port of OpenSSL changes to Maistra-1.8 (maistra#13)

* Changes and fixes to support OpenSSL

  8f2ed86      Tim Walsh       Tue Mar 31 03:42:57 2020 +1000  Fix for dual certificate issue MAISTRA-1142 (maistra#10)
  13d2925      Dmitri Dolguikh Thu Mar 26 14:00:00 2020 -0700  Fixes MAISTRA-1299: fix ASSERT failure and infinite loop when attempting to unset readDisable state on a closed connection, part 2 (maistra#11)
  a939c3c      Dmitri Dolguikh Wed Mar 25 14:22:39 2020 -0700  Fixes MAISTRA-1299: fix ASSERT failure and infinite loop when attempting to unset readDisable state on a closed connection (maistra#9)
  09d777a      Jonh Wendell    Mon Mar 16 18:42:04 2020 -0400  Merge pull request maistra#8 from jwendell/MAISTRA-1275
  362b623      Jonh Wendell    Mon Mar 16 18:33:04 2020 -0400  MAISTRA-1275: Write "OpenSSL" into envoy --version
  6110125      Dmitri Dolguikh Fri Mar 13 10:43:59 2020 -0700  Merge pull request maistra#7 from dmitri-d/maistra-1.1-upstream-release-1.4.6-patch
  7f1eb1e      Dmitri Dolguikh Thu Mar 12 16:19:25 2020 -0700  Removed no longer relevant comments from tls_inspector_test
  8ccac21      Dmitri Dolguikh Thu Mar 12 10:49:01 2020 -0700  Fixing alpn detection in tls_inspector
  cf0f50b      Dmitri Dolguikh Thu Mar 12 14:10:23 2020 -0700  Updated bssl_wrapper to latest version
  fac23c0      Dmitri Dolguikh Thu Mar 12 14:38:36 2020 -0700  Merge branch 'upstream-release-1.4.6-patch' into maistra-1.1
  0b12b16      Dmitri Dolguikh Mon Mar 9 10:55:57 2020 -0700   Fixes MAISTRA-1226: added support for importPublicKey in lua filter (maistra#6)
  e6e28d9      Dmitri Dolguikh Fri Feb 28 14:59:58 2020 -0800  added an explanation why DynamicOpentracingHttpTracer has been disabled (maistra#5)
  7e50506      Dmitri Dolguikh Fri Feb 28 14:58:46 2020 -0800  added an explanation why DynamicOpentracingHttpTracer has been disabled (maistra#4)
  7fe1986      Dmitri Dolguikh Fri Feb 28 14:57:44 2020 -0800  Fixes MAISTRA-1167: RetryHostPredicateFilter in protocol_integration_test suite passes now (maistra#3)
  2c5d27e      Dmitri Dolguikh Fri Feb 14 12:50:21 2020 -0800  Fixes MAISTRA-1167: //test/extensions/filters/listener/proxy_protocol:proxy_protocol_test is passing now (maistra#2)
  7d0995a      Dmitri Dolguikh Fri Feb 14 12:49:59 2020 -0800  Merge pull request maistra#1 from dmitri-d/fix-1168-certchain
  ff116fa      Dmitri Dolguikh Wed Feb 12 15:29:31 2020 -0800  Fixes MAISTRA-1168: added implementation of boringssl function SSL_get_peer_full_cert_chain
  72c81ba      Dmitri Dolguikh Tue Feb 11 16:27:50 2020 -0800  Updated jwt_verification_lib to the latest version
  487d30c      Dmitri Dolguikh Tue Feb 11 09:19:53 2020 -0800  Updated for maistra-1.1 release
  071457c      Dmitri Dolguikh Tue Feb 4 15:32:41 2020 -0800   updated to support openssl

Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>

* Fixed failing tests

* Fixed failing tests

* Removed todos that have been completed

.bazelignore

@@ -1,3 +1,4 @@
 api
 examples/grpc-bridge/script
 tools/clang_tools
+test/extensions/quic_listeners/quiche

.bazelrc

@@ -324,3 +324,14 @@ build:windows --dynamic_mode=off
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc
+
+build --cxxopt -D_GLIBCXX_USE_CXX11_ABI=1
+build --cxxopt -DENVOY_IGNORE_GLIBCXX_USE_CXX11_ABI_ERROR=1
+build --cxxopt -Wnon-virtual-dtor
+build --cxxopt -Wformat
+build --cxxopt -Wformat-security
+build --cxxopt -Wno-error=deprecated-declarations
+build --cxxopt -Wno-error=unused-variable
+build --cxxopt -w
+build --cxxopt -ldl
+build --copt -DOPENSSL_IS_BORINGSSL=0

.gitignore

@@ -33,6 +33,7 @@ clang-tidy-fixes.yaml
 clang.bazelrc
 user.bazelrc
 CMakeLists.txt
+/patches
 cmake-build-debug
 /linux
 bazel.output.txt

WORKSPACE

@@ -19,3 +19,9 @@ envoy_dependencies_extra()
 load("//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
+
+new_local_repository(
+    name = "openssl",
+    path = "/usr/lib64/",
+    build_file = "openssl.BUILD"
+)

bazel/external/openssl_includes-1.patch

@@ -0,0 +1,13 @@
+diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
+index 860360b8b2..49c719285f 100644
+--- a/ssl/packet_locl.h
++++ b/ssl/packet_locl.h
+@@ -426,7 +426,7 @@ __owur static ossl_inline int PACKET_memdup(const PACKET *pkt,
+     if (length == 0)
+         return 1;
+
+-    *data = OPENSSL_memdup(pkt->curr, length);
++    *data = (unsigned char *)OPENSSL_memdup(pkt->curr, length);
+     if (*data == NULL)
+         return 0;
+

bazel/external/openssl_includes.BUILD

@@ -0,0 +1,18 @@
+cc_library(
+    name = "openssl_includes_lib",
+    copts = ["-Wno-error=error"],
+    hdrs = [
+            "e_os.h", 
+            "ssl/ssl_locl.h", 
+            "ssl/packet_locl.h", 
+            "ssl/record/record.h", 
+            "ssl/statem/statem.h", 
+            "include/internal/dane.h",
+            "include/internal/nelem.h",
+            "include/internal/numbers.h",
+            "include/internal/refcount.h",
+            "include/internal/tsan_assist.h",
+    ],
+    includes = ["ssl", "ssl/record", "ssl/statem", "include",],
+    visibility = ["//visibility:public"],
+)

bazel/repositories.bzl

@@ -184,12 +184,13 @@ def envoy_dependencies(skip_targets = []):
     # Binding to an alias pointing to the selected version of BoringSSL:
     # - BoringSSL FIPS from @boringssl_fips//:ssl,
     # - non-FIPS BoringSSL from @boringssl//:ssl.
-    _boringssl()
-    _boringssl_fips()
-    native.bind(
-        name = "ssl",
-        actual = "@envoy//bazel:boringssl",
-    )
+
+    # EXTERNAL OPENSSL
+    _openssl()
+    _openssl_includes()
+    _bssl_wrapper()
+    _openssl_cbs()
+
 
     # The long repo names (`com_github_fmtlib_fmt` instead of `fmtlib`) are
     # semi-standard in the Bazel community, intended to avoid both duplicate
@@ -266,24 +267,45 @@ def envoy_dependencies(skip_targets = []):
         actual = "@bazel_tools//tools/cpp/runfiles",
     )
 
-def _boringssl():
+#EXTERNAL OPENSSL
+def _openssl():
+    native.bind(
+        name = "ssl",
+        actual = "@openssl//:openssl-lib",
+)
+
+def _openssl_includes():
     _repository_impl(
-        name = "boringssl",
+        name = "com_github_openssl_openssl",
+        build_file = "@envoy//bazel/external:openssl_includes.BUILD",
+        patches = [
+            "@envoy//bazel/external:openssl_includes-1.patch",
+        ],
         patch_args = ["-p1"],
-        patches = ["@envoy//bazel:boringssl_static.patch"],
+    )
+    native.bind(
+        name = "openssl_includes_lib",
+        actual = "@com_github_openssl_openssl//:openssl_includes_lib",
+)
+
+
+#EXTERNAL OPENSSL
+def _bssl_wrapper():
+    _repository_impl("bssl_wrapper")
+    native.bind(
+        name = "bssl_wrapper_lib",
+        actual = "@bssl_wrapper//:bssl_wrapper_lib",
     )
 
-def _boringssl_fips():
-    location = REPOSITORY_LOCATIONS["boringssl_fips"]
-    genrule_repository(
-        name = "boringssl_fips",
-        urls = location["urls"],
-        sha256 = location["sha256"],
-        genrule_cmd_file = "@envoy//bazel/external:boringssl_fips.genrule_cmd",
-        build_file = "@envoy//bazel/external:boringssl_fips.BUILD",
-        patches = ["@envoy//bazel/external:boringssl_fips.patch"],
+#EXTERNAL OPENSSL
+def _openssl_cbs():
+    _repository_impl("openssl_cbs")
+    native.bind(
+        name = "openssl_cbs_lib",
+        actual = "@openssl_cbs//:openssl_cbs_lib",
     )
 
+
 def _com_github_circonus_labs_libcircllhist():
     _repository_impl(
         name = "com_github_circonus_labs_libcircllhist",
@@ -942,6 +964,7 @@ def _com_github_gperftools_gperftools():
     http_archive(
         name = "com_github_gperftools_gperftools",
         build_file_content = BUILD_ALL_CONTENT,
+        patch_cmds = ["./autogen.sh"],
         **location
     )
 

bazel/repository_locations.bzl

@@ -102,34 +102,43 @@ DEPENDENCY_REPOSITORIES_SPEC = dict(
         last_updated = "2020-10-01",
         use_category = ["build"],
     ),
-    boringssl = dict(
-        project_name = "BoringSSL",
-        project_desc = "Minimal OpenSSL fork",
-        project_url = "https://github.com/google/boringssl",
-        version = "597b810379e126ae05d32c1d94b1a9464385acd0",
-        sha256 = "1ea42456c020daf0a9b0f9e8d8bc3a403c9314f4f54230c617257af996cd5fa6",
-        strip_prefix = "boringssl-{version}",
-        # To update BoringSSL, which tracks Chromium releases:
-        # 1. Open https://omahaproxy.appspot.com/ and note <current_version> of linux/stable release.
-        # 2. Open https://chromium.googlesource.com/chromium/src/+/refs/tags/<current_version>/DEPS and note <boringssl_revision>.
-        # 3. Find a commit in BoringSSL's "master-with-bazel" branch that merges <boringssl_revision>.
-        #
-        # chromium-85.0.4183.83
-        urls = ["https://github.com/google/boringssl/archive/{version}.tar.gz"],
+    com_github_openssl_openssl = dict(
+    	project_name = "openssl",
+        project_desc = "Cryptography and TLS/SSL Toolkit",
+        project_url = "https://github.com/openssl/openssl",
+        version = "1.1.1",
+        sha256 = "cf26f056a955cff721d3a3c08d8126d1e4f69803e08c9600dac3b6b7158586d6",
+        strip_prefix = "openssl-894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596",
+        urls = ["https://github.com/openssl/openssl/archive/894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596.tar.gz"],
         use_category = ["controlplane", "dataplane_core"],
-        last_updated = "2020-06-23",
-        cpe = "cpe:2.3:a:google:boringssl:*",
-    ),
-    boringssl_fips = dict(
-        project_name = "BoringSSL (FIPS)",
-        project_desc = "FIPS compliant BoringSSL",
-        project_url = "https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md",
-        version = "fips-20190808",
-        sha256 = "3b5fdf23274d4179c2077b5e8fa625d9debd7a390aac1d165b7e47234f648bb8",
-        urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-ae223d6138807a13006342edfeef32e813246b39.tar.xz"],
+        cpe = "N/A",
+        last_updated = "2019-09-10",
+     ),
+    #EXTERNAL OPENSSL
+    bssl_wrapper = dict(
+        project_name = "OpenSSL BoringSSL Wrapper",
+        project_desc = "Calls to emulate BoringSSL calls in OpenSSL",
+        project_url = "https://github.com/maistra/bssl_wrapper",
+        version = "c9649facde3ab1d8bc871c7375a8946c50950e97",
+        sha256 = "d84ea7d190210145695e5b172e8e6fb23f3464360da5efab5a1ae1a973c21f57",
+        strip_prefix = "bssl_wrapper-c9649facde3ab1d8bc871c7375a8946c50950e97",
+        urls = ["https://github.com/maistra/bssl_wrapper/archive/c9649facde3ab1d8bc871c7375a8946c50950e97.tar.gz"],
+        use_category = ["controlplane", "dataplane_core"],
+        cpe = "N/A",
+        last_updated = "2020-03-09",
+    ),
+    #EXTERNAL OPENSSL
+    openssl_cbs = dict(
+        project_name = "Crypto ByteString",
+        project_desc = "CBS (Crypto ByteString) functionality provided by BoringSSL but not provided by OpenSSL",
+        project_url = "https://github.com/maistra/openssl-cbs",
+        version = "dab3282af49f134766abcda5f95cbb19057a53d1",
+        sha256 = "f466ca7bc4b876cfa9edb4870275207e580588f85f8fae268c40277846a6d8de",
+        strip_prefix = "openssl-cbs-dab3282af49f134766abcda5f95cbb19057a53d1",
+        urls = ["https://github.com/maistra/openssl-cbs/archive/dab3282af49f134766abcda5f95cbb19057a53d1.tar.gz"],
         use_category = ["controlplane", "dataplane_core"],
-        last_updated = "2019-08-08",
-        cpe = "cpe:2.3:a:google:boringssl:*",
+        cpe = "N/A",
+        last_updated = "2019-09-06",
     ),
     com_google_absl = dict(
         project_name = "Abseil",
@@ -451,14 +460,14 @@ DEPENDENCY_REPOSITORIES_SPEC = dict(
     com_github_google_jwt_verify = dict(
         project_name = "jwt_verify_lib",
         project_desc = "JWT verification library for C++",
-        project_url = "https://github.com/google/jwt_verify_lib",
-        version = "7276a339af8426724b744216f619c99152f8c141",
-        sha256 = "f1fde4f3ebb3b2d841332c7a02a4b50e0529a19709934c63bc6208d1bbe28fb1",
+        project_url = "https://github.com/maistra/jwt_verify_lib",
+        version = "73b3b3dba448b392efbe5e2894dd7b0a14d1e6f1",
+        sha256 = "ebc6a3ecdadcac401ac763ece02dd7020abbaffec7142318afcaef890607893c",
         strip_prefix = "jwt_verify_lib-{version}",
         urls = ["https://github.com/google/jwt_verify_lib/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.filters.http.jwt_authn"],
-        last_updated = "2020-07-09",
+        last_updated = "2020-08-13",
         cpe = "N/A",
     ),
     com_github_nodejs_http_parser = dict(

include/envoy/ssl/BUILD

@@ -80,7 +80,10 @@ envoy_cc_library(
 envoy_cc_library(
     name = "handshaker_interface",
     hdrs = ["handshaker.h"],
-    external_deps = ["ssl"],
+    external_deps = [
+        "ssl",
+        "bssl_wrapper_lib",
+    ],
     deps = [
         "//include/envoy/api:api_interface",
         "//include/envoy/config:typed_config_interface",

include/envoy/ssl/handshaker.h

@@ -7,6 +7,7 @@
 #include "envoy/protobuf/message_validator.h"
 
 #include "openssl/ssl.h"
+#include "bssl_wrapper/bssl_wrapper.h"
 
 namespace Envoy {
 namespace Ssl {

include/envoy/ssl/private_key/private_key.h

@@ -20,8 +20,9 @@ class TransportSocketFactoryContext;
 
 namespace Ssl {
 
+// TODO (dmitri-d) figure out a way to propagate -D compiler option to sub-projects, atm only the top-level is affected
 #ifdef OPENSSL_IS_BORINGSSL
-using BoringSslPrivateKeyMethodSharedPtr = std::shared_ptr<SSL_PRIVATE_KEY_METHOD>;
+//using BoringSslPrivateKeyMethodSharedPtr = std::shared_ptr<SSL_PRIVATE_KEY_METHOD>;
 #endif
 
 class PrivateKeyMethodProvider {
@@ -51,13 +52,14 @@ class PrivateKeyMethodProvider {
    */
   virtual bool checkFips() PURE;
 
+// TODO (dmitri-d) figure out a way to propagate -D compiler option to sub-projects, atm only the top-level is affected
 #ifdef OPENSSL_IS_BORINGSSL
   /**
    * Get the private key methods from the provider.
    * @return the private key methods associated with this provider and
    * configuration.
    */
-  virtual BoringSslPrivateKeyMethodSharedPtr getBoringSslPrivateKeyMethod() PURE;
+//  virtual BoringSslPrivateKeyMethodSharedPtr getBoringSslPrivateKeyMethod() PURE;
 #endif
 };
 

openssl.BUILD

@@ -0,0 +1,11 @@
+licenses(["notice"])  # Apache 2
+
+cc_library(
+    name = "openssl-lib",
+    srcs = [
+        "libssl.so.1.1",
+        "libcrypto.so.1.1",
+    ],
+    visibility = ["//visibility:public"],
+    linkstatic=False,
+)

source/common/crypto/BUILD

@@ -9,7 +9,12 @@ licenses(["notice"])  # Apache 2
 envoy_package()
 
 envoy_cc_library(
-    name = "utility_lib",
+   name = "utility_lib",
+   external_deps = [
+     "ssl",
+     "openssl_cbs_lib",
+     "bssl_wrapper_lib"
+    ],
     hdrs = [
         "utility.h",
     ],

source/common/crypto/utility.h

@@ -3,6 +3,7 @@
 #include <cstdint>
 #include <vector>
 
+#include "bssl_wrapper/bssl_wrapper.h"
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/crypto/crypto.h"
 

source/extensions/common/crypto/BUILD

@@ -20,6 +20,7 @@ envoy_cc_extension(
     ],
     external_deps = [
         "ssl",
+	"bssl_wrapper_lib",
     ],
     # Legacy test use. TODO(#9953) clean up.
     extra_visibility = [

source/extensions/common/crypto/crypto_impl.h

@@ -2,7 +2,8 @@
 
 #include "envoy/common/crypto/crypto.h"
 
-#include "openssl/base.h"
+//#include "openssl/base.h"
+#include "bssl_wrapper/bssl_wrapper.h"
 #include "openssl/evp.h"
 
 namespace Envoy {

source/extensions/common/crypto/utility_impl.cc

@@ -73,9 +73,8 @@ const VerificationOutput UtilityImpl::verifySignature(absl::string_view hash, Cr
 }
 
 CryptoObjectPtr UtilityImpl::importPublicKey(const std::vector<uint8_t>& key) {
-  CBS cbs({key.data(), key.size()});
-
-  return std::make_unique<PublicKeyObject>(EVP_parse_public_key(&cbs));
+  const unsigned char* tmp = key.data();
+  return std::make_unique<PublicKeyObject>(d2i_PUBKEY(nullptr, &tmp, key.size()));
 }
 
 const EVP_MD* UtilityImpl::getHashFunction(absl::string_view name) {

source/extensions/common/crypto/utility_impl.h

@@ -2,7 +2,7 @@
 
 #include "common/crypto/utility.h"
 
-#include "openssl/bytestring.h"
+//#include "openssl/bytestring.h"
 #include "openssl/hmac.h"
 #include "openssl/sha.h"
 
@@ -12,6 +12,12 @@ namespace Crypto {
 
 class UtilityImpl : public Envoy::Common::Crypto::Utility {
 public:
+// a typedef used by BoringSSL
+  typedef struct cbs_st {
+    const uint8_t *data;
+    size_t len;
+  } CBS;
+
   std::vector<uint8_t> getSha256Digest(const Buffer::Instance& buffer) override;
   std::vector<uint8_t> getSha256Hmac(const std::vector<uint8_t>& key,
                                      absl::string_view message) override;

source/extensions/common/wasm/context.cc

@@ -38,7 +38,6 @@
 #include "eval/eval/field_backed_list_impl.h"
 #include "eval/eval/field_backed_map_impl.h"
 #include "eval/public/cel_value.h"
-#include "openssl/bytestring.h"
 #include "openssl/hmac.h"
 #include "openssl/sha.h"
 

source/extensions/extensions_build_config.bzl

@@ -175,7 +175,9 @@ EXTENSIONS = {
     "envoy.transport_sockets.upstream_proxy_protocol":  "//source/extensions/transport_sockets/proxy_protocol:upstream_config",
     "envoy.transport_sockets.raw_buffer":               "//source/extensions/transport_sockets/raw_buffer:config",
     "envoy.transport_sockets.tap":                      "//source/extensions/transport_sockets/tap:config",
-    "envoy.transport_sockets.quic":                     "//source/extensions/quic_listeners/quiche:quic_factory_lib",
+    #
+    # No support for quic under OpenSSL
+    # "envoy.transport_sockets.quic":                     "//source/extensions/quic_listeners/quiche:quic_factory_lib",
 
     #
     # Retry host predicates