ssl: upgrade FIPS boringssl version #27087

Merged May 2, 2023 (2 commits)

ggreenway

Commit Message: Update FIPS BoringSSL version to 20210429
Additional Description:
Risk Level: low
Testing: existing tests
Docs Changes: none
Release Notes: none
Platform Specific Features: no changes
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway ggreenway requested a review from lizan as a code owner May 1, 2023 16:31
@repokitteh-read-only repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label May 1, 2023
@repokitteh-read-only

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @RyanTheOptimist

🐱

Caused by: #27087 was opened by ggreenway.


RyanTheOptimist
RyanTheOptimist previously approved these changes May 1, 2023

Nice!

@repokitteh-read-only repokitteh-read-only bot removed the deps Approval required for changes to Envoy's external dependencies label May 1, 2023
@yanavlasov

Looks like a fragile change detector test has failed.

/wait

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@repokitteh-read-only repokitteh-read-only bot added deps Approval required for changes to Envoy's external dependencies and removed waiting labels May 1, 2023
@yanavlasov yanavlasov enabled auto-merge (squash) May 1, 2023 19:16
@ggreenway

/retest

@repokitteh-read-only

Retrying Azure Pipelines:
Check envoy-presubmit isn't fully completed, but will still attempt retrying.
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #27087 (comment) was created by @ggreenway.


@yanavlasov yanavlasov merged commit eed541d into envoyproxy:main May 2, 2023
michaelfinch added a commit to michaelfinch/envoy that referenced this pull request May 2, 2023
* main: (175 commits)
  xds: add config for pick_first LB policy extension (envoyproxy#26952)
  ci: run Kotlin tests with signal_trace disabled (envoyproxy#27090)
  ssl: upgrade FIPS boringssl version (envoyproxy#27087)
  Add createPath to Filesystem abstraction. (envoyproxy#27052)
  mobile/ci: Increase test_timeout for ios tests (envoyproxy#27044)
  [mobile]remove Java and GMScore impl from Cronvoy (envoyproxy#27039)
  Fix compliance issues for iOS builds (envoyproxy#27027)
  docs: fix the license URL of the dependency "dd-trace-cpp" (envoyproxy#27054)
  ci/mobile: Hide CI progress in .bazelrc (envoyproxy#27045)
  thrift_proxy: add access log support for local reply (envoyproxy#27057)
  ci: Consolidate artifact targets (envoyproxy#27079)
  lb: moving maglev to extensions (envoyproxy#27037)
  Overload Manager: LoadShedPoint for HCM decode headers (envoyproxy#26769)
  Plumb ServerFactoryContext into header validator factory (envoyproxy#27008)
  access_log: use AccessLogType::NotSet instead of default value (envoyproxy#27058)
  access_log: pass access log type parameter to evaluate function (envoyproxy#27063)
  Remove unused member from GrpcStream (envoyproxy#27055)
  tools: setup build in local_fix_format (envoyproxy#27060)
  generic proxy: virtual host support for the generic proxy routing (envoyproxy#26932)
  deps: Bump pytooling publishing deps (envoyproxy#27059)
  ...
reskin89 pushed a commit to reskin89/envoy that referenced this pull request Jul 11, 2023
* ssl: upgrade FIPS boringssl version

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Ryan Eskin <ryan.eskin89@protonmail.com>
phlax pushed a commit to phlax/envoy that referenced this pull request Jul 24, 2023
* ssl: upgrade FIPS boringssl version

Signed-off-by: Greg Greenway <ggreenway@apple.com>

Signed-off-by: Ryan Northey <ryan@synca.io>
phlax pushed a commit that referenced this pull request Jul 24, 2023
* ssl: upgrade FIPS boringssl version

Signed-off-by: Greg Greenway <ggreenway@apple.com>

Signed-off-by: Ryan Northey <ryan@synca.io>
phlax added a commit that referenced this pull request Jul 24, 2023
Follow up from:

- #27087
- #27622

Signed-off-by: Ryan Northey <ryan@synca.io>
phlax added a commit to phlax/envoy that referenced this pull request Jul 25, 2023
Follow up from:

- envoyproxy#27087
- envoyproxy#27622

Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: phlax <phlax@users.noreply.github.com>
phlax added a commit that referenced this pull request Jul 25, 2023
Follow up from:

- #27087
- #27622

Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: phlax <phlax@users.noreply.github.com>
phlax added a commit that referenced this pull request Jul 26, 2023
Follow up from:

- #27087
- #27622

Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: phlax <phlax@users.noreply.github.com>
phlax added a commit to phlax/envoy that referenced this pull request Jul 26, 2023
Follow up from:

- envoyproxy#27087
- envoyproxy#27622

Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: phlax <phlax@users.noreply.github.com>
alyssawilk pushed a commit that referenced this pull request Sep 19, 2023
Commit Message: QUICHE QUIC code and libraries are supposed to be hidden behind the macro ENVOY_ENABLE_QUIC and envoy_select_enable_http3(). Any violation should have resulted in an open SSL FIPS build error because of the interface incompatibility. But the recent FIPS dependency update #27087 resolved the incompatibility. So upstream_request_lib unhid QUIC code accidentally. This change fixes the dependency leakage and changes some critical QUIC libraries to be wrapped in envoy_select_enable_http3, which skips building the libraries under bazel option //bazel:http3=False to avoid future leakage.

Risk Level: low
Testing: existing builds are happy
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A

Signed-off-by: Dan Zhang <danzh@google.com>
Co-authored-by: Dan Zhang <danzh@google.com>