OSM-5001 Removed the use of equal preference groups in default cipher…

… suite spec Signed-off-by: Ted Poole <tpoole@redhat.com>
envoyproxy · Jan 10, 2024 · 7414b59 · 7414b59
1 parent 2bfc638
commit 7414b59
Show file tree

Hide file tree

Showing 9 changed files with 1,029 additions and 313 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -1,10 +1,9 @@
 import %workspace%/vendor/envoy/.bazelrc
 import %workspace%/vendor.bazelrc
 
+test --test_env=ENVOY_IP_TEST_VERSIONS=v4only
+
 # As of today we do not support QUIC/HTTP3 -- hence we exclude it from the build, always.
 build --@envoy//bazel:http3=false
 build --deleted_packages=@envoy//test/common/quic
-build --deleted_packages=@envoy//test/common/quic/platform
-
-# build --@envoy//bazel:http3=False
-# test --@envoy//bazel:http3=False
+build --deleted_packages=@envoy//test/common/quic/platform
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-20.04
 
     steps:
 
@@ -18,8 +18,11 @@ jobs:
       with:
         submodules: 'true'
 
+    - name: SSH
+      uses: lhotari/action-upterm@v1
+
     - name: Prerequisites
-      run: sudo apt install -y libclang-14-dev kcov
+      run: sudo apt update -y && sudo apt install -y kcov
 
     - name: Configure
       run: cmake -B ${{github.workspace}}/build -S ${{github.workspace}}/bssl-compat -DCMAKE_BUILD_TYPE=RelWithDebInfo

diff --git a/bazel/envoy_openssl_repositories.bzl b/bazel/envoy_openssl_repositories.bzl
@@ -66,11 +66,13 @@ def envoy_openssl_repositories(download = False):
                 "//patch/envoy:source/extensions/transport_sockets/tls/io_handle_bio.cc.patch",
                 "//patch/envoy:source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc.patch",
                 "//patch/envoy:source/extensions/transport_sockets/tls/utility.cc.patch",
-                # These next 3 patches are temporary, just to get the envoy exe
+                # These next patches are temporary, just to get the envoy exe
                 # to link while the full set of correct patches are being developed.
                 "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.cc.patch",
                 "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.h.patch",
+                "//patch/envoy:source/extensions/transport_sockets/tls/context_config_impl.cc.patch",
                 "//patch/envoy:source/extensions/transport_sockets/tls/ssl_handshaker.cc.patch",
+                "//patch/envoy:test/extensions/transport_sockets/tls/test_private_key_method_provider.cc.patch",
             ],
             overwrites = [
                 # "//patch/envoy:source/extensions/transport_sockets/tls/context_impl.cc",

diff --git a/patch/envoy/source/extensions/transport_sockets/tls/context_config_impl.cc.patch b/patch/envoy/source/extensions/transport_sockets/tls/context_config_impl.cc.patch
@@ -0,0 +1,24 @@
+--- a/source/extensions/transport_sockets/tls/context_config_impl.cc
++++ b/source/extensions/transport_sockets/tls/context_config_impl.cc
+@@ -328,8 +328,8 @@ const unsigned ClientContextConfigImpl::DEFAULT_MAX_VERSION = TLS1_2_VERSION;
+
+ const std::string ClientContextConfigImpl::DEFAULT_CIPHER_SUITES =
+ #ifndef BORINGSSL_FIPS
+-    "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:"
+-    "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:"
++    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
++    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
+ #else // BoringSSL FIPS
+     "ECDHE-ECDSA-AES128-GCM-SHA256:"
+     "ECDHE-RSA-AES128-GCM-SHA256:"
+@@ -367,8 +367,8 @@ const unsigned ServerContextConfigImpl::DEFAULT_MAX_VERSION = TLS1_3_VERSION;
+
+ const std::string ServerContextConfigImpl::DEFAULT_CIPHER_SUITES =
+ #ifndef BORINGSSL_FIPS
+-    "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:"
+-    "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:"
++    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
++    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
+ #else // BoringSSL FIPS
+     "ECDHE-ECDSA-AES128-GCM-SHA256:"
+     "ECDHE-RSA-AES128-GCM-SHA256:"
diff --git a/patch/envoy/source/extensions/transport_sockets/tls/context_impl.cc.patch b/patch/envoy/source/extensions/transport_sockets/tls/context_impl.cc.patch
@@ -6,8 +6,8 @@
            // validation and always supply the callback to boring SSL.
 -          SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
 -          SSL_CTX_set_reverify_on_resume(ctx, /*reverify_on_resume_enabled)=*/1);
-+          PANIC("SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);");
-+          PANIC("SSL_CTX_set_reverify_on_resume(ctx, /*reverify_on_resume_enabled)=*/1);");
++          fprintf(stderr, "SKIPPED SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);\n");
++          fprintf(stderr, "SKIPPED SSL_CTX_set_reverify_on_resume(ctx, /*reverify_on_resume_enabled)=*/1);\n");
          } else {
            SSL_CTX_set_verify(ctx, verify_mode, nullptr);
            SSL_CTX_set_cert_verify_callback(ctx, verifyCallback, this);
@@ -16,7 +16,7 @@
          }
  #endif
 -        SSL_CTX_set_private_key_method(ctx.ssl_ctx_.get(), private_key_method.get());
-+        PANIC("SSL_CTX_set_private_key_method(ctx.ssl_ctx_.get(), private_key_method.get());");
++        fprintf(stderr, "SKIPPED SSL_CTX_set_private_key_method(ctx.ssl_ctx_.get(), private_key_method.get());\n");
        } else if (!tls_certificate.privateKey().empty()) {
          // Load private key.
          ctx.loadPrivateKey(tls_certificate.privateKey(), tls_certificate.privateKeyPath(),