Merge 1.34 with new BoringSSL #312

Merged
merged 102 commits into from
Jun 13, 2025
Changes from 1 commit

Commits (102 commits)
e56a7d6
Added bssl-compat sub directory
tedjpoole Mar 25, 2024
e3826c7
Added patches for jwt_verify_lib
tedjpoole Mar 27, 2024
42d5f4e
Added envoy-openssl specific bazelrc
tedjpoole Mar 27, 2024
62e5317
Code changes to compile on bssl-compat/openssl
tedjpoole Mar 28, 2024
68bdd34
Added basic build instructions and scripts
tedjpoole Apr 2, 2024
85eb1cc
Replaced BoringSSL submodule with a copy (ca1690e221677cea3fb946f324e…
tedjpoole Apr 3, 2024
29b0488
Updated README.md
tedjpoole Apr 4, 2024
75dc026
Add missing functions and types in Bssl compat. layer
dcillera Apr 9, 2024
4222ddb
OSSM-6274 Fixed some QUIC related compilation failures
tedjpoole Apr 10, 2024
3b67016
Fix a compile error due to a missing include (#2)
jwendell Apr 12, 2024
2657ba4
Realigned io_handle_bio_test.cc with upstream
tedjpoole Apr 15, 2024
ddbb85f
SSL_CTX_get_session_cache_mode added to bssl layer
dcillera Apr 10, 2024
75b32d2
Use OpenSSL's BIO_meth* functions instead of our wrappers
dgn May 16, 2024
3e63907
Add some missing symbols
dgn May 16, 2024
0860fb6
Initial implementation of SSL_CTX_set_custom_verify()
tedjpoole May 13, 2024
a0eddb1
Disabled compilation of QUIC code (by (mis)using the existing [no]fip…
tedjpoole May 14, 2024
37db7eb
Simplified the use of OpenSSL 3.0.x in the build container
tedjpoole May 16, 2024
b7b7360
Fixed SslSocketTest.Pkcs12CertificatesWithPassword test
tedjpoole May 16, 2024
c52a439
Disabled SslIntegrationTest.AsyncCertValidation* tests
tedjpoole May 16, 2024
e2912ed
Reinstated private key method provider implementation and (disabled) …
tedjpoole May 17, 2024
114445a
Always act as if we are building on a non-FIPS BoringSSL
tedjpoole May 17, 2024
02f1260
Fixed some test fingerprints & byte counts to match OpenSSL instead o…
tedjpoole May 17, 2024
3c0077c
Tidy up some bssl-compat compiler warnings
tedjpoole May 21, 2024
17e6eea
Allow SSL_CTX_set_verify() to receive a non-null callback parameter
tedjpoole May 21, 2024
2727cb3
Removed WORKSPACE file from bssl-compat directory
tedjpoole May 30, 2024
3a53176
Boringssl and rules python fix for s390x (#166)
surenderky Jun 6, 2024
5bc65de
Removed .github/dependabot.yml file
tedjpoole Jun 10, 2024
c6a53d2
Some tweaks for proxy build
dcillera Jun 13, 2024
96f5b11
Remove calls to unimplemented SSL_CTX_set_reverify_on_resume and SSL_…
dcillera Jun 17, 2024
0f68416
Changes & tidy ups for proxy
dcillera Jun 19, 2024
558a08d
Adding changes for ppc64le.
Jun 24, 2024
c2178ce
Vendor the googletest dependency
jwendell Jun 27, 2024
37a858c
Report "OpenSSL" instead of "BoringSSL" in version string
tedjpoole Jun 28, 2024
e1a4bbe
Fixing build failures for ppc64le
NishikantThorat Jul 1, 2024
41acc2b
s390x luajit fix with luajit2
Jul 2, 2024
8841baf
Add missing changes for luajit2 on ppc64le
Swapnali911 Jul 3, 2024
c7241f2
Patch to remove hard coded -lcrypto from proxy-wasm-cpp-host on s390x
tedjpoole Jul 5, 2024
43c9caa
Adjust default TLS versions, ciphers & curves according to FIPS
tedjpoole Jul 9, 2024
37204ee
Fixed TLS alert code mapping in SSL_CTX_set_custom_verify()
tedjpoole Jul 10, 2024
4114dab
Added EAGAIN handling in SslSocket::doRead/doWrite() methods
tedjpoole Jul 25, 2024
fce76ee
Removed "callback failed" error message from tls_inspector.cc
tedjpoole Jul 24, 2024
fccc555
Tweak maxmind build
dcillera Aug 5, 2024
1129d72
Add new patch for jwt_verify_lib
dgn May 6, 2024
8f1030b
Upstream code tweaking in BIO io_handle
dcillera Apr 30, 2025
0bab372
Uncomment layer function EC_KEY_set_public_key
dcillera Aug 6, 2024
7845f1b
Add ECDSA_verify function to compat. layer
dcillera Aug 7, 2024
8909a00
Remove compile errors in ssl_integration_test
dcillera Aug 7, 2024
1ae6cab
Align io_handle_bio to envoy-openssl
dcillera Aug 7, 2024
44e8d81
Add necessary defines and functions to bssl layer
dcillera Aug 14, 2024
8ccec20
Replace opaque OpenSSL type "BIGNUM"
dcillera Aug 14, 2024
5c6d216
Comment unimplemented function in bssl Layer
dcillera Aug 14, 2024
0bc40b2
Manage split of context_config_impl.cc file
dcillera Aug 14, 2024
0a0f7be
Clear compiler errors on quic libraries
dcillera Aug 19, 2024
a23dd58
RSA_check_key in bssl layer to solve the difference with boring when …
dcillera Aug 20, 2024
e99f1c2
Prevent failure of RevokedIntermediateCertificate
dcillera Aug 22, 2024
9e78c84
Workaround to prevent failure of tcp_grpc_access_log_integration_test
dcillera Aug 22, 2024
cf631eb
temporarily disable hotrestart_handoff_test.py
zmiklank Aug 29, 2024
02a84c5
Disable failing tests in aws_request_signing_integration
dcillera Sep 3, 2024
5cb077a
Don't test @com_github_google_quiche//:ci_tests by default
tedjpoole Aug 30, 2024
38b4603
ServerContextConfig: set TLSv1.3 as max also for FIPS mode as default
zmiklank Aug 19, 2024
8aa4b10
[bp/1.31] Prevent upstream envoy code owners getting review requests
tedjpoole Oct 4, 2024
4c195bf
Add missing X509 functions to bSSL layer
dcillera Oct 28, 2024
a5a2fd0
Build maxmind_linux in foreign_cc package
dcillera Oct 28, 2024
0998212
s390x patch for datatype mismatch in valgrind
Sep 24, 2024
6ff743b
Comment quic cert_compression_test
dcillera Oct 28, 2024
d198405
Disable new async cert tests in ssl_integration_test
dcillera Oct 29, 2024
986d8c2
Disable TlsCertificateSelectorFactoryTest/pending (async cert)
dcillera Oct 30, 2024
7302a49
Adjust sizeof of StreamInfoImpl for the test
dcillera Oct 30, 2024
97c14d1
Enabled luajit2 support for Z/P
surenderky Dec 10, 2024
5604ba6
Fixed ppc64le build failure for io_bazel_rules_go
Swapnali911 Dec 10, 2024
ebb70c5
Added workflow to perform scheduled auto merge from upstream envoy
tedjpoole Mar 4, 2025
a3dad07
Set the LLVM and Clang CMAKE path
jwendell Mar 7, 2025
b392b77
Tweak rules_go patch
dcillera May 5, 2025
b289baa
Tweak rules_foreign_cc patch
dcillera May 5, 2025
4b932e1
Add some functions to bssl-compat
dcillera May 6, 2025
7d652e8
Comment some calls to functions not available in OpenSSL
dcillera May 6, 2025
7083930
Add SSL_get0_peer_certificates to bssl-compat
dcillera May 6, 2025
334985c
Add -latomic to clang linker options
dcillera May 6, 2025
c2f5e48
Comment building of some "quic" code
dcillera May 8, 2025
e90fc80
Implement functions in bssl-compat and comment what is still TODO
dcillera May 8, 2025
f5a6832
Update BoringSSL in the bssl-compat
dcillera Jun 3, 2025
9fb813d
Adjust bssl-compat to the new BoringSSL
dcillera Jun 3, 2025
405fb57
Fix SSL_get_all_cipher_names function in bssl_compat
dcillera May 26, 2025
5c912b8
Implement SSL_CTX_set_compliance_policy in the bssl_compat
dcillera May 26, 2025
97d3bf3
Fixed failure of cert_validator_integration_test
dcillera May 29, 2025
2ecdd4c
Fix xfcc_integration_test by correcting SSL_get0_peer_certificate in …
dcillera May 30, 2025
394c937
SSL_get_all_curve_names dynamic implementation
zmiklank May 30, 2025
b61dd8f
SSL_get_all_cipher_names: obtain list of ciphers dynamically
zmiklank Jun 4, 2025
a88eea7
SSL_get_all_signature_algorithm_names: obtain algs dynamically
zmiklank Jun 4, 2025
ea2eacf
Added a missing `nofips` tag and removed previous commenting & workar…
tedjpoole Jun 4, 2025
720187d
Fix review comments in PR#312
dcillera Jun 5, 2025
6cc1a91
uri_template: Add support for the "*" character matching in pattern r…
barchw May 2, 2025
22356f2
release/docker: Bump release image -> 67cadaf (#39344)
phlax May 5, 2025
0a91a13
changelogs: Blank summary
phlax May 6, 2025
8bd888d
repo: Dev v1.34.2
phlax May 8, 2025
d08f97d
conn pool: fix bugs leading to incorrect conns created (#39446)
ggreenway May 12, 2025
c937eef
Review fixes for SSL_get_all_cipher_names(), plus a test
tedjpoole Jun 11, 2025
4b103b2
Review fixes for SSL_get_all_signature_algorithm_names(), plus a test
tedjpoole Jun 11, 2025
2752075
Review fixes for SSL_get_all_curve_names(), plus a test
tedjpoole Jun 12, 2025
d860866
Fix bssl-compat functions from new review comments in PR#312
dcillera Jun 12, 2025
0b27124
Remove warnings about constness
tedjpoole Jun 12, 2025
a9dba77
Clean, and tweak returned values, in some bssl-compat functions
dcillera Jun 12, 2025
103 changes: 68 additions & 35 deletions bssl-compat/source/SSL_get_all_signature_algorithm_names.c
@@ -1,45 +1,78 @@
#include <openssl/ssl.h>
#include <ossl.h>

static const size_t kMaxSignatureAlgorithmNameLen = 24;

struct SignatureAlgorithmName {
uint16_t signature_algorithm;
const char name[kMaxSignatureAlgorithmNameLen];
};

static const struct SignatureAlgorithmName kSignatureAlgorithmNames[] = {
{SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"},
{SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"},
{SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"},
{SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, "rsa_pkcs1_sha256_legacy"},
{SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"},
{SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"},
{SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"},
{SSL_SIGN_ECDSA_SECP256R1_SHA256, "ecdsa_secp256r1_sha256"},
{SSL_SIGN_ECDSA_SECP384R1_SHA384, "ecdsa_secp384r1_sha384"},
{SSL_SIGN_ECDSA_SECP521R1_SHA512, "ecdsa_secp521r1_sha512"},
{SSL_SIGN_RSA_PSS_RSAE_SHA256, "rsa_pss_rsae_sha256"},
{SSL_SIGN_RSA_PSS_RSAE_SHA384, "rsa_pss_rsae_sha384"},
{SSL_SIGN_RSA_PSS_RSAE_SHA512, "rsa_pss_rsae_sha512"},
{SSL_SIGN_ED25519, "ed25519"},
static const char* kSigAlgCandidates[] = {
"ecdsa_secp256r1_sha256",
"ecdsa_secp384r1_sha384",
"ecdsa_secp521r1_sha512",
"ed25519",
"ed448",
"rsa_pss_pss_sha256",
"rsa_pss_pss_sha384",
"rsa_pss_pss_sha512",
"rsa_pss_rsae_sha256",
"rsa_pss_rsae_sha384",
"rsa_pss_rsae_sha512",
"rsa_pkcs1_sha256",
"rsa_pkcs1_sha384",
"rsa_pkcs1_sha512",
"ecdsa_sha224",
"ecdsa_sha256",
"ecdsa_sha384",
"ecdsa_sha512",
"ecdsa_sha1",
"rsa_pkcs1_sha224",
"rsa_pkcs1_sha1",
"dsa_sha224",
"dsa_sha1",
"dsa_sha256",
"dsa_sha384",
"dsa_sha512",
"gostr34102012_256_intrinsic",
"gostr34102012_512_intrinsic",
"gostr34102012_256_gostr34112012_256",
"gostr34102012_512_gostr34112012_512",
"gostr34102001_gostr3411",
"rsa_pkcs1_md5_sha1",
"rsa_pkcs1_sha256_legacy"
};

#define CANDIDATES_SIZE 33

size_t SSL_get_all_signature_algorithm_names(const char **out, size_t max_out) {
const char *kPredefinedNames[] = {"ecdsa_sha256", "ecdsa_sha384",
"ecdsa_sha512"};
size_t predefinedSize = (sizeof(kPredefinedNames) / sizeof(kPredefinedNames[0]));
size_t nameSize = (sizeof(kSignatureAlgorithmNames) / sizeof(kSignatureAlgorithmNames[0]));
if(max_out != 0) {
for(int i = 0; i < predefinedSize; i++) {
*out++ = kPredefinedNames[i];
}
for(int i = 0; i < nameSize; i++) {
*out++ = kSignatureAlgorithmNames[i].name;
}
}
return predefinedSize+nameSize;
static uint8_t initialized = 0;
static char* validSigAlgNames[CANDIDATES_SIZE];
static size_t validSigAlgSize = 0;
if (initialized == 0) {
ossl_SSL_CTX* ctx = ossl.ossl_SSL_CTX_new(ossl.ossl_TLS_client_method());
if (!ctx) {
return 0;
}
ossl_SSL* ssl = ossl.ossl_SSL_new(ctx);
if (!ssl) {
ossl.ossl_SSL_CTX_free(ctx);
return 0;
}

// Iterate through our hardcoded candidates and attempt to set each one.
for (size_t i = 0; i < CANDIDATES_SIZE; ++i) {
const char* candidate = kSigAlgCandidates[i];

if (ossl.ossl_SSL_set1_sigalgs_list(ssl, candidate)) {
// Success: OpenSSL knows this signature_algorithm and can handle it.
validSigAlgNames[validSigAlgSize] = candidate;
validSigAlgSize++;
}
}

ossl.ossl_SSL_free(ssl);
ossl.ossl_SSL_CTX_free(ctx);
initialized = 1;
}
for(int i = 0; i < max_out && i < validSigAlgSize; i++) {
*out++ = validSigAlgNames[i];
}
return validSigAlgSize; // Return number of signature_algorithms found, not written
}
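Review bot: The lazy initialisation guarded by `static uint8_t initialized` in `SSL_get_all_signature_algorithm_names()` is not thread-safe. Nothing in the hunk serialises the first call, so two threads that both see `initialized == 0` both run the probe loop and both append to the shared `validSigAlgNames` / `validSigAlgSize` statics; the unsynchronised `validSigAlgSize++` can then push the index past `CANDIDATES_SIZE` and write outside the array, and a caller can observe a partially filled table before `initialized = 1` is stored. Build the list into locals under a one-time initialiser (`pthread_once`, or OpenSSL's `CRYPTO_THREAD_run_once` with a `CRYPTO_ONCE` if the `ossl` wrapper exposes it) and publish the finished array and count afterwards. Three smaller points in the same hunk: `static char* validSigAlgNames[CANDIDATES_SIZE];` is assigned `const char* candidate`, which discards the const qualifier, so declare it `static const char* validSigAlgNames[CANDIDATES_SIZE];`; `#define CANDIDATES_SIZE 33` hard-codes a count that the removed code derived with `sizeof(kSignatureAlgorithmNames) / sizeof(kSignatureAlgorithmNames[0])`, so an entry added to `kSigAlgCandidates` without updating the macro is silently never probed and an entry removed makes the probe loop read past the array (use the `sizeof` idiom, or a terminating NULL entry); and `for(int i = 0; i < max_out && i < validSigAlgSize; i++)` compares a signed `int` against two `size_t` values, so make `i` a `size_t`. The `max_out` handling itself (write at most `max_out` names, return the total count) is the right contract and fixes the old code, which wrote every name whenever `max_out != 0`.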