

ssl: upgrade FIPS boringssl version (#27087)
* ssl: upgrade FIPS boringssl version

Signed-off-by: Greg Greenway <ggreenway@apple.com>

Signed-off-by: Ryan Northey <ryan@synca.io>
ggreenway authored and phlax committed Jul 24, 2023
1 parent faf6eb3 commit 9d5e760
Showing 6 changed files with 40 additions and 106 deletions.
48 changes: 33 additions & 15 deletions bazel/external/boringssl_fips.genrule_cmd
Expand Up @@ -16,20 +16,21 @@ fi
ROOT=./external/boringssl_fips
pushd "$ROOT"

# Build tools requirements:
# - Clang compiler version 7.0.1 (https://releases.llvm.org/download.html)
# - Go programming language version 1.12.7 (https://golang.org/dl/)
# - Ninja build system version 1.9.0 (https://github.com/ninja-build/ninja/releases)
# Build tools requirements (from section 12.1 of https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf):
# - Clang compiler version 12.0.0 (https://releases.llvm.org/download.html)
# - Go programming language version 1.16.5 (https://golang.org/dl/)
# - Ninja build system version 1.10.2 (https://github.com/ninja-build/ninja/releases)
# - Cmake version 3.20.1 (https://cmake.org/download/)

# Override $PATH for build tools, to avoid picking up anything else.
export PATH="$(dirname `which cmake`):/usr/bin:/bin"

# Clang 7.0.1
VERSION=7.0.1
SHA256=02ad925add5b2b934d64c3dd5cbd1b2002258059f7d962993ba7f16524c3089c
PLATFORM="x86_64-linux-gnu-ubuntu-16.04"
# Clang
VERSION=12.0.0
SHA256=a9ff205eb0b73ca7c86afc6432eed1c2d49133bd0d49e47b15be59bbf0dd292e
PLATFORM="x86_64-linux-gnu-ubuntu-20.04"

curl -sLO https://releases.llvm.org/"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz \
curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz \
&& echo "$SHA256" clang+llvm-"$VERSION"-"$PLATFORM".tar.xz | sha256sum --check
tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz

Expand All @@ -42,9 +43,9 @@ if [[ `clang --version | head -1 | awk '{print $3}'` != "$VERSION" ]]; then
exit 1
fi

# Go 1.12.7
VERSION=1.12.7
SHA256=66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9
# Go
VERSION=1.16.5
SHA256=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061
PLATFORM="linux-amd64"

curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \
Expand All @@ -60,9 +61,9 @@ if [[ `go version | awk '{print $3}'` != "go$VERSION" ]]; then
exit 1
fi

# Ninja 1.9.0
VERSION=1.9.0
SHA256=1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305
# Ninja
VERSION=1.10.2
SHA256=763464859c7ef2ea3a0a10f4df40d2025d3bb9438fcb1228404640410c0ec22d
PLATFORM="linux"

curl -sLO https://github.com/ninja-build/ninja/releases/download/v"$VERSION"/ninja-"$PLATFORM".zip \
Expand All @@ -76,6 +77,22 @@ if [[ `ninja --version` != "$VERSION" ]]; then
exit 1
fi

# CMake
VERSION=3.20.1
SHA256=b8c141bd7a6d335600ab0a8a35e75af79f95b837f736456b5532f4d717f20a09
PLATFORM="linux-x86_64"

curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \
&& echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check
tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz

export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH"

if [[ `cmake --version | head -n1` != "cmake version $VERSION" ]]; then
echo "ERROR: CMake version doesn't match."
exit 1
fi

# Clean after previous build.
rm -rf boringssl/build

Expand All @@ -84,6 +101,7 @@ cd boringssl
mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
ninja
ninja run_tests
./crypto/crypto_test

# Verify correctness of the FIPS build.
if [[ `tool/bssl isfips` != "1" ]]; then
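Review bot: The new CMake block prepends the downloaded `cmake-$VERSION-$PLATFORM/bin` to PATH, but the earlier `export PATH="$(dirname `which cmake`):/usr/bin:/bin"` line still seeds PATH with whatever host cmake happens to be installed, which is exactly what that line's comment says the script wants to avoid for the other tools. If nothing before the CMake download needs cmake (nothing in the visible lines does), that line can become `export PATH="/usr/bin:/bin"` so the only cmake reachable is the pinned, checksum-verified 3.20.1 that the security policy cited in the header comment calls for. The script's preamble, including any `set -e` that makes a failed `sha256sum --check` fatal rather than a printed warning, lies outside the hunk.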
18 changes: 0 additions & 18 deletions bazel/external/boringssl_fips.patch

This file was deleted.

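--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -316,7 +316,6 @@ def _boringssl_fips():
 external_http_archive(
 name = "boringssl_fips",
 build_file = "@envoy//bazel/external:boringssl_fips.BUILD",
-patches = ["@envoy//bazel/external:boringssl_fips.patch"],
 )
 
 def _com_github_circonus_labs_libcircllhist():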
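--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -125,11 +125,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 project_url = "https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md",
 # When this is updated to a revision newer than 2022-08-12,
 # CertValidatorUtil::setIgnoreCertificateExpiration can be simplified.
-version = "fips-20190808",
-sha256 = "3b5fdf23274d4179c2077b5e8fa625d9debd7a390aac1d165b7e47234f648bb8",
-urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-ae223d6138807a13006342edfeef32e813246b39.tar.xz"],
+version = "fips-20210429",
+sha256 = "a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2",
+urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz"],
 use_category = ["controlplane", "dataplane_core"],
-release_date = "2019-08-08",
+release_date = "2021-04-29",
 cpe = "cpe:2.3:a:google:boringssl:*",
 ),
 aspect_bazel_lib = dict(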
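--- a/source/extensions/transport_sockets/tls/utility.cc
+++ b/source/extensions/transport_sockets/tls/utility.cc
@@ -16,29 +16,6 @@ namespace Extensions {
 namespace TransportSockets {
 namespace Tls {
 
-#if BORINGSSL_API_VERSION < 10
-static constexpr absl::string_view SSL_ERROR_NONE_MESSAGE = "NONE";
-static constexpr absl::string_view SSL_ERROR_SSL_MESSAGE = "SSL";
-static constexpr absl::string_view SSL_ERROR_WANT_READ_MESSAGE = "WANT_READ";
-static constexpr absl::string_view SSL_ERROR_WANT_WRITE_MESSAGE = "WANT_WRITE";
-static constexpr absl::string_view SSL_ERROR_WANT_X509_LOOPUP_MESSAGE = "WANT_X509_LOOKUP";
-static constexpr absl::string_view SSL_ERROR_SYSCALL_MESSAGE = "SYSCALL";
-static constexpr absl::string_view SSL_ERROR_ZERO_RETURN_MESSAGE = "ZERO_RETURN";
-static constexpr absl::string_view SSL_ERROR_WANT_CONNECT_MESSAGE = "WANT_CONNECT";
-static constexpr absl::string_view SSL_ERROR_WANT_ACCEPT_MESSAGE = "WANT_ACCEPT";
-static constexpr absl::string_view SSL_ERROR_WANT_CHANNEL_ID_LOOKUP_MESSAGE =
-"WANT_CHANNEL_ID_LOOKUP";
-static constexpr absl::string_view SSL_ERROR_PENDING_SESSION_MESSAGE = "PENDING_SESSION";
-static constexpr absl::string_view SSL_ERROR_PENDING_CERTIFICATE_MESSAGE = "PENDING_CERTIFICATE";
-static constexpr absl::string_view SSL_ERROR_WANT_PRIVATE_KEY_OPERATION_MESSAGE =
-"WANT_PRIVATE_KEY_OPERATION";
-static constexpr absl::string_view SSL_ERROR_PENDING_TICKET_MESSAGE = "PENDING_TICKET";
-static constexpr absl::string_view SSL_ERROR_EARLY_DATA_REJECTED_MESSAGE = "EARLY_DATA_REJECTED";
-static constexpr absl::string_view SSL_ERROR_WANT_CERTIFICATE_VERIFY_MESSAGE =
-"WANT_CERTIFICATE_VERIFY";
-static constexpr absl::string_view SSL_ERROR_HANDOFF_MESSAGE = "HANDOFF";
-static constexpr absl::string_view SSL_ERROR_HANDBACK_MESSAGE = "HANDBACK";
-#endif
 static constexpr absl::string_view SSL_ERROR_UNKNOWN_ERROR_MESSAGE = "UNKNOWN_ERROR";
 
 Envoy::Ssl::CertificateDetailsPtr Utility::certificateDetails(X509* cert, const std::string& path,
@@ -332,54 +309,12 @@ absl::optional<std::string> Utility::getLastCryptoError() {
 }
 
 absl::string_view Utility::getErrorDescription(int err) {
-#if BORINGSSL_API_VERSION < 10
-// TODO(davidben): Remove this and the corresponding SSL_ERROR_*_MESSAGE constants when the FIPS
-// build is updated to a later version.
-switch (err) {
-case SSL_ERROR_NONE:
-return SSL_ERROR_NONE_MESSAGE;
-case SSL_ERROR_SSL:
-return SSL_ERROR_SSL_MESSAGE;
-case SSL_ERROR_WANT_READ:
-return SSL_ERROR_WANT_READ_MESSAGE;
-case SSL_ERROR_WANT_WRITE:
-return SSL_ERROR_WANT_WRITE_MESSAGE;
-case SSL_ERROR_WANT_X509_LOOKUP:
-return SSL_ERROR_WANT_X509_LOOPUP_MESSAGE;
-case SSL_ERROR_SYSCALL:
-return SSL_ERROR_SYSCALL_MESSAGE;
-case SSL_ERROR_ZERO_RETURN:
-return SSL_ERROR_ZERO_RETURN_MESSAGE;
-case SSL_ERROR_WANT_CONNECT:
-return SSL_ERROR_WANT_CONNECT_MESSAGE;
-case SSL_ERROR_WANT_ACCEPT:
-return SSL_ERROR_WANT_ACCEPT_MESSAGE;
-case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
-return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP_MESSAGE;
-case SSL_ERROR_PENDING_SESSION:
-return SSL_ERROR_PENDING_SESSION_MESSAGE;
-case SSL_ERROR_PENDING_CERTIFICATE:
-return SSL_ERROR_PENDING_CERTIFICATE_MESSAGE;
-case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
-return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION_MESSAGE;
-case SSL_ERROR_PENDING_TICKET:
-return SSL_ERROR_PENDING_TICKET_MESSAGE;
-case SSL_ERROR_EARLY_DATA_REJECTED:
-return SSL_ERROR_EARLY_DATA_REJECTED_MESSAGE;
-case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
-return SSL_ERROR_WANT_CERTIFICATE_VERIFY_MESSAGE;
-case SSL_ERROR_HANDOFF:
-return SSL_ERROR_HANDOFF_MESSAGE;
-case SSL_ERROR_HANDBACK:
-return SSL_ERROR_HANDBACK_MESSAGE;
-}
-#else
 const char* description = SSL_error_description(err);
 if (description) {
 return description;
 }
-#endif
-ENVOY_BUG(false, "Unknown BoringSSL error had occurred");
+
+IS_ENVOY_BUG("BoringSSL error had occurred: SSL_error_description() returned nullptr");
 return SSL_ERROR_UNKNOWN_ERROR_MESSAGE;
 }
 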
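Review bot: Dropping the `#if BORINGSSL_API_VERSION < 10` fallback leaves getErrorDescription calling `SSL_error_description` unconditionally, so the file now requires a BoringSSL exposing API version 10 or later, and that requirement is no longer stated anywhere in the source; it is only implied by the FIPS tarball bump in repository_locations.bzl. Consider making it explicit next to the remaining `SSL_ERROR_UNKNOWN_ERROR_MESSAGE` constant with `static_assert(BORINGSSL_API_VERSION >= 10, "SSL_error_description() needs BoringSSL API version >= 10");` so a future pin to an older FIPS build fails with a diagnostic that names the cause rather than an undeclared-identifier error (presumably what an older header would produce). The new message `BoringSSL error had occurred: SSL_error_description() returned nullptr` reads oddly; `Unknown BoringSSL error: SSL_error_description() returned nullptr` says the same thing more plainly, with the matching expectation in utility_test.cc updated alongside.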
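--- a/test/extensions/transport_sockets/tls/utility_test.cc
+++ b/test/extensions/transport_sockets/tls/utility_test.cc
@@ -194,7 +194,7 @@ TEST(UtilityTest, SslErrorDescriptionTest) {
 }
 
 EXPECT_ENVOY_BUG(EXPECT_EQ(Utility::getErrorDescription(-1), "UNKNOWN_ERROR"),
-"Unknown BoringSSL error had occurred");
+"BoringSSL error had occurred: SSL_error_description() returned nullptr");
 }
 
 TEST(UtilityTest, TestGetX509ErrorInfo) {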
