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
+ldd "${XTRABACKUP_BUILD_FOLDER}/bin/xtrabackup" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libssl.so" || exit 1