Merge 1.34 with new BoringSSL #312
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dcillera
force-pushed
the
merge-1.34-new-boring
branch
from
65024b1 to
4b41469
Compare
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…b89d846ec53f2) BoringSSL Commit ca1690e221677cea3fb946f324eb89d846ec53f2 Now in the bssl-compat/third_party/boringssl/ directory According to https://boringssl.googlesource.com/boringssl/+/HEAD/INCORPORATING.md Disabled the configure/build for BoringSSL because (1) it can't be done on all platforms, and (2) we no longer need to configure/build BoringSSL to obtain it's crypto_test_data.cc file because it is now checked in. Removed the pre installation of go into the builder image. This was only being done as a work around to support the BoringSSL configure/build, but that requirement has now gone. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
We can now use the original OpenSSL functions as Envoy has stopped accessing the internal struct fields of BIO_METHOD (relevant change in Envoy was in 0ff3fcb). This change also removes our wrapper functions to deal with this behavior and the tests for them. Signed-off-by: Daniel Grimm <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Daniel Grimm <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
* Only supports synchronous (pass or fail) verification, which is enough to accommodate the default certificate validator. * Also fixed/extended the implementation of SSL_get_peer_full_cert_chain() so that (1) it's return value now has the correct ownership semantics, and (2) it works in the context of a SSL_CTX_set_custom_verify() callback. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…s options) Note that this really is a misuse of the "boringssl=fips" define, and the "nofips" tag. However, pretending that we are building on a FIPS version of BoringSSL has the side effect of compiling out QUIC support, which is what we want to achieve. At some point, when a newer version of BoringSSL FIPS does support building QUIC, this misuse of these options will almost certainly stop working. At that point, we will need to fix the //bazel:http3=False option. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Eliminated the need for the openssl/do_ci.sh script, so the upstream ci/do_ci.sh script should now be used directly instead. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
For this test to pass, it requires OpenSSL's legacy provider, so that the RC2-40-CBC encryption algorithm is available. Previously, this was achieved via an OpenSSL configuration file, pointed to by the OPENSSL_CONF env var, which was set up in openssl/do_ci.sh script. But since the openssl/do_ci.sh script no longer exists, we have to load (and unload) the legacy provider programatically instead. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Since we do not currently support async cert validation, the following tests have been disabled: SslIntegrationTest.AsyncCertValidationSucceeds SslIntegrationTest.AsyncCertValidationSucceedsWithLocalAddress SslIntegrationTest.AsyncCertValidationAfterTearDown SslIntegrationTest.AsyncCertValidationAfterSslShutdown Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…tests By making BoringSSL's ssl_private_key_method_st struct defintion, and a few extra functions, available in bssl-compat, it is now possible to compile all of Envoy's private key method provider mplementation and test code. The main reason for this is to minimise the number of diffs wrt upstream. Clearly, because the private key method provider mechanism isn't actually implemented on OpenSSL, all the tests which actually excercise the private key method provider will fail, so they are all disabled. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Switching OpenSSL between FIPS and non-FIPS is a config choice that is made during deployment. Therefore, FIPS vs non-FIPS mode has no affect during build time. Therefore the envoy-openssl binary has no concept of being built for one mode or the other. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…f BoringSSL Some tests check for things like JA3 fingerprints and/or received byte counts, which vary between BoringSSL and OpenSSL due to slightly different client hello contents etc. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
The ErrTest.test_SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM test was failing to compile because it was referring to SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM rather than the prefixed ossl_SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM. The previously generated implementations of SSL_CTX_get_session_cache_mode() and X509_STORE_CTX_get0_chain() have been replaced with hand written ones, with the addition of some const casting to remove compiler warnings. Finally, the OpenSSL version is increased from 3.0.8 to 3.0.13 Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
A non-null callback was previously disallowed simply because there were no tests. However, when building Envoy with google grpc, the callback capability is required, and without it some of the grpc_client_integration_test fails. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
* Boringssl s390x fix * rules python fix for s390x * Update to minimum python version supported on s390x Signed-off-by: Surender Yadav <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Dependabot already runs upstream on envoyproxy/envoy, so we get all of the updates that it makes each time we synchronize. Duplicating the same checks here just creates duplicates/noise. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
It is not possible to statically obtain all available curves, so this function loads them dynamically, by trying to set each of curves superset, returning only the valid ones for given SSL context. Signed-off-by: Zuzana Miklankova <[email protected]>
Signed-off-by: Zuzana Miklankova <[email protected]>
Signed-off-by: Zuzana Miklankova <[email protected]>
dcillera
force-pushed
the
merge-1.34-new-boring
branch
3 times, most recently
from
7d5f9bb to
3eb6034
Compare
…ounds There were a number of targets and dependencies that had been commented out of various bazel files, in order to fix some QUIC related compilation failures. As it turns out, by adding just the one missing `nofips` tag, all of the previous commenting out could be removed, thus eliminating a lot of diffs WRT upstream. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
…ewrite and matching (#39169) Adds support for matching requests that include the `*` character in the path. A relevant issue was created: envoyproxy/envoy#39168 Risk Level: Testing: Updated unit tests Docs Changes: N/A Release Notes: Added Platform Specific Features: N/A Runtime guard: envoy.reloadable_features.uri_template_match_on_asterisk Resolves: envoyproxy/envoy#39168 --------- Signed-off-by: Chwila <[email protected]> Signed-off-by: Yan Avlasov <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Backport #39310 and #39349 If a connection starts draining while it has negative unused capacity (which happens if a SETTINGS frame reduces allowed concurrency to below the current number of requests), that connections unused capacity will be included in total pool capacity even though it is unusable because it is draining. This can result in not enough connections being established for current pending requests. This is most problematic for long-lived requests (such as streaming gRPC requests or long-poll requests) because a connection could be in the draining state for a long time. Maybe fixes: #39238 Fixed an issue that could lead to too many connections when using :ref:`AutoHttpConfig <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions.AutoHttpConfig>` if the established connection is ``http/2`` and Envoy predicted it would have lower concurrent capacity. --------- Signed-off-by: Greg Greenway <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
dcillera
force-pushed
the
merge-1.34-new-boring
branch
from
3eb6034 to
d08f97d
Compare
|
The |
tedjpoole
requested changes
Jun 9, 2025
Yes but what value to be returned in that case? only ossl_SSL_CLIENT_HELLO_RETRY seems feasible (only 3 values available in OpenSSL) |
tedjpoole
requested changes
Jun 11, 2025
tedjpoole
reviewed
Jun 12, 2025
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
tedjpoole
requested changes
Jun 12, 2025
None of the Envoy code ever returns the new |
Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
dcillera
force-pushed
the
merge-1.34-new-boring
branch
from
362ffae to
a9dba77
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR to permit the review of 1.34 merge and updated BoringSSL version into envoy-openssl.