ssl: upgrade FIPS boringssl version (#27087)

* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
envoyproxy · Jul 24, 2023 · 9d5e760 · 9d5e760
1 parent faf6eb3
commit 9d5e760
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 106 deletions.
diff --git a/bazel/external/boringssl_fips.genrule_cmd b/bazel/external/boringssl_fips.genrule_cmd
@@ -16,20 +16,21 @@ fi
 ROOT=./external/boringssl_fips
 pushd "$ROOT"
 
-# Build tools requirements:
-# - Clang compiler version 7.0.1 (https://releases.llvm.org/download.html)
-# - Go programming language version 1.12.7 (https://golang.org/dl/)
-# - Ninja build system version 1.9.0 (https://github.com/ninja-build/ninja/releases)
+# Build tools requirements (from section 12.1 of https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf):
+# - Clang compiler version 12.0.0 (https://releases.llvm.org/download.html)
+# - Go programming language version 1.16.5 (https://golang.org/dl/)
+# - Ninja build system version 1.10.2 (https://github.com/ninja-build/ninja/releases)
+# - Cmake version 3.20.1 (https://cmake.org/download/)
 
 # Override $PATH for build tools, to avoid picking up anything else.
 export PATH="$(dirname `which cmake`):/usr/bin:/bin"
 
-# Clang 7.0.1
-VERSION=7.0.1
-SHA256=02ad925add5b2b934d64c3dd5cbd1b2002258059f7d962993ba7f16524c3089c
-PLATFORM="x86_64-linux-gnu-ubuntu-16.04"
+# Clang
+VERSION=12.0.0
+SHA256=a9ff205eb0b73ca7c86afc6432eed1c2d49133bd0d49e47b15be59bbf0dd292e
+PLATFORM="x86_64-linux-gnu-ubuntu-20.04"
 
-curl -sLO https://releases.llvm.org/"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz \
+curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz \
   && echo "$SHA256" clang+llvm-"$VERSION"-"$PLATFORM".tar.xz | sha256sum --check
 tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
 
@@ -42,9 +43,9 @@ if [[ `clang --version | head -1 | awk '{print $3}'` != "$VERSION" ]]; then
   exit 1
 fi
 
-# Go 1.12.7
-VERSION=1.12.7
-SHA256=66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9
+# Go
+VERSION=1.16.5
+SHA256=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061
 PLATFORM="linux-amd64"
 
 curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \
@@ -60,9 +61,9 @@ if [[ `go version | awk '{print $3}'` != "go$VERSION" ]]; then
   exit 1
 fi
 
-# Ninja 1.9.0
-VERSION=1.9.0
-SHA256=1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305
+# Ninja
+VERSION=1.10.2
+SHA256=763464859c7ef2ea3a0a10f4df40d2025d3bb9438fcb1228404640410c0ec22d
 PLATFORM="linux"
 
 curl -sLO https://github.com/ninja-build/ninja/releases/download/v"$VERSION"/ninja-"$PLATFORM".zip \
@@ -76,6 +77,22 @@ if [[ `ninja --version` != "$VERSION" ]]; then
   exit 1
 fi
 
+# CMake
+VERSION=3.20.1
+SHA256=b8c141bd7a6d335600ab0a8a35e75af79f95b837f736456b5532f4d717f20a09
+PLATFORM="linux-x86_64"
+
+curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \
+  && echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check
+tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz
+
+export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH"
+
+if [[ `cmake --version | head -n1` != "cmake version $VERSION" ]]; then
+  echo "ERROR: CMake version doesn't match."
+  exit 1
+fi
+
 # Clean after previous build.
 rm -rf boringssl/build
 
@@ -84,6 +101,7 @@ cd boringssl
 mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
 ninja
 ninja run_tests
+./crypto/crypto_test
 
 # Verify correctness of the FIPS build.
 if [[ `tool/bssl isfips` != "1" ]]; then

diff --git a/bazel/external/boringssl_fips.patch b/bazel/external/boringssl_fips.patch
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -316,7 +316,6 @@ def _boringssl_fips():
     external_http_archive(
         name = "boringssl_fips",
         build_file = "@envoy//bazel/external:boringssl_fips.BUILD",
-        patches = ["@envoy//bazel/external:boringssl_fips.patch"],
     )
 
 def _com_github_circonus_labs_libcircllhist():

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -125,11 +125,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_url = "https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md",
         # When this is updated to a revision newer than 2022-08-12,
         # CertValidatorUtil::setIgnoreCertificateExpiration can be simplified.
-        version = "fips-20190808",
-        sha256 = "3b5fdf23274d4179c2077b5e8fa625d9debd7a390aac1d165b7e47234f648bb8",
-        urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-ae223d6138807a13006342edfeef32e813246b39.tar.xz"],
+        version = "fips-20210429",
+        sha256 = "a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2",
+        urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz"],
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2019-08-08",
+        release_date = "2021-04-29",
         cpe = "cpe:2.3:a:google:boringssl:*",
     ),
     aspect_bazel_lib = dict(

diff --git a/source/extensions/transport_sockets/tls/utility.cc b/source/extensions/transport_sockets/tls/utility.cc
@@ -16,29 +16,6 @@ namespace Extensions {
 namespace TransportSockets {
 namespace Tls {
 
-#if BORINGSSL_API_VERSION < 10
-static constexpr absl::string_view SSL_ERROR_NONE_MESSAGE = "NONE";
-static constexpr absl::string_view SSL_ERROR_SSL_MESSAGE = "SSL";
-static constexpr absl::string_view SSL_ERROR_WANT_READ_MESSAGE = "WANT_READ";
-static constexpr absl::string_view SSL_ERROR_WANT_WRITE_MESSAGE = "WANT_WRITE";
-static constexpr absl::string_view SSL_ERROR_WANT_X509_LOOPUP_MESSAGE = "WANT_X509_LOOKUP";
-static constexpr absl::string_view SSL_ERROR_SYSCALL_MESSAGE = "SYSCALL";
-static constexpr absl::string_view SSL_ERROR_ZERO_RETURN_MESSAGE = "ZERO_RETURN";
-static constexpr absl::string_view SSL_ERROR_WANT_CONNECT_MESSAGE = "WANT_CONNECT";
-static constexpr absl::string_view SSL_ERROR_WANT_ACCEPT_MESSAGE = "WANT_ACCEPT";
-static constexpr absl::string_view SSL_ERROR_WANT_CHANNEL_ID_LOOKUP_MESSAGE =
-    "WANT_CHANNEL_ID_LOOKUP";
-static constexpr absl::string_view SSL_ERROR_PENDING_SESSION_MESSAGE = "PENDING_SESSION";
-static constexpr absl::string_view SSL_ERROR_PENDING_CERTIFICATE_MESSAGE = "PENDING_CERTIFICATE";
-static constexpr absl::string_view SSL_ERROR_WANT_PRIVATE_KEY_OPERATION_MESSAGE =
-    "WANT_PRIVATE_KEY_OPERATION";
-static constexpr absl::string_view SSL_ERROR_PENDING_TICKET_MESSAGE = "PENDING_TICKET";
-static constexpr absl::string_view SSL_ERROR_EARLY_DATA_REJECTED_MESSAGE = "EARLY_DATA_REJECTED";
-static constexpr absl::string_view SSL_ERROR_WANT_CERTIFICATE_VERIFY_MESSAGE =
-    "WANT_CERTIFICATE_VERIFY";
-static constexpr absl::string_view SSL_ERROR_HANDOFF_MESSAGE = "HANDOFF";
-static constexpr absl::string_view SSL_ERROR_HANDBACK_MESSAGE = "HANDBACK";
-#endif
 static constexpr absl::string_view SSL_ERROR_UNKNOWN_ERROR_MESSAGE = "UNKNOWN_ERROR";
 
 Envoy::Ssl::CertificateDetailsPtr Utility::certificateDetails(X509* cert, const std::string& path,
@@ -332,54 +309,12 @@ absl::optional<std::string> Utility::getLastCryptoError() {
 }
 
 absl::string_view Utility::getErrorDescription(int err) {
-#if BORINGSSL_API_VERSION < 10
-  // TODO(davidben): Remove this and the corresponding SSL_ERROR_*_MESSAGE constants when the FIPS
-  // build is updated to a later version.
-  switch (err) {
-  case SSL_ERROR_NONE:
-    return SSL_ERROR_NONE_MESSAGE;
-  case SSL_ERROR_SSL:
-    return SSL_ERROR_SSL_MESSAGE;
-  case SSL_ERROR_WANT_READ:
-    return SSL_ERROR_WANT_READ_MESSAGE;
-  case SSL_ERROR_WANT_WRITE:
-    return SSL_ERROR_WANT_WRITE_MESSAGE;
-  case SSL_ERROR_WANT_X509_LOOKUP:
-    return SSL_ERROR_WANT_X509_LOOPUP_MESSAGE;
-  case SSL_ERROR_SYSCALL:
-    return SSL_ERROR_SYSCALL_MESSAGE;
-  case SSL_ERROR_ZERO_RETURN:
-    return SSL_ERROR_ZERO_RETURN_MESSAGE;
-  case SSL_ERROR_WANT_CONNECT:
-    return SSL_ERROR_WANT_CONNECT_MESSAGE;
-  case SSL_ERROR_WANT_ACCEPT:
-    return SSL_ERROR_WANT_ACCEPT_MESSAGE;
-  case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
-    return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP_MESSAGE;
-  case SSL_ERROR_PENDING_SESSION:
-    return SSL_ERROR_PENDING_SESSION_MESSAGE;
-  case SSL_ERROR_PENDING_CERTIFICATE:
-    return SSL_ERROR_PENDING_CERTIFICATE_MESSAGE;
-  case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
-    return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION_MESSAGE;
-  case SSL_ERROR_PENDING_TICKET:
-    return SSL_ERROR_PENDING_TICKET_MESSAGE;
-  case SSL_ERROR_EARLY_DATA_REJECTED:
-    return SSL_ERROR_EARLY_DATA_REJECTED_MESSAGE;
-  case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
-    return SSL_ERROR_WANT_CERTIFICATE_VERIFY_MESSAGE;
-  case SSL_ERROR_HANDOFF:
-    return SSL_ERROR_HANDOFF_MESSAGE;
-  case SSL_ERROR_HANDBACK:
-    return SSL_ERROR_HANDBACK_MESSAGE;
-  }
-#else
   const char* description = SSL_error_description(err);
   if (description) {
     return description;
   }
-#endif
-  ENVOY_BUG(false, "Unknown BoringSSL error had occurred");
+
+  IS_ENVOY_BUG("BoringSSL error had occurred: SSL_error_description() returned nullptr");
   return SSL_ERROR_UNKNOWN_ERROR_MESSAGE;
 }
 

diff --git a/test/extensions/transport_sockets/tls/utility_test.cc b/test/extensions/transport_sockets/tls/utility_test.cc
@@ -194,7 +194,7 @@ TEST(UtilityTest, SslErrorDescriptionTest) {
   }
 
   EXPECT_ENVOY_BUG(EXPECT_EQ(Utility::getErrorDescription(-1), "UNKNOWN_ERROR"),
-                   "Unknown BoringSSL error had occurred");
+                   "BoringSSL error had occurred: SSL_error_description() returned nullptr");
 }
 
 TEST(UtilityTest, TestGetX509ErrorInfo) {