Changes and fixes to support OpenSSL

8f2ed86 Tim Walsh Tue Mar 31 03:42:57 2020 +1000 Fix for dual certificate issue MAISTRA-1142 (maistra#10) 13d2925 Dmitri Dolguikh Thu Mar 26 14:00:00 2020 -0700 Fixes MAISTRA-1299: fix ASSERT failure and infinite loop when attempting to unset readDisable state on a closed connection, part 2 (maistra#11) a939c3c Dmitri Dolguikh Wed Mar 25 14:22:39 2020 -0700 Fixes MAISTRA-1299: fix ASSERT failure and infinite loop when attempting to unset readDisable state on a closed connection (maistra#9) 09d777a Jonh Wendell Mon Mar 16 18:42:04 2020 -0400 Merge pull request maistra#8 from jwendell/MAISTRA-1275 362b623 Jonh Wendell Mon Mar 16 18:33:04 2020 -0400 MAISTRA-1275: Write "OpenSSL" into envoy --version 6110125 Dmitri Dolguikh Fri Mar 13 10:43:59 2020 -0700 Merge pull request maistra#7 from dmitri-d/maistra-1.1-upstream-release-1.4.6-patch 7f1eb1e Dmitri Dolguikh Thu Mar 12 16:19:25 2020 -0700 Removed no longer relevant comments from tls_inspector_test 8ccac21 Dmitri Dolguikh Thu Mar 12 10:49:01 2020 -0700 Fixing alpn detection in tls_inspector cf0f50b Dmitri Dolguikh Thu Mar 12 14:10:23 2020 -0700 Updated bssl_wrapper to latest version fac23c0 Dmitri Dolguikh Thu Mar 12 14:38:36 2020 -0700 Merge branch 'upstream-release-1.4.6-patch' into maistra-1.1 0b12b16 Dmitri Dolguikh Mon Mar 9 10:55:57 2020 -0700 Fixes MAISTRA-1226: added support for importPublicKey in lua filter (maistra#6) e6e28d9 Dmitri Dolguikh Fri Feb 28 14:59:58 2020 -0800 added an explanation why DynamicOpentracingHttpTracer has been disabled (maistra#5) 7e50506 Dmitri Dolguikh Fri Feb 28 14:58:46 2020 -0800 added an explanation why DynamicOpentracingHttpTracer has been disabled (maistra#4) 7fe1986 Dmitri Dolguikh Fri Feb 28 14:57:44 2020 -0800 Fixes MAISTRA-1167: RetryHostPredicateFilter in protocol_integration_test suite passes now (maistra#3) 2c5d27e Dmitri Dolguikh Fri Feb 14 12:50:21 2020 -0800 Fixes MAISTRA-1167: //test/extensions/filters/listener/proxy_protocol:proxy_protocol_test is passing now (maistra#2) 7d0995a Dmitri Dolguikh Fri Feb 14 12:49:59 2020 -0800 Merge pull request maistra#1 from dmitri-d/fix-1168-certchain ff116fa Dmitri Dolguikh Wed Feb 12 15:29:31 2020 -0800 Fixes MAISTRA-1168: added implementation of boringssl function SSL_get_peer_full_cert_chain 72c81ba Dmitri Dolguikh Tue Feb 11 16:27:50 2020 -0800 Updated jwt_verification_lib to the latest version 487d30c Dmitri Dolguikh Tue Feb 11 09:19:53 2020 -0800 Updated for maistra-1.1 release 071457c Dmitri Dolguikh Tue Feb 4 15:32:41 2020 -0800 updated to support openssl Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
dmitri-d · May 8, 2020 · c18f12a · c18f12a
1 parent a976d31
commit c18f12a
Show file tree

Hide file tree

Showing 50 changed files with 787 additions and 270 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -207,3 +207,14 @@ build:compdb --define=ENVOY_CONFIG_COMPILATION_DATABASE=1
 
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
+
+build --cxxopt -D_GLIBCXX_USE_CXX11_ABI=1
+build --cxxopt -DENVOY_IGNORE_GLIBCXX_USE_CXX11_ABI_ERROR=1
+build --cxxopt -Wnon-virtual-dtor
+build --cxxopt -Wformat
+build --cxxopt -Wformat-security
+build --cxxopt -Wno-error=deprecated-declarations
+build --cxxopt -Wno-error=unused-variable
+build --cxxopt -w
+build --cxxopt -ldl
+build --copt -DOPENSSL_IS_BORINGSSL=0
diff --git a/WORKSPACE b/WORKSPACE
@@ -19,3 +19,9 @@ envoy_dependency_imports()
 load("@rules_antlr//antlr:deps.bzl", "antlr_dependencies")
 
 antlr_dependencies(471)
+
+new_local_repository(
+    name = "openssl",
+    path = "/usr/lib64/",
+    build_file = "openssl.BUILD"
+)
diff --git a/bazel/external/openssl_includes-1.patch b/bazel/external/openssl_includes-1.patch
@@ -0,0 +1,13 @@
+diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
+index 860360b8b2..49c719285f 100644
+--- a/ssl/packet_locl.h
++++ b/ssl/packet_locl.h
+@@ -426,7 +426,7 @@ __owur static ossl_inline int PACKET_memdup(const PACKET *pkt,
+     if (length == 0)
+         return 1;
+
+-    *data = OPENSSL_memdup(pkt->curr, length);
++    *data = (unsigned char *)OPENSSL_memdup(pkt->curr, length);
+     if (*data == NULL)
+         return 0;
+
diff --git a/bazel/external/openssl_includes.BUILD b/bazel/external/openssl_includes.BUILD
@@ -0,0 +1,18 @@
+cc_library(
+    name = "openssl_includes_lib",
+    copts = ["-Wno-error=error"],
+    hdrs = [
+            "e_os.h", 
+            "ssl/ssl_locl.h", 
+            "ssl/packet_locl.h", 
+            "ssl/record/record.h", 
+            "ssl/statem/statem.h", 
+            "include/internal/dane.h",
+            "include/internal/nelem.h",
+            "include/internal/numbers.h",
+            "include/internal/refcount.h",
+            "include/internal/tsan_assist.h",
+    ],
+    includes = ["ssl", "ssl/record", "ssl/statem", "include",],
+    visibility = ["//visibility:public"],
+)
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -105,12 +105,13 @@ def envoy_dependencies(skip_targets = []):
     # Binding to an alias pointing to the selected version of BoringSSL:
     # - BoringSSL FIPS from @boringssl_fips//:ssl,
     # - non-FIPS BoringSSL from @boringssl//:ssl.
-    _boringssl()
-    _boringssl_fips()
-    native.bind(
-        name = "ssl",
-        actual = "@envoy//bazel:boringssl",
-    )
+
+    # EXTERNAL OPENSSL
+    _openssl()
+    _openssl_includes()
+    _bssl_wrapper()
+    _openssl_cbs()
+
 
     # The long repo names (`com_github_fmtlib_fmt` instead of `fmtlib`) are
     # semi-standard in the Bazel community, intended to avoid both duplicate
@@ -178,23 +179,45 @@ def envoy_dependencies(skip_targets = []):
         actual = "@bazel_tools//tools/cpp/runfiles",
     )
 
-def _boringssl():
+#EXTERNAL OPENSSL
+def _openssl():
+    native.bind(
+        name = "ssl",
+        actual = "@openssl//:openssl-lib",
+)
+
+def _openssl_includes():
     _repository_impl(
-        name = "boringssl",
+        name = "com_github_openssl_openssl",
+        build_file = "@envoy//bazel/external:openssl_includes.BUILD",
+        patches = [
+            "@envoy//bazel/external:openssl_includes-1.patch",
+        ],
         patch_args = ["-p1"],
-        patches = ["@envoy//bazel:boringssl_static.patch"],
+    )
+    native.bind(
+        name = "openssl_includes_lib",
+        actual = "@com_github_openssl_openssl//:openssl_includes_lib",
+)
+
+
+#EXTERNAL OPENSSL
+def _bssl_wrapper():
+    _repository_impl("bssl_wrapper")
+    native.bind(
+        name = "bssl_wrapper_lib",
+        actual = "@bssl_wrapper//:bssl_wrapper_lib",
     )
 
-def _boringssl_fips():
-    location = REPOSITORY_LOCATIONS["boringssl_fips"]
-    genrule_repository(
-        name = "boringssl_fips",
-        urls = location["urls"],
-        sha256 = location["sha256"],
-        genrule_cmd_file = "@envoy//bazel/external:boringssl_fips.genrule_cmd",
-        build_file = "@envoy//bazel/external:boringssl_fips.BUILD",
+#EXTERNAL OPENSSL
+def _openssl_cbs():
+    _repository_impl("openssl_cbs")
+    native.bind(
+        name = "openssl_cbs_lib",
+        actual = "@openssl_cbs//:openssl_cbs_lib",
     )
 
+
 def _com_github_circonus_labs_libcircllhist():
     _repository_impl(
         name = "com_github_circonus_labs_libcircllhist",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -26,21 +26,22 @@ REPOSITORY_LOCATIONS = dict(
         # 2020-03-24
         urls = ["https://github.com/envoyproxy/envoy-build-tools/archive/84ca08de00eedd0ba08e7d5551108d6f03f5d362.tar.gz"],
     ),
-    boringssl = dict(
-        sha256 = "a3d4de4f03cb321ef943678d72a045c9a19d26b23d6f4e313f97600c65201a27",
-        strip_prefix = "boringssl-1c2769383f027befac5b75b6cedd25daf3bf4dcf",
-        # To update BoringSSL, which tracks Chromium releases:
-        # 1. Open https://omahaproxy.appspot.com/ and note <current_version> of linux/stable release.
-        # 2. Open https://chromium.googlesource.com/chromium/src/+/refs/tags/<current_version>/DEPS and note <boringssl_revision>.
-        # 3. Find a commit in BoringSSL's "master-with-bazel" branch that merges <boringssl_revision>.
-        #
-        # chromium-81.0.4044.69
-        urls = ["https://github.com/google/boringssl/archive/1c2769383f027befac5b75b6cedd25daf3bf4dcf.tar.gz"],
-    ),
-    boringssl_fips = dict(
-        sha256 = "b12ad676ee533824f698741bd127f6fbc82c46344398a6d78d25e62c6c418c73",
-        # fips-20180730
-        urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-docs/fips/boringssl-66005f41fbc3529ffe8d007708756720529da20d.tar.xz"],
+    com_github_openssl_openssl = dict(
+        sha256 = "cf26f056a955cff721d3a3c08d8126d1e4f69803e08c9600dac3b6b7158586d6",
+        strip_prefix = "openssl-894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596",
+        urls = ["https://github.com/openssl/openssl/archive/894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596.tar.gz"],
+     ),
+    #EXTERNAL OPENSSL
+    bssl_wrapper = dict(
+        sha256 = "d84ea7d190210145695e5b172e8e6fb23f3464360da5efab5a1ae1a973c21f57",
+        strip_prefix = "bssl_wrapper-c9649facde3ab1d8bc871c7375a8946c50950e97",
+        urls = ["https://github.com/maistra/bssl_wrapper/archive/c9649facde3ab1d8bc871c7375a8946c50950e97.tar.gz"],
+    ),
+    #EXTERNAL OPENSSL
+    openssl_cbs = dict(
+        sha256 = "f466ca7bc4b876cfa9edb4870275207e580588f85f8fae268c40277846a6d8de",
+        strip_prefix = "openssl-cbs-dab3282af49f134766abcda5f95cbb19057a53d1",
+        urls = ["https://github.com/maistra/openssl-cbs/archive/dab3282af49f134766abcda5f95cbb19057a53d1.tar.gz"],
     ),
     com_google_absl = dict(
         sha256 = "2693730730247afb0e7cb2d41664ac2af3ad75c79944efd266be40ba944179b9",
@@ -183,10 +184,10 @@ REPOSITORY_LOCATIONS = dict(
         urls = ["https://github.com/msgpack/msgpack-c/releases/download/cpp-3.2.1/msgpack-3.2.1.tar.gz"],
     ),
     com_github_google_jwt_verify = dict(
-        sha256 = "d422a6eadd4bcdd0f9b122cd843a4015f8b18aebea6e1deb004bd4d401a8ef92",
-        strip_prefix = "jwt_verify_lib-40e2cc938f4bcd059a97dc6c73f59ecfa5a71bac",
-        # 2020-02-11
-        urls = ["https://github.com/google/jwt_verify_lib/archive/40e2cc938f4bcd059a97dc6c73f59ecfa5a71bac.tar.gz"],
+        sha256 = "974826c9ba8060d9656e6c360718e3ee5eb1622ff59ed4138f8a3cd718ea7b13",
+        strip_prefix = "jwt_verify_lib-2c7ddcd871c3d902e089787e244ebe49723652cc",
+        # 2019-12-20
+        urls = ["https://github.com/Maistra/jwt_verify_lib/archive/2c7ddcd871c3d902e089787e244ebe49723652cc.tar.gz"],
     ),
     com_github_nodejs_http_parser = dict(
         sha256 = "8fa0ab8770fd8425a9b431fdbf91623c4d7a9cdb842b9339289bd2b0b01b0d3d",

diff --git a/include/envoy/ssl/private_key/private_key.h b/include/envoy/ssl/private_key/private_key.h
@@ -20,8 +20,9 @@ class TransportSocketFactoryContext;
 
 namespace Ssl {
 
+// TODO (dmitri-d) figure out a way to propagate -D compiler option to sub-projects, atm only the top-level is affected
 #ifdef OPENSSL_IS_BORINGSSL
-using BoringSslPrivateKeyMethodSharedPtr = std::shared_ptr<SSL_PRIVATE_KEY_METHOD>;
+//using BoringSslPrivateKeyMethodSharedPtr = std::shared_ptr<SSL_PRIVATE_KEY_METHOD>;
 #endif
 
 class PrivateKeyMethodProvider {
@@ -51,13 +52,14 @@ class PrivateKeyMethodProvider {
    */
   virtual bool checkFips() PURE;
 
+// TODO (dmitri-d) figure out a way to propagate -D compiler option to sub-projects, atm only the top-level is affected
 #ifdef OPENSSL_IS_BORINGSSL
   /**
    * Get the private key methods from the provider.
    * @return the private key methods associated with this provider and
    * configuration.
    */
-  virtual BoringSslPrivateKeyMethodSharedPtr getBoringSslPrivateKeyMethod() PURE;
+//  virtual BoringSslPrivateKeyMethodSharedPtr getBoringSslPrivateKeyMethod() PURE;
 #endif
 };
 

diff --git a/openssl.BUILD b/openssl.BUILD
@@ -0,0 +1,11 @@
+licenses(["notice"])  # Apache 2
+
+cc_library(
+    name = "openssl-lib",
+    srcs = [
+        "libssl.so.1.1",
+        "libcrypto.so.1.1",
+    ],
+    visibility = ["//visibility:public"],
+    linkstatic=False,
+)
diff --git a/source/common/common/BUILD b/source/common/common/BUILD
@@ -9,7 +9,6 @@ load(
     "envoy_cc_win32_library",
     "envoy_include_prefix",
     "envoy_package",
-    "envoy_select_boringssl",
 )
 
 envoy_package()
@@ -367,10 +366,7 @@ envoy_cc_library(
         # This is done so that the definitions linked via the linkstamp rule don't cause collisions.
         "//conditions:default": [":generate_version_linkstamp_empty"],
     }),
-    copts = envoy_select_boringssl(
-        ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""],
-        ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""],
-    ),
+    copts = ["-DENVOY_SSL_VERSION=\\\"OpenSSL_1.1.1d\\\""],
     linkstamp = "version_linkstamp.cc",
     strip_include_prefix = select({
         "//bazel:manual_stamp": "lib",

diff --git a/source/common/crypto/BUILD b/source/common/crypto/BUILD
@@ -9,7 +9,12 @@ load(
 envoy_package()
 
 envoy_cc_library(
-    name = "utility_lib",
+   name = "utility_lib",
+   external_deps = [
+     "ssl",
+     "openssl_cbs_lib",
+     "bssl_wrapper_lib"
+    ],
     hdrs = [
         "utility.h",
     ],

diff --git a/source/common/crypto/utility.h b/source/common/crypto/utility.h
@@ -3,6 +3,7 @@
 #include <cstdint>
 #include <vector>
 
+#include "bssl_wrapper/bssl_wrapper.h"
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/crypto/crypto.h"
 
@@ -73,4 +74,4 @@ using ScopedUtilitySingleton = ScopedInjectableLoader<Utility>;
 
 } // namespace Crypto
 } // namespace Common
-} // namespace Envoy
+} // namespace Envoy
diff --git a/source/extensions/common/crypto/BUILD b/source/extensions/common/crypto/BUILD
@@ -20,6 +20,7 @@ envoy_cc_extension(
     ],
     external_deps = [
         "ssl",
+	"bssl_wrapper_lib",
     ],
     security_posture = "unknown",
     undocumented = True,

diff --git a/source/extensions/common/crypto/crypto_impl.h b/source/extensions/common/crypto/crypto_impl.h
@@ -2,7 +2,8 @@
 
 #include "envoy/common/crypto/crypto.h"
 
-#include "openssl/base.h"
+//#include "openssl/base.h"
+#include "bssl_wrapper/bssl_wrapper.h"
 #include "openssl/evp.h"
 
 namespace Envoy {

diff --git a/source/extensions/common/crypto/utility_impl.cc b/source/extensions/common/crypto/utility_impl.cc
@@ -48,6 +48,7 @@ const VerificationOutput UtilityImpl::verifySignature(absl::string_view hash, Cr
   if (md == nullptr) {
     return {false, absl::StrCat(hash, " is not supported.")};
   }
+
   // Step 3: initialize EVP_DigestVerify
   auto pkey_wrapper = Common::Crypto::Access::getTyped<Common::Crypto::PublicKeyObject>(key);
   EVP_PKEY* pkey = pkey_wrapper->getEVP_PKEY();
@@ -73,9 +74,8 @@ const VerificationOutput UtilityImpl::verifySignature(absl::string_view hash, Cr
 }
 
 CryptoObjectPtr UtilityImpl::importPublicKey(const std::vector<uint8_t>& key) {
-  CBS cbs({key.data(), key.size()});
-
-  return std::make_unique<PublicKeyObject>(EVP_parse_public_key(&cbs));
+  const unsigned char* tmp = key.data();
+  return std::make_unique<PublicKeyObject>(d2i_PUBKEY(nullptr, &tmp, key.size()));
 }
 
 const EVP_MD* UtilityImpl::getHashFunction(absl::string_view name) {

diff --git a/source/extensions/common/crypto/utility_impl.h b/source/extensions/common/crypto/utility_impl.h
@@ -2,7 +2,7 @@
 
 #include "common/crypto/utility.h"
 
-#include "openssl/bytestring.h"
+//#include "openssl/bytestring.h"
 #include "openssl/hmac.h"
 #include "openssl/sha.h"
 
@@ -12,6 +12,12 @@ namespace Crypto {
 
 class UtilityImpl : public Envoy::Common::Crypto::Utility {
 public:
+// a typedef used by BoringSSL
+  typedef struct cbs_st {
+    const uint8_t *data;
+    size_t len;
+  } CBS;
+
   std::vector<uint8_t> getSha256Digest(const Buffer::Instance& buffer) override;
   std::vector<uint8_t> getSha256Hmac(const std::vector<uint8_t>& key,
                                      absl::string_view message) override;
@@ -21,6 +27,7 @@ class UtilityImpl : public Envoy::Common::Crypto::Utility {
   CryptoObjectPtr importPublicKey(const std::vector<uint8_t>& key) override;
 
 private:
+//  EVP_PKEY* EVP_parse_public_key(CBS* cbs);
   const EVP_MD* getHashFunction(absl::string_view name);
 };
 

diff --git a/source/extensions/common/wasm/wasm.cc b/source/extensions/common/wasm/wasm.cc
@@ -44,7 +44,7 @@
 #include "eval/eval/field_backed_map_impl.h"
 #include "eval/public/cel_value.h"
 #include "eval/public/value_export_util.h"
-#include "openssl/bytestring.h"
+//#include "openssl/bytestring.h"
 #include "openssl/hmac.h"
 #include "openssl/sha.h"
 

diff --git a/source/extensions/filters/http/jwt_authn/BUILD b/source/extensions/filters/http/jwt_authn/BUILD
@@ -9,6 +9,13 @@ load(
 
 envoy_package()
 
+config_setting(
+    name = "openssl_build",
+    values = {
+        "OPENSSL_IS_BORINGSSL": "false",
+    },
+)
+
 envoy_cc_library(
     name = "extractor_lib",
     srcs = ["extractor.cc"],

diff --git a/source/extensions/filters/http/lua/BUILD b/source/extensions/filters/http/lua/BUILD
@@ -16,6 +16,9 @@ envoy_cc_library(
     name = "lua_filter_lib",
     srcs = ["lua_filter.cc"],
     hdrs = ["lua_filter.h"],
+    external_deps = [
+      "openssl_cbs_lib",
+    ],
     deps = [
         ":wrappers_lib",
         "//include/envoy/http:codes_interface",

diff --git a/source/extensions/filters/listener/tls_inspector/BUILD b/source/extensions/filters/listener/tls_inspector/BUILD
@@ -16,7 +16,11 @@ envoy_cc_library(
     name = "tls_inspector_lib",
     srcs = ["tls_inspector.cc"],
     hdrs = ["tls_inspector.h"],
-    external_deps = ["ssl"],
+    external_deps = [
+        "ssl",
+        "bssl_wrapper_lib",
+        "openssl_includes_lib",
+    ],
     deps = [
         "//include/envoy/event:dispatcher_interface",
         "//include/envoy/event:timer_interface",
@@ -40,4 +44,4 @@ envoy_cc_extension(
         "//source/extensions/filters/listener/tls_inspector:tls_inspector_lib",
         "@envoy_api//envoy/extensions/filters/listener/tls_inspector/v3:pkg_cc_proto",
     ],
-)
+)