diff --git a/.bazelrc b/.bazelrc
index 403f253b1b..3fe4083d70 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -568,7 +568,7 @@ common:bes-envoy-engflow --bes_timeout=3600s
 common:bes-envoy-engflow --bes_upload_mode=fully_async
 common:bes-envoy-engflow --nolegacy_important_outputs
 common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
-common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://quay.io/jwendell/envoy-build-ubuntu@sha256:de2689a4c97657764e27050ffbee3c6330a81bf3cd52ede2a4efeff5bce86958
+common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:56b66cc84065c88a141963cedbbe4198850ffae0dacad769f516d0e9081439da
 common:rbe-envoy-engflow --jobs=200
 common:rbe-envoy-engflow --define=engflow_rbe=true
diff --git a/.github/workflows/envoy-openssl.yml b/.github/workflows/envoy-openssl.yml
index 111f92b401..cea14db450 100644
--- a/.github/workflows/envoy-openssl.yml
+++ b/.github/workflows/envoy-openssl.yml
@@ -34,5 +34,3 @@ jobs:
 ENVOY_RBE: 1
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ENVOY_STDLIB: libstdc++
- IMAGE_NAME: quay.io/jwendell/envoy-build-ubuntu
- IMAGE_ID: openssl-cb86d91cf406995012e330ab58830e6ee10240cb
diff --git a/bazel/external/openssl.BUILD b/bazel/external/openssl.BUILD
new file mode 100644
index 0000000000..b230a27e4e
--- /dev/null
+++ b/bazel/external/openssl.BUILD
@@ -0,0 +1,31 @@
+load("@rules_foreign_cc//foreign_cc:configure.bzl", "configure_make")
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+licenses(["notice"]) # Apache 2
+
+filegroup(
+ name = "all",
+ srcs = glob(["**"]),
+ visibility = ["//visibility:public"],
+)
+
+# Set out_headers_only=True to stop executables linking against the OpenSSL shared libraries.
+# This is required because we want executables to link against the bssl-compat library instead.
+# The bssl-compat library is a static library that provides a compatibility layer for BoringSSL,
+# by dynamically loading the OpenSSL shared libraries at run time.
+#
+# We do still list the OpenSSL shared libraries in out_shared_libs, so that they are made available
+# in the sandbox of dependant targets, so bssl-compat can dynamically load them at run time.
+configure_make(
+ name = "openssl",
+ lib_source = ":all",
+ configure_in_place = True,
+ configure_command = "Configure",
+ targets = ["build_sw", "install_sw"],
+ args = ["-j"],
+ out_headers_only = True,
+ out_include_dir = "include",
+ out_lib_dir = "lib64",
+ out_shared_libs = ["libssl.so.3", "libcrypto.so.3"],
+ visibility = ["//visibility:public"],
+)
diff --git a/bazel/rbe/toolchains/configs/linux/clang/config/BUILD b/bazel/rbe/toolchains/configs/linux/clang/config/BUILD
index 2f850819bc..767644bdfd 100755
--- a/bazel/rbe/toolchains/configs/linux/clang/config/BUILD
+++ b/bazel/rbe/toolchains/configs/linux/clang/config/BUILD
@@ -44,7 +44,7 @@ platform(
 "@bazel_tools//tools/cpp:clang",
 ],
 exec_properties = {
- "container-image": "docker://quay.io/jwendell/envoy-build-ubuntu@sha256:de2689a4c97657764e27050ffbee3c6330a81bf3cd52ede2a4efeff5bce86958",
+ "container-image": "docker://gcr.io/envoy-ci/envoy-build@sha256:56b66cc84065c88a141963cedbbe4198850ffae0dacad769f516d0e9081439da",
 "OSFamily": "Linux",
 },
 parents = ["@local_config_platform//:host"],
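Review bot: `out_lib_dir = "lib64"` hard-codes where `libssl.so.3` and `libcrypto.so.3` are expected, but OpenSSL's `Configure` chooses `lib` or `lib64` from the detected target, so on a target that installs into `lib` the rule will not find the files named in `out_shared_libs`; pinning the choice on the configure line, `configure_options = ["--libdir=lib64"]`, keeps the two attributes in agreement (the CMake ExternalProject fallback this change removes did the same with `--libdir=lib`). `args = ["-j"]` hands make unbounded parallelism inside the sandbox, which on a shared remote executor can exhaust memory; a bounded value, or leaving concurrency to Bazel's `--jobs`, is the safer default. The header comment explains the headers-only/shared-libs split well; a one-line note next to `out_shared_libs` that these names must match the `.so.3` SONAMEs the generated loader dlopens would complete it.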
diff --git a/bazel/rbe/toolchains/configs/linux/clang_libcxx/config/BUILD b/bazel/rbe/toolchains/configs/linux/clang_libcxx/config/BUILD
index b1925923a3..a0a44b2af6 100755
--- a/bazel/rbe/toolchains/configs/linux/clang_libcxx/config/BUILD
+++ b/bazel/rbe/toolchains/configs/linux/clang_libcxx/config/BUILD
@@ -44,7 +44,7 @@ platform(
 "@bazel_tools//tools/cpp:clang",
 ],
 exec_properties = {
- "container-image": "docker://quay.io/jwendell/envoy-build-ubuntu@sha256:de2689a4c97657764e27050ffbee3c6330a81bf3cd52ede2a4efeff5bce86958",
+ "container-image": "docker://gcr.io/envoy-ci/envoy-build@sha256:56b66cc84065c88a141963cedbbe4198850ffae0dacad769f516d0e9081439da",
 "OSFamily": "Linux",
 },
 parents = ["@local_config_platform//:host"],
diff --git a/bazel/rbe/toolchains/configs/linux/gcc/config/BUILD b/bazel/rbe/toolchains/configs/linux/gcc/config/BUILD
index 471564df63..496ba319d4 100755
--- a/bazel/rbe/toolchains/configs/linux/gcc/config/BUILD
+++ b/bazel/rbe/toolchains/configs/linux/gcc/config/BUILD
@@ -42,7 +42,7 @@ platform(
 "@bazel_tools//tools/cpp:clang",
 ],
 exec_properties = {
- "container-image": "docker://quay.io/jwendell/envoy-build-ubuntu@sha256:de2689a4c97657764e27050ffbee3c6330a81bf3cd52ede2a4efeff5bce86958",
+ "container-image": "docker://gcr.io/envoy-ci/envoy-build@sha256:56b66cc84065c88a141963cedbbe4198850ffae0dacad769f516d0e9081439da",
 "OSFamily": "Linux",
 },
 parents = ["@local_config_platform//:host"],
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 8acd53d75a..f74aa8a900 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -135,6 +135,8 @@ def envoy_dependencies(skip_targets = []):
 # Setup external Bazel rules
 _foreign_cc_dependencies()
+ _openssl()
+
 # Binding to an alias pointing to the bssl-compat layer
 native.bind(
 name = "ssl",
@@ -273,6 +275,12 @@ def _aws_lc():
 build_file = "@envoy//bazel/external:aws_lc.BUILD",
 )
+def _openssl():
+ external_http_archive(
+ name = "openssl",
+ build_file = "@envoy//bazel/external:openssl.BUILD",
+ )
+
 def _com_github_openhistogram_libcircllhist():
 external_http_archive(
 name = "com_github_openhistogram_libcircllhist",
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index 189b480515..ba98b7da82 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -157,6 +157,20 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 release_date = "2025-02-06",
 cpe = "cpe:2.3:a:google:boringssl:*",
 ),
+ openssl = dict(
+ project_name = "OpenSSL",
+ project_desc = "TLS/SSL and crypto library",
+ project_url = "https://github.com/openssl/openssl",
+ version = "3.0.16",
+ sha256 = "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86",
+ strip_prefix = "openssl-{version}",
+ urls = ["https://github.com/openssl/openssl/releases/download/openssl-{version}/openssl-{version}.tar.gz"],
+ use_category = ["controlplane", "dataplane_core"],
+ release_date = "2025-02-11",
+ cpe = "cpe:2.3:a:openssl:openssl:*",
+ license = "Apache-2.0",
+ license_url = "https://github.com/openssl/openssl/blob/openssl-{version}/LICENSE.txt",
+ ),
 aspect_bazel_lib = dict(
 project_name = "Aspect Bazel helpers",
 project_desc = "Base Starlark libraries and basic Bazel rules which are useful for constructing rulesets and BUILD files",
diff --git a/bssl-compat/BUILD b/bssl-compat/BUILD
index b022908f18..ebcf602364 100644
--- a/bssl-compat/BUILD
+++ b/bssl-compat/BUILD
@@ -15,7 +15,8 @@ cmake(
 visibility = ["//visibility:public"],
 generate_crosstool_file = False,
 out_binaries = ["utests-bssl-compat"],
- build_args = [ "-j" ]
+ build_args = [ "-j" ],
+ deps = ["@openssl//:openssl"],
 )
 filegroup(
diff --git a/bssl-compat/CMakeLists.txt b/bssl-compat/CMakeLists.txt
index 73b1385a54..fdd59f6774 100644
--- a/bssl-compat/CMakeLists.txt
+++ b/bssl-compat/CMakeLists.txt
@@ -7,9 +7,6 @@ if(POLICY CMP0135)
 cmake_policy(SET CMP0135 NEW)
 endif()
-set(OPENSSL_URL https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.13.tar.gz)
-set(OPENSSL_URL_HASH e74504ed7035295ec7062b1da16c15b57ff2a03cd2064a28d8c39458cacc45fc)
-
 set(CMAKE_C_STANDARD 11)
 set(CMAKE_CXX_STANDARD 17)
diff --git a/bssl-compat/cmake/openssl.cmake b/bssl-compat/cmake/openssl.cmake
index 00fbae02b7..9219189db9 100644
--- a/bssl-compat/cmake/openssl.cmake
+++ b/bssl-compat/cmake/openssl.cmake
@@ -5,19 +5,5 @@ if(OpenSSL_FOUND)
 get_filename_component(OPENSSL_LIBRARY_DIR ${OPENSSL_CRYPTO_LIBRARY} DIRECTORY)
 message(STATUS "Found OpenSSL ${OPENSSL_VERSION} (${OPENSSL_LIBRARY_DIR})")
 else()
- message(STATUS "Building OpenSSL (${OPENSSL_URL})")
- include(ExternalProject)
- set(OPENSSL_SOURCE_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl/source)
- set(OPENSSL_CONFIG_CMD ${OPENSSL_SOURCE_DIR}/config)
- set(OPENSSL_INSTALL_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl/install)
- set(OPENSSL_INCLUDE_DIR ${OPENSSL_INSTALL_DIR}/include)
- set(OPENSSL_LIBRARY_DIR ${OPENSSL_INSTALL_DIR}/lib)
- ExternalProject_Add(OpenSSL
- URL ${OPENSSL_URL}
- URL_HASH SHA256=${OPENSSL_URL_HASH}
- SOURCE_DIR ${OPENSSL_SOURCE_DIR}
- CONFIGURE_COMMAND ${OPENSSL_CONFIG_CMD} --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
- TEST_COMMAND ""
- INSTALL_COMMAND make install_sw
- )
+ message(FATAL_ERROR "OpenSSL 3.0 not found. Aborting.")
 endif()
diff --git a/bssl-compat/prefixer/prefixer.cpp b/bssl-compat/prefixer/prefixer.cpp
index f6a0bc6bfb..8d27616c52 100644
--- a/bssl-compat/prefixer/prefixer.cpp
+++ b/bssl-compat/prefixer/prefixer.cpp
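Review bot: `message(FATAL_ERROR "OpenSSL 3.0 not found. Aborting.")` asserts a version requirement that the visible condition, `if(OpenSSL_FOUND)`, does not check; the `find_package(OpenSSL ...)` call is outside the hunk, so if it passes no minimum version a system OpenSSL 1.1 would take the success branch and this message would never fire for it. With the ExternalProject fallback gone (it pinned a 3.0.x tarball by SHA-256), the constraint belongs on the lookup itself, e.g. `find_package(OpenSSL 3.0 REQUIRED)`, and the error should tell the user how to satisfy it: `message(FATAL_ERROR "OpenSSL 3.0 not found; set OPENSSL_ROOT_DIR to an OpenSSL 3.0 installation. Aborting.")`.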
@@ -265,12 +265,9 @@ class MyFrontendAction: public clang::ASTFrontendAction {
 if (prefixable(token.getLocation())) {
 std::string name = pp.getSpelling(token);
 m_identifiers.insert(name);
- if (name == "SHLIB_VERSION_NUMBER") {
+ if (name == "OPENSSL_VERSION_MAJOR") {
 const auto &token = directive->getMacroInfo()->getReplacementToken(0);
 m_shlibversion = std::string(token.getLiteralData(), token.getLength());
- // Remove the quotation marks.
- m_shlibversion = m_shlibversion.substr(1, m_shlibversion.size() - 1);
- m_shlibversion.pop_back();
 }
 }
 }
@@ -438,9 +435,10 @@ void MyFrontendAction::EndSourceFileAction() {
 std::map> funcmap;
 for(const auto &f : m_functions) {
- std::string header = f.getHeader(srcmgr);
+ std::filesystem::path header = f.getHeader(srcmgr);
+ header = header.lexically_relative(opt::incdir());
 if(funcmap.find(header) == funcmap.end()) {
- hstr << "#include \"" << header <<"\"" << std::endl;
+ hstr << "#include \"" << header.string() <<"\"" << std::endl;
 }
 funcmap[header].push_back(f);
 }
@@ -472,6 +470,8 @@ void MyFrontendAction::EndSourceFileAction() {
 std::ofstream cstr (opt::cfile());
 cstr << "//" << std::endl << "// THIS FILE IS GENERATED BY THE PREFIXER TOOL DO NOT EDIT" << std::endl << "//" << std::endl
+ << "#define _GNU_SOURCE" << std::endl
+ << "#include " << std::endl
 << "#include " << std::endl << "#include " << std::endl << "#include " << std::endl
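Review bot: `m_shlibversion` now receives the replacement token of `OPENSSL_VERSION_MAJOR`, a bare number such as `3`, yet its name still describes the quoted `SHLIB_VERSION_NUMBER` string that the removed quote-stripping lines were written for, so a reader following the member elsewhere will expect the old format. Either rename it (`m_version_major`) or annotate the assignment: `// Major version only (e.g. 3), from OPENSSL_VERSION_MAJOR; no longer the quoted SHLIB_VERSION_NUMBER string.` Where the value is consumed lies outside this hunk, so whether every consumer was adjusted cannot be checked here; the enclosing class continues outside the hunk.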
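Review bot: `header.lexically_relative(opt::incdir())` yields an empty path when `header` and `opt::incdir()` differ in root or in absolute/relative form, and a `..`-prefixed path when the header is not under the include directory; either value flows straight into `hstr << "#include \"" << header.string() ...`, producing `#include ""` or an include that escapes the install tree with no diagnostic. A guard along the lines of `if (header.empty() || header.string().rfind("..", 0) == 0)` that reports the original `f.getHeader(srcmgr)` before writing the include would surface the misconfiguration at generation time rather than at compile time of the consumer. `EndSourceFileAction` continues outside the hunk.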
@@ -493,22 +493,31 @@ void MyFrontendAction::EndSourceFileAction() {
 << " const char *s = symbol + " << opt::prefix.size() + 1 << ";" << std::endl
 << " if ((result = dlsym(libcrypto, s)) != NULL) return result;" << std::endl
 << " if((result = dlsym(libssl, s)) != NULL) return result;" << std::endl
- << "//fprintf(stderr, \"dlsym(%s) : %s\\n\", s, dlerror());" << std::endl
- << "//exit(ELIBACC);" << std::endl
 << " return NULL;" << std::endl
 << "}" << std::endl
 << std::endl
 << "static void " << opt::prefix << "_init(void) {" << std::endl
- << " if((libcrypto = dlopen(LIBCRYPTO_SO, RTLD_NOW | RTLD_LOCAL)) == NULL) {" << std::endl
+ << " if((libcrypto = dlopen(LIBCRYPTO_SO, RTLD_NOW | RTLD_LOCAL | RTLD_DEEPBIND)) == NULL) {" << std::endl
 << " fprintf(stderr, \"dlopen(%s) : %s\\n\", LIBCRYPTO_SO, dlerror());" << std::endl
 << " exit(ELIBACC);" << std::endl
 << " }" << std::endl
 << std::endl
- << " if((libssl = dlopen(LIBSSL_SO, RTLD_NOW | RTLD_LOCAL)) == NULL) {" << std::endl
+ << " if((libssl = dlopen(LIBSSL_SO, RTLD_NOW | RTLD_LOCAL | RTLD_DEEPBIND)) == NULL) {" << std::endl
 << " fprintf(stderr, \"dlopen(%s) : %s\\n\", LIBSSL_SO, dlerror());" << std::endl
 << " exit(ELIBACC);" << std::endl
 << " }" << std::endl
 << std::endl
+ << " if(getenv(\"BSSL_COMPAT_DEBUG_DLINFO\")) {" << std::endl
+ << " char libcryptoorigin[PATH_MAX];" << std::endl
+ << " if (dlinfo(libcrypto, RTLD_DI_ORIGIN, libcryptoorigin) == 0) {" << std::endl
+ << " fprintf(stderr, \"bssl-compat: Loaded %s from %s\\n\", LIBCRYPTO_SO, libcryptoorigin);" << std::endl
+ << " }" << std::endl
+ << " char libsslorigin[PATH_MAX];" << std::endl
+ << " if (dlinfo(libssl, RTLD_DI_ORIGIN, libsslorigin) == 0) {" << std::endl
+ << " fprintf(stderr, \"bssl-compat: Loaded %s from %s\\n\", LIBSSL_SO, libsslorigin);" << std::endl
+ << " }" << std::endl
+ << " }" << std::endl
+ << std::endl
 << " ossl.ossl_OpenSSL_version_num = (ossl_OpenSSL_version_num_t)lookup(\"ossl_OpenSSL_version_num\");" << std::endl
 << " if (ossl.ossl_OpenSSL_version_num == NULL) {" << std::endl
 << " fprintf(stderr, \"Failed to load OpenSSL_version_num()\\n\");" << std::endl
@@ -711,7 +720,7 @@ int main(int argc, const char **argv) {
 globflags |= GLOB_APPEND;
 }
 for (auto i = 0; i < globbuf.gl_pathc; i++) {
- auto p = std::filesystem::proximate(globbuf.gl_pathv[i], srcpath);
+ auto p = std::filesystem::path(globbuf.gl_pathv[i]).lexically_relative(srcpath);
 opt::headers[p] = true;
 }
 globfree (&globbuf);
@@ -725,7 +734,7 @@ int main(int argc, const char **argv) {
 globflags |= GLOB_APPEND;
 }
 for (auto i = 0; i < globbuf.gl_pathc; i++) {
- auto p = std::filesystem::proximate(globbuf.gl_pathv[i], srcpath);
+ auto p = std::filesystem::path(globbuf.gl_pathv[i]).lexically_relative(srcpath);
 opt::headers[p] = false;
 }
 globfree (&globbuf);
@@ -756,6 +765,8 @@ int main(int argc, const char **argv) {
 std::filesystem::remove(dsthdr);
 }
 std::filesystem::copy_file(srcpath / hdr, dsthdr);
+ std::filesystem::permissions(dsthdr, std::filesystem::perms::owner_write |
+ std::filesystem::perms::owner_read);
 }
 }
diff --git a/openssl/bazelrc b/openssl/bazelrc
index 1d7c5c7972..800ab2136b 100644
--- a/openssl/bazelrc
+++ b/openssl/bazelrc
@@ -23,5 +23,6 @@ build:ppc --//source/extensions/filters/common/lua:luajit2=1 --linkopt=-fuse-ld=
 common --action_env=Clang_DIR=/opt/llvm
 common --action_env=LLVM_DIR=/opt/llvm
-common --action_env=LD_LIBRARY_PATH=/opt/openssl3.0/lib64
-test --test_env=LD_LIBRARY_PATH=/opt/openssl3.0/lib64
+
+build --verbose_failures
+build --keep_going
diff --git a/test/common/router/BUILD b/test/common/router/BUILD
index a6cee86025..8f05eb1746 100644
--- a/test/common/router/BUILD
+++ b/test/common/router/BUILD
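Review bot: Adding `RTLD_DEEPBIND` to both emitted `dlopen` calls (the libcrypto one and, a few lines below, the libssl one) has a consequence the generated loader does not document: the sanitizer runtimes (ASan, for one) refuse a `dlopen` that carries this flag, so any sanitizer build of a binary using the generated `_init` will exit before OpenSSL is loaded. The reason the flag is wanted — presumably to keep the loaded OpenSSL from binding to same-named symbols exported by the host program — belongs in a comment on the emitted line, and the flag set should be emitted through one macro, `#define BSSL_COMPAT_DLOPEN_FLAGS (RTLD_NOW | RTLD_LOCAL | RTLD_DEEPBIND)`, so a sanitizer configuration can drop DEEPBIND in a single place. The `BSSL_COMPAT_DEBUG_DLINFO` block is opt-in diagnostics writing the resolved library origin to stderr, which is reasonable as written. `EndSourceFileAction` continues outside the hunk.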
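Review bot: `std::filesystem::proximate(x, srcpath)` canonicalised both sides and fell back to the original path when no relative form exists, whereas `path(x).lexically_relative(srcpath)` does neither: if a glob result and `srcpath` differ by a symlink, a `.` component or a trailing separator, the result is empty or `..`-prefixed and is then stored as a key in `opt::headers` without complaint. The same replacement is made in the second loop at `@@ -725`. If the goal is only to stop resolving symlinks, `lexically_proximate` keeps the non-empty fallback: `auto p = std::filesystem::path(globbuf.gl_pathv[i]).lexically_proximate(srcpath);`. `main` continues outside the hunk.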
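Review bot: `std::filesystem::permissions(dsthdr, owner_write | owner_read)` runs with the default `perm_options::replace`, so it sets the copied header to exactly owner read/write, dropping group and other read as well as any bits `copy_file` carried over from the source. If the intent is only to make a read-only source copy writable (input trees handed over by a build system are often read-only), `std::filesystem::permissions(dsthdr, std::filesystem::perms::owner_write, std::filesystem::perm_options::add);` does that and nothing more. A one-line comment stating the intent above the call would make the choice reviewable. `main` continues outside the hunk.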
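Review bot: `build --keep_going` committed to the shared rc changes the failure behaviour of every build and test invocation that reads this file: Bazel continues past the first error, so failures surface later and the first diagnostic is buried under subsequent output. `--verbose_failures` is harmless, but together they read as local debugging settings; consider moving both under a named config, `build:debug --verbose_failures` and `build:debug --keep_going`, and selecting it explicitly. Dropping the `LD_LIBRARY_PATH` action and test env appears consistent with the libraries now coming from the `@openssl` target, though how the generated loader locates `libcrypto.so.3` at run time is not visible in this file.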
@@ -257,11 +257,6 @@ sh_binary(
 envoy_directory_genrule(
 name = "corpus_from_config_impl",
 testonly = 1,
- srcs = [
- # This is deliberately in srcs, since we run into host/target confusion
- # otherwise in oss-fuzz builds.
- ":config_impl_test_static",
- ],
 cmd = " ".join([
 "$(location corpus_from_config_impl_sh)",
 "$(location //test/common/router:config_impl_test_static)",
@@ -270,7 +265,10 @@ envoy_directory_genrule(
 "//bazel:engflow_rbe_x86_64": {"Pool": "6gig"},
 "//conditions:default": {},
 }),
- tools = [":corpus_from_config_impl_sh"],
+ tools = [
+ ":config_impl_test_static",
+ ":corpus_from_config_impl_sh",
+ ],
 )
 filegroup(
diff --git a/test/common/router/corpus_from_config_impl.sh b/test/common/router/corpus_from_config_impl.sh
index 12bb68420e..345d87ffc9 100755
--- a/test/common/router/corpus_from_config_impl.sh
+++ b/test/common/router/corpus_from_config_impl.sh
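Review bot: The deleted comment recorded that `:config_impl_test_static` was kept in `srcs` deliberately because listing it as a tool caused host/target confusion in oss-fuzz builds; the second hunk (`@@ -270`) now lists it under `tools`, which builds it in the exec configuration — the very situation the comment warned about — and the rationale is not carried over. If the move is required so the genrule can execute the binary on the remote executor, keep that history visible, e.g. `# Moved from srcs to tools so the genrule runs the exec-configured binary; this previously caused host/target confusion in oss-fuzz builds — re-verify that configuration.` Whether oss-fuzz still builds this target cannot be seen from the hunk.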
@@ -1,5 +1,40 @@
 #!/bin/sh
+set +x
+
+echo "TED: \$0 = '$0'"
+echo "TED: \$@ = '$@'"
+
+echo "TED:"
+echo "TED: readelf -d \"$1\" ...."
+readelf -d "$1" | sed 's/^/TED: /g'
+
+echo "TED:"
+echo "TED: ldd \"$1\" ...."
+ldd "$1" | sed 's/^/TED: /g'
+
+ORIGIN="$(dirname "$(readlink -f "$1")")"
+
+readelf -d "$1" | awk '/RUNPATH/ {match($0, /Library runpath: \[(.*)\]/, a); print a[1]}' | \
+tr ':' '\n' | while IFS= read -r RUNPATH; do
+ echo "TED:"
+ echo "TED: RUNPATH : $RUNPATH"
+ ABSRUNPATH="$(readlink -f "$(echo "$RUNPATH" | sed "s|\$ORIGIN|$ORIGIN|g")")"
+ if [ -d "${ABSRUNPATH}" ]; then
+ echo "TED: ABSRUNPATH : $ABSRUNPATH"
+ find "$ABSRUNPATH" -name "*.so*" | while IFS= read -r SOFILE; do
+ echo "TED: SOFILE : $SOFILE"
+ ls -l "$SOFILE" | sed 's/^/TED: : /g'
+ file "$SOFILE" | sed 's/^/TED: : /g'
+ file --dereference "$SOFILE" | sed 's/^/TED: : /g'
+ ldd "$SOFILE" | sed 's/^/TED: : /g'
+ done
+ else
+ echo "TED: ABSRUNPATH not found: $ABSRUNPATH"
+ fi
+done
+
+
 # Helper shell script for :corpus_from_config_impl genrule in BUILD.
 # Set NORUNFILES so test/main doesn't fail when runfiles manifest is not found.