cryptomb: add BN_bn2lebinpad definition for fips build (envoyproxy#…

…33756) The fips verison boringSSL is old. so it doesn't have the definition of BN_bn2lebinpad, so patch ipp-crypto to give a definition. Signed-off-by: He Jie Xu <hejie.xu@intel.com>
soulxu · Apr 30, 2024 · e06cc96 · e06cc96
1 parent 816188b
commit e06cc96
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch b/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch
@@ -0,0 +1,19 @@
+diff --git a/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c b/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
+index e6db178c..0a1ecc49 100644
+--- a/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
++++ b/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
+@@ -16,9 +16,14 @@
+
+ #include <internal/common/ifma_defs.h>
+ #include <internal/common/ifma_math.h>
++#include <openssl/bn.h>
+
+ #include <assert.h>
+
++static int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) {
++    return BN_bn2le_padded(to, tolen, a);
++}
++
+ #if defined(_MSC_VER) && (_MSC_VER < 1920)
+   // Disable optimization for VS2017 due to AVX512 masking bug
+   #define DISABLE_OPTIMIZATION __pragma(optimize( "", off ))
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -310,6 +310,7 @@ def envoy_dependencies(skip_targets = []):
     _com_github_rules_proto_grpc()
     _com_github_unicode_org_icu()
     _com_github_intel_ipp_crypto_crypto_mb()
+    _com_github_intel_ipp_crypto_crypto_mb_fips()
     _com_github_intel_qatlib()
     _com_github_intel_qatzip()
     _com_github_qat_zstd()
@@ -549,6 +550,19 @@ def _com_github_intel_ipp_crypto_crypto_mb():
         build_file_content = BUILD_ALL_CONTENT,
     )
 
+def _com_github_intel_ipp_crypto_crypto_mb_fips():
+    # Temporary fix for building ipp-crypto when boringssl-fips is used.
+    # Build will fail if bn2lebinpad patch is applied. Remove this archive
+    # when upstream dependency fixes this issue.
+    external_http_archive(
+        name = "com_github_intel_ipp_crypto_crypto_mb_fips",
+        patches = ["@envoy//bazel/foreign_cc:ipp-crypto-bn2lebinpad.patch"],
+        patch_args = ["-p1"],
+        build_file_content = BUILD_ALL_CONTENT,
+        # Use existing ipp-crypto repository location name to avoid redefinition.
+        location_name = "com_github_intel_ipp_crypto_crypto_mb",
+    )
+
 def _com_github_intel_qatlib():
     external_http_archive(
         name = "com_github_intel_qatlib",

diff --git a/contrib/cryptomb/private_key_providers/source/BUILD b/contrib/cryptomb/private_key_providers/source/BUILD
@@ -24,7 +24,10 @@ envoy_cmake(
     defines = [
         "OPENSSL_USE_STATIC_LIBS=TRUE",
     ],
-    lib_source = "@com_github_intel_ipp_crypto_crypto_mb//:all",
+    lib_source = select({
+        "//bazel:boringssl_fips": "@com_github_intel_ipp_crypto_crypto_mb_fips//:all",
+        "//conditions:default": "@com_github_intel_ipp_crypto_crypto_mb//:all",
+    }),
     out_lib_dir = "lib/intel64",
     out_static_libs = ["libcrypto_mb.a"],
     tags = ["skip_on_windows"],