
OSSM-5001 Additions to support maistra/proxy build #128

Closed

Conversation

tedjpoole
Contributor

@tedjpoole tedjpoole commented Nov 15, 2023

This PR:

  • adds a vendored & patched copy of the envoyproxy/envoy repository
  • configures bazel to build the vendored envoy against the bssl-compat layer instead of BoringSSL
  • adds some more functions to the bssl-compat layer to support envoy tests

Required when building in maistra-builder:2.5 (clang++13)

Signed-off-by: Ted Poole <tpoole@redhat.com>
Now checks for <openssl/types.h> instead of <openssl/ssl.h> because
<openssl/types.h> is only in OpenSSL 3.0.x. This ensures that if the host
only has OpenSSL 1.1.x headers, they will not be used.

Signed-off-by: Ted Poole <tpoole@redhat.com>
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch 3 times, most recently from 63159c0 to efdc85d Compare November 30, 2023 11:02
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch 5 times, most recently from 8d92df6 to c09fa3b Compare December 13, 2023 13:52
Signed-off-by: Ted Poole <tpoole@redhat.com>
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch from c09fa3b to de50633 Compare December 13, 2023 14:29
Signed-off-by: Ted Poole <tpoole@redhat.com>
The functions that were being used to check the loaded OpenSSL version were only available
in OpenSSL >= 3.0.0, so the check crashed if 1.1.1 libraries were loaded.

Signed-off-by: Ted Poole <tpoole@redhat.com>
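The commit above fixes a crash caused by calling version accessors that only exist in OpenSSL 3.x when a 1.1.1 library is loaded. The following is an added example, not code from this PR or from bssl-compat, showing the defensive shape of such a probe: resolve symbols by name, prefer `OpenSSL_version_num()` (exported by 1.1.x and 3.x alike), fall back to the 3.0-only `OPENSSL_version_major()` family only when every symbol resolved, and report failure rather than dereference a NULL function pointer. The `symbol_resolver` type stands in for `dlsym()`, and the `resolve_like_*` functions and `openssl_version_is_supported()` policy are constructed for the demo so that it runs without libssl.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for dlsym(): takes a symbol name, returns its address or NULL.
 * Constructed abstraction so the probe logic runs offline without libssl. */
typedef void *(*symbol_resolver)(const char *name);

/* Real OpenSSL entry points the probe looks up by name. */
typedef unsigned long (*version_num_fn)(void);   /* OpenSSL_version_num(): 1.1.0+      */
typedef unsigned int  (*version_part_fn)(void);  /* OPENSSL_version_major() etc.: 3.0+ */

struct ssl_version {
    int ok;                           /* 0 if no usable version symbol resolved */
    unsigned major, minor, fix, patch;
};

/* Probe the loaded library's version without calling anything that failed to
 * resolve. Hypothetical helper, not bssl-compat's own code. */
struct ssl_version probe_openssl_version(symbol_resolver resolve)
{
    struct ssl_version v = {0, 0, 0, 0, 0};

    /* 1. Prefer OpenSSL_version_num(): present in both 1.1.x and 3.x. */
    version_num_fn num = (version_num_fn)resolve("OpenSSL_version_num");
    if (num != NULL) {
        unsigned long n = num();
        /* 1.1.x packs MNNFFPPS, 3.x packs MNN00PP0; the field positions agree. */
        v.major = (unsigned)((n >> 28) & 0xF);
        v.minor = (unsigned)((n >> 20) & 0xFF);
        v.fix   = (unsigned)((n >> 12) & 0xFF);
        v.patch = (unsigned)((n >> 4)  & 0xFF);
        v.ok = 1;
        return v;
    }

    /* 2. Fall back to the 3.0-only accessors, but only if all three resolve. */
    version_part_fn major = (version_part_fn)resolve("OPENSSL_version_major");
    version_part_fn minor = (version_part_fn)resolve("OPENSSL_version_minor");
    version_part_fn patch = (version_part_fn)resolve("OPENSSL_version_patch");
    if (major != NULL && minor != NULL && patch != NULL) {
        v.major = major();
        v.minor = minor();
        v.patch = patch();
        v.ok = 1;
        return v;
    }

    /* 3. Nothing resolved: report failure instead of crashing. */
    return v;
}

/* Policy assumed for this example only: accept 1.1.x or any 3.x release. */
int openssl_version_is_supported(struct ssl_version v)
{
    if (!v.ok) return 0;
    if (v.major == 1 && v.minor == 1) return 1;
    if (v.major == 3) return 1;
    return 0;
}

/* --- constructed stand-ins for libssl symbols, used only by the demo --- */
static unsigned long fake_111_version_num(void) { return 0x1010117fUL; } /* 1.1.1w */
static unsigned long fake_308_version_num(void) { return 0x30000080UL; } /* 3.0.8  */
static unsigned int  fake_308_major(void) { return 3; }
static unsigned int  fake_308_minor(void) { return 0; }
static unsigned int  fake_308_patch(void) { return 8; }

/* Behaves like a 1.1.1 libssl: the 3.0-only accessors do not exist. */
void *resolve_like_111(const char *name)
{
    if (strcmp(name, "OpenSSL_version_num") == 0) return (void *)fake_111_version_num;
    return NULL;
}

/* Behaves like a 3.0.8 libssl, which exports both the old and the new symbols. */
void *resolve_like_308(const char *name)
{
    if (strcmp(name, "OpenSSL_version_num") == 0)   return (void *)fake_308_version_num;
    if (strcmp(name, "OPENSSL_version_major") == 0) return (void *)fake_308_major;
    if (strcmp(name, "OPENSSL_version_minor") == 0) return (void *)fake_308_minor;
    if (strcmp(name, "OPENSSL_version_patch") == 0) return (void *)fake_308_patch;
    return NULL;
}

/* Artificial: only the 3.0 accessors, to exercise the fallback path. */
void *resolve_new_api_only(const char *name)
{
    if (strcmp(name, "OpenSSL_version_num") == 0) return NULL;
    return resolve_like_308(name);
}

/* A library exporting neither symbol (e.g. a 1.0.2 build, which only had SSLeay()). */
void *resolve_nothing(const char *name) { (void)name; return NULL; }

int main(void)
{
    symbol_resolver resolvers[] = {resolve_like_111, resolve_like_308, resolve_new_api_only, resolve_nothing};
    const char *labels[] = {"1.1.1-like", "3.0.8-like", "3.0 accessors only", "no symbols"};
    for (size_t i = 0; i < 4; i++) {
        struct ssl_version v = probe_openssl_version(resolvers[i]);
        if (v.ok)
            printf("%s: %u.%u.%u patch=%u supported=%d\n", labels[i], v.major, v.minor,
                   v.fix, v.patch, openssl_version_is_supported(v));
        else
            printf("%s: no version symbol resolved, refusing to continue\n", labels[i]);
    }
    return 0;
}
```

In a real compat layer the resolver would wrap `dlsym()` on the handle returned by `dlopen()`; the point is that the only symbols ever called are ones that resolved, so a 1.1.1 library yields a clean version rather than a segfault.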
There were some unnecessary files getting installed as part of the
bssl-compat installation process. In particular, the googletest headers
were being installed, which was upsetting the envoy build.

Signed-off-by: Ted Poole <tpoole@redhat.com>
…l-compat

Signed-off-by: Ted Poole <tpoole@redhat.com>
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch 5 times, most recently from 7414b59 to 70be25b Compare January 10, 2024 17:05
… suite spec

Signed-off-by: Ted Poole <tpoole@redhat.com>
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch from 70be25b to 574a176 Compare January 10, 2024 18:10
@tedjpoole tedjpoole marked this pull request as ready for review January 11, 2024 10:13
@tedjpoole tedjpoole requested a review from twghu January 11, 2024 10:13
…cate_cb

The test passes on BoringSSL but is skipped on bssl-compat pending a fix

Signed-off-by: Ted Poole <tpoole@redhat.com>
@clnperez
Contributor

clnperez commented Feb 8, 2024

@tedjpoole have you talked to anyone about this PR outside of this thread? I'm just curious as to its fate since it doesn't have any comments and you submitted it in November :)

…e/v1.26 branch)

Signed-off-by: Ted Poole <tpoole@redhat.com>
SSL_CIPHER_get_min_version() would segv when called for a
cipher whose implementation engine wasn't loaded.

Signed-off-by: Ted Poole <tpoole@redhat.com>
…e callback

Signed-off-by: Ted Poole <tpoole@redhat.com>
…l::verifyCallback()

The SSL_get_peer_certificate() function doesn't work the same way in OpenSSL as it does
in BoringSSL, when called within a callback installed via SSL_CTX_set_cert_verify_callback().
Therefore, we replace it with calls to X509_STORE_CTX_get_current_cert() and
X509_STORE_CTX_get0_cert().

Signed-off-by: Ted Poole <tpoole@redhat.com>
Since we aren't supporting async certificate validation, ensure
that we only run the tests in "with_sync_cert_validation" mode.

Signed-off-by: Ted Poole <tpoole@redhat.com>
…quivalent

This allows the use of IANA cipher suite names as well as OpenSSL specific names,
which in turn means fewer patches to upstream source, especially configs in test
code.

Signed-off-by: Ted Poole <tpoole@redhat.com>
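The commit above lets the compat layer accept IANA cipher suite names alongside OpenSSL's own spellings. The following added example (not this PR's or bssl-compat's code) shows the translation step in isolation: a colon-separated cipher list is walked token by token, IANA names are rewritten to their OpenSSL equivalents, and anything else (OpenSSL names, TLS 1.3 names, which are identical in both schemes, and keywords such as `HIGH` or `!aNULL`) passes through untouched. The lookup table is a constructed subset of well-known suites; OpenSSL 1.1.1 and later expose the same mapping through `OPENSSL_cipher_name()`, but the table is kept inline so the example runs without libssl. The function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of IANA -> OpenSSL name pairs (the real API is
 * OPENSSL_cipher_name() in OpenSSL >= 1.1.1). */
static const struct { const char *iana; const char *openssl; } CIPHER_NAMES[] = {
    {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",       "ECDHE-ECDSA-AES128-GCM-SHA256"},
    {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",         "ECDHE-RSA-AES128-GCM-SHA256"},
    {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",       "ECDHE-ECDSA-AES256-GCM-SHA384"},
    {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",         "ECDHE-RSA-AES256-GCM-SHA384"},
    {"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305"},
    {"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",   "ECDHE-RSA-CHACHA20-POLY1305"},
    {"TLS_RSA_WITH_AES_128_GCM_SHA256",               "AES128-GCM-SHA256"},
    {"TLS_RSA_WITH_AES_128_CBC_SHA",                  "AES128-SHA"},
    {"TLS_RSA_WITH_AES_256_CBC_SHA",                  "AES256-SHA"},
};

/* Map one token. Returns the OpenSSL spelling for a known IANA name and the
 * input pointer itself for anything else, so callers can tell the two apart. */
const char *cipher_name_to_openssl(const char *name)
{
    for (size_t i = 0; i < sizeof CIPHER_NAMES / sizeof CIPHER_NAMES[0]; i++)
        if (strcmp(name, CIPHER_NAMES[i].iana) == 0)
            return CIPHER_NAMES[i].openssl;
    return name;
}

/* Translate a colon-separated cipher list into `out`. Empty tokens are
 * dropped. Returns the number of rewritten entries, or -1 if a token or the
 * output would not fit. */
int translate_cipher_list(const char *list, char *out, size_t outlen)
{
    size_t used = 0;
    int rewritten = 0;
    const char *p = list;

    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char token[128];

        if (len == 0) {               /* skip "::" and a trailing ':' */
            p = end ? end + 1 : p;
            continue;
        }
        if (len >= sizeof token) return -1;
        memcpy(token, p, len);
        token[len] = '\0';

        const char *mapped = cipher_name_to_openssl(token);
        if (mapped != token) rewritten++;

        size_t mlen = strlen(mapped);
        if (used + mlen + (used ? 1 : 0) >= outlen) return -1;
        if (used) out[used++] = ':';
        memcpy(out + used, mapped, mlen);
        used += mlen;
        out[used] = '\0';

        p = end ? end + 1 : p + len;
    }
    return rewritten;
}

/* Convenience wrapper returning the translated list in a static buffer,
 * or NULL on error. */
const char *translated(const char *list)
{
    static char scratch[512];
    return translate_cipher_list(list, scratch, sizeof scratch) < 0 ? NULL : scratch;
}

int main(void)
{
    /* Constructed input mixing IANA, OpenSSL and TLS 1.3 names with a keyword. */
    const char *in = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
                     "ECDHE-ECDSA-AES256-GCM-SHA384:"
                     "TLS_AES_128_GCM_SHA256:!aNULL";
    char out[256];
    int n = translate_cipher_list(in, out, sizeof out);
    printf("in : %s\nout: %s\nrewritten: %d\n", in, out, n);
    return 0;
}
```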
… certificate callback

Signed-off-by: Ted Poole <tpoole@redhat.com>
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch 2 times, most recently from b3cfefd to 48d297e Compare March 22, 2024 10:47
2 tests fail to build
3 tests fail to pass

Signed-off-by: Ted Poole <tpoole@redhat.com>
@tedjpoole tedjpoole force-pushed the OSSM-5001-integrate-into-proxy branch from 48d297e to 1c9a393 Compare March 22, 2024 10:48
@tedjpoole
Contributor Author

Closing this PR because it has become out of date

@tedjpoole tedjpoole closed this May 21, 2024
@tedjpoole tedjpoole deleted the OSSM-5001-integrate-into-proxy branch July 2, 2024 12:38