
msquic does not load with OpenSSL in FIPS mode #3422

Closed
1 of 4 tasks
wfurt opened this issue Feb 11, 2023 · 11 comments

Comments

@wfurt
Member

wfurt commented Feb 11, 2023

Describe the bug

This impacts Centos 7 and Mariner 2.0 (OpenSSL 1.1.1k FIPS) and perhaps other Linux versions.
The load fails as:

: symbol lookup error: /lib/libmsquic.so.2: undefined symbol: EVP_chacha20_poly1305, version OPENSSL_1_1_0

CHACHA is not an approved algorithm and it is missing from the system crypto binaries.
This seems to defeat the only purpose of the UseSystemOpenSSLCrypto option.

Affected OS

  • Windows
  • Linux
  • macOS
  • Other (specify below)

Additional OS information

Centos 7 and Mariner 2.0

MsQuic version

release/2.1

Steps taken to reproduce bug

Try to load published msquic library on impacted OS.

Expected behavior

libmsquic loads and ignores unsupported algorithms. If only CHACHA was requested via policy, API calls should return proper error.

Actual outcome

libmsquic fails to load because of missing dependencies.

Additional details

We should make QUIC_ALLOWED_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 fully optional (and related code).

cc: @ManickaP @CarnaViire

@nibanks
Member

nibanks commented Feb 11, 2023

It doesn't even export EVP_chacha20_poly1305? Why can't it export but just return NULL?

@wfurt
Member Author

wfurt commented Feb 11, 2023

Question for OpenSSL, but it does not. I think that is the same for other ciphers you disable during configuration. If you build without them they just disappear.

This should be easy to fix. I have a change that would fix it. I'll put up a PR when I clean it up and do more testing.

@nibanks
Member

nibanks commented Feb 11, 2023

I'd rather not disable ChaCha20 at build time, but instead dynamically resolve it at runtime. Most folks that use libmsquic package likely won't be FIPS, and I want the algorithm to continue to work.

@wfurt
Member Author

wfurt commented Feb 11, 2023

Yep. Since we already have the XXX_HANDLE, dlsym() is the answer IMHO (+ a little bit of sanity).
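The runtime-resolution approach discussed in this thread, written out as an added example (this is not msquic's own code): instead of importing EVP_chacha20_poly1305 as a hard dependency, the library looks it up with dlsym() after load, so a system libcrypto that lacks the symbol (for example a FIPS build) no longer aborts the load, and a policy that allows only ChaCha20 on such a system gets an explicit error rather than a loader failure. The suite flag names, the libcrypto soname list and the helper names are constructed for the example and stand in for msquic's real QUIC_ALLOWED_CIPHER_SUITE_* flags and handle logic.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed suite flags; they stand in for msquic's
 * QUIC_ALLOWED_CIPHER_SUITE_* values and are not the real definitions. */
#define SUITE_AES_128_GCM_SHA256       0x1u
#define SUITE_AES_256_GCM_SHA384       0x2u
#define SUITE_CHACHA20_POLY1305_SHA256 0x4u

/* Shape of OpenSSL's EVP_chacha20_poly1305(): no arguments, returns a
 * pointer to an EVP_CIPHER. The OpenSSL headers are deliberately not
 * included, so the return type stays opaque here. */
typedef const void *(*evp_cipher_fn)(void);

/* Resolve EVP_chacha20_poly1305 at runtime. Returns NULL when no loaded
 * libcrypto exports it (a FIPS or ChaCha-disabled build), and never makes
 * the enclosing library fail to load. */
static evp_cipher_fn resolve_chacha20_poly1305(void) {
    void *sym = NULL;

    /* First search the global symbol scope: the host process may already
     * have libcrypto mapped (that is the UseSystemOpenSSLCrypto case). */
    void *self = dlopen(NULL, RTLD_NOW);
    if (self != NULL) {
        sym = dlsym(self, "EVP_chacha20_poly1305");
    }

    /* Otherwise try the usual sonames, newest first (constructed list). */
    static const char *const candidates[] = {
        "libcrypto.so.3", "libcrypto.so.1.1", NULL
    };
    for (int i = 0; sym == NULL && candidates[i] != NULL; i++) {
        void *h = dlopen(candidates[i], RTLD_NOW | RTLD_GLOBAL);
        if (h != NULL) {
            sym = dlsym(h, "EVP_chacha20_poly1305");
            /* The handle is kept open on purpose: the cipher must stay
             * mapped for the lifetime of the process. */
        }
    }
    return (evp_cipher_fn)sym;
}

/* 1 if ChaCha20-Poly1305 can be used on this system, 0 otherwise. */
static int chacha20_poly1305_available(void) {
    return resolve_chacha20_poly1305() != NULL;
}

/* Apply the caller's allowed-suite mask against what actually resolved.
 * Returns the usable mask, or -1 when nothing usable remains: that is the
 * "proper error" the report asks for when policy allows only ChaCha20 on a
 * FIPS system. */
static int effective_cipher_suites(unsigned allowed, int chacha_available) {
    unsigned usable = allowed;
    if (!chacha_available) {
        usable &= ~SUITE_CHACHA20_POLY1305_SHA256;
    }
    if (usable == 0) {
        return -1;
    }
    return (int)usable;
}

int main(void) {
    int have_chacha = chacha20_poly1305_available();
    printf("EVP_chacha20_poly1305: %s\n",
           have_chacha ? "available" : "missing (FIPS or ChaCha-disabled build)");

    unsigned policy = SUITE_AES_128_GCM_SHA256 | SUITE_CHACHA20_POLY1305_SHA256;
    int usable = effective_cipher_suites(policy, have_chacha);
    printf("usable suite mask: 0x%x\n", usable);

    /* A ChaCha-only policy on a system without the cipher is an error,
     * not a load failure. */
    if (effective_cipher_suites(SUITE_CHACHA20_POLY1305_SHA256, have_chacha) < 0) {
        printf("ChaCha-only policy rejected: cipher not present\n");
    }
    return 0;
}
```

On a FIPS-mode OpenSSL the first lookup returns NULL and the loop falls through, so the process keeps running with the AES-GCM suites only; on a regular build the symbol resolves from the already-mapped libcrypto. The flag values and sonames are assumptions for the example, and on glibc older than 2.34 the dlfcn calls need -ldl at link time.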

@wfurt
Member Author

wfurt commented Feb 17, 2023

I did more testing and #3423 is unfortunately not sufficient.
It seems like more creeps in from ssl/ssl_init.c.
I will try to find some solution.

@nibanks
Member

nibanks commented Feb 23, 2023

@wfurt can we resolve this now?

@wfurt
Member Author

wfurt commented Feb 23, 2023

I was planning to close as soon as this rolls into our tests. I know MsQuic may not care @nibanks but it saves us double tracking.
And what is your strategy to track back-ports? I feel this should be serviced since it impacts platforms .NET officially supports.

@nibanks
Member

nibanks commented Feb 23, 2023

If you have something you want/need backported, please just go ahead and create the PR to the correct branch.

@nibanks
Member

nibanks commented Mar 9, 2023

@wfurt have you backported everything you need? I'd like to get this item closed.

@wfurt
Member Author

wfurt commented Mar 9, 2023

No. I was hoping to flow this to our tests but I'm failing to build MsQuic on Centos 7 because of the compiler (and other differences). At this point I'm inclined to just do the port to 2.1 without end-to-end validation if that is ok with you @nibanks. Is there some timeline for 2.1.8?

@wfurt
Member Author

wfurt commented Mar 17, 2023

.NET tests are now passing on Mariner 2.0 using 2.1.8:

https://helixre107v0xdcypoyl9e7f.blob.core.windows.net/dotnet-runtime-refs-pull-81973-merge-808ab19800c3444c99/System.Net.Quic.Functional.Tests/1/console.0eaba122.log

Console log: 'System.Net.Quic.Functional.Tests' from job 808ab198-00c3-444c-9983-c24f3929b683 (ubuntu.1804.amd64.open.rt) using docker image mcr.microsoft.com/dotnet-buildtools/prereqs:cbl-mariner-2.0-helix-amd64 on a00A27U


----- start Fri Mar 17 18:44:21 UTC 2023 =============== To repro directly: =====================================================
pushd .
/root/helix/work/correlation/dotnet exec --runtimeconfig System.Net.Quic.Functional.Tests.runtimeconfig.json --depsfile System.Net.Quic.Functional.Tests.deps.json xunit.console.dll System.Net.Quic.Functional.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing 
popd
===========================================================================================================
/root/helix/work/workitem/e /root/helix/work/workitem/e
  Discovering: System.Net.Quic.Functional.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Net.Quic.Functional.Tests (found 113 of 122 test cases)
  Starting:    System.Net.Quic.Functional.Tests (parallel test collections = on, max threads = 2)
    System.Net.Quic.Tests.MsQuicPlatformDetectionTests.UnsupportedPlatforms_ThrowsPlatformNotSupportedException [SKIP]
      Condition(s) not met: "IsQuicUnsupported"
  Finished:    System.Net.Quic.Functional.Tests
=== TEST EXECUTION SUMMARY ===
   System.Net.Quic.Functional.Tests  Total: 337, Errors: 0, Failed: 0, Skipped: 1, Time: 89.975s
/root/helix/work/workitem/e

@wfurt wfurt closed this as completed Mar 17, 2023