Rebase upstream Envoy 1.35 into envoy-openssl #349
Open
dcillera wants to merge 148 commits into envoyproxy:release/v1.35 from dcillera:my-rebase-1.35-new-boring-hcval
+2,417,002
−659
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…b89d846ec53f2) BoringSSL Commit ca1690e221677cea3fb946f324eb89d846ec53f2 Now in the bssl-compat/third_party/boringssl/ directory According to https://boringssl.googlesource.com/boringssl/+/HEAD/INCORPORATING.md Disabled the configure/build for BoringSSL because (1) it can't be done on all platforms, and (2) we no longer need to configure/build BoringSSL to obtain its crypto_test_data.cc file because it is now checked in. Removed the pre installation of go into the builder image. This was only being done as a workaround to support the BoringSSL configure/build, but that requirement has now gone. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
We can now use the original OpenSSL functions as Envoy has stopped accessing the internal struct fields of BIO_METHOD (relevant change in Envoy was in 0ff3fcb). This change also removes our wrapper functions to deal with this behavior and the tests for them. Signed-off-by: Daniel Grimm <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Daniel Grimm <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
* Only supports synchronous (pass or fail) verification, which is enough to accommodate the default certificate validator. * Also fixed/extended the implementation of SSL_get_peer_full_cert_chain() so that (1) its return value now has the correct ownership semantics, and (2) it works in the context of a SSL_CTX_set_custom_verify() callback. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…s options) Note that this really is a misuse of the "boringssl=fips" define, and the "nofips" tag. However, pretending that we are building on a FIPS version of BoringSSL has the side effect of compiling out QUIC support, which is what we want to achieve. At some point, when a newer version of BoringSSL FIPS does support building QUIC, this misuse of these options will almost certainly stop working. At that point, we will need to fix the //bazel:http3=False option. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Eliminated the need for the openssl/do_ci.sh script, so the upstream ci/do_ci.sh script should now be used directly instead. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
For this test to pass, it requires OpenSSL's legacy provider, so that the RC2-40-CBC encryption algorithm is available. Previously, this was achieved via an OpenSSL configuration file, pointed to by the OPENSSL_CONF env var, which was set up in openssl/do_ci.sh script. But since the openssl/do_ci.sh script no longer exists, we have to load (and unload) the legacy provider programmatically instead. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Since we do not currently support async cert validation, the following tests have been disabled: SslIntegrationTest.AsyncCertValidationSucceeds SslIntegrationTest.AsyncCertValidationSucceedsWithLocalAddress SslIntegrationTest.AsyncCertValidationAfterTearDown SslIntegrationTest.AsyncCertValidationAfterSslShutdown Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…tests By making BoringSSL's ssl_private_key_method_st struct definition, and a few extra functions, available in bssl-compat, it is now possible to compile all of Envoy's private key method provider implementation and test code. The main reason for this is to minimise the number of diffs wrt upstream. Clearly, because the private key method provider mechanism isn't actually implemented on OpenSSL, all the tests which actually exercise the private key method provider will fail, so they are all disabled. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Switching OpenSSL between FIPS and non-FIPS is a config choice that is made during deployment. Therefore, FIPS vs non-FIPS mode has no effect during build time. Therefore the envoy-openssl binary has no concept of being built for one mode or the other. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…f BoringSSL Some tests check for things like JA3 fingerprints and/or received byte counts, which vary between BoringSSL and OpenSSL due to slightly different client hello contents etc. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
The ErrTest.test_SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM test was failing to compile because it was referring to SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM rather than the prefixed ossl_SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM. The previously generated implementations of SSL_CTX_get_session_cache_mode() and X509_STORE_CTX_get0_chain() have been replaced with hand written ones, with the addition of some const casting to remove compiler warnings. Finally, the OpenSSL version is increased from 3.0.8 to 3.0.13 Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
A non-null callback was previously disallowed simply because there were no tests. However, when building Envoy with google grpc, the callback capability is required, and without it some of the grpc_client_integration_test fails. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
* Boringssl s390x fix * rules python fix for s390x * Update to minimum python version supported on s390x Signed-off-by: Surender Yadav <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Dependabot already runs upstream on envoyproxy/envoy, so we get all of the updates that it makes each time we synchronize. Duplicating the same checks here just creates duplicates/noise. Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
…set_enforce_rsa_key_usage Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
envoyproxy/envoy#40544 Fix a bug where the `tls_inspector` times out when used with the `http_inspector` and it gets a large client hello. Envoy was set up with both `http_inspector` and `tls_inspector` present. We noticed `tls_inspector` timing out when receiving a large client hello (>8 KB). <!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing [email protected] where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) --> Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Yuval Kohavi <[email protected]> Co-authored-by: Yuval Kohavi <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…guraton combination (#39740)" (#40503) There is a request to have ext_proc FULL_DUPLEX_STREAMED mode support fail_open to certain stage, like before the 1st chunk of data is shipped to the ext_proc server. This is doable. This PR reverts "Ext_proc: do not support fail_open+FULL_DUPLEX_STREAMED configuraton combination (#39740)", i.e, commit 4861b20. A follow up PR will implement the above fail-open behavior. --------- Signed-off-by: Yanjun Xiang <[email protected]> Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…(#40714) Co-authored-by: botengyao <[email protected]> Signed-off-by: code <[email protected]> Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
**Summary of changes**: * Release images: - Update Ubuntu and distroless base images. * Bug fixes - Assorted bug fixes for ext_proc, TLS inspector, and HTTP listeners. **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.1 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.35.1/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.35.1/version_history/v1.35/v1.35.1 **Full changelog**: envoyproxy/envoy@v1.35.0...v1.35.1 Signed-off-by: Dario Cillerai <[email protected]>
Commit Message: deps: upgrading GO to v1.24.6 in dependency_imports.bzl Additional Description: Attempt to solve the issue that has been seen today in some PRs: ``` compilepkg: missing strict dependencies: /mnt/engflow/worker/work/3/exec/external/org_golang_google_grpc/internal/status/status.go: import of "google.golang.org/genproto/googleapis/rpc/status" ``` ([example](https://github.com/envoyproxy/envoy/actions/runs/17246350777/job/48936907349#step:17:601)) Signed-off-by: Adi Suissa-Peleg <[email protected]> Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
When using cookie names prefixed with `__Secure-` or `__Host-`, browsers require the `Secure` attribute to be present on the `Set-Cookie` header for any modification, including deletion. The OAuth2 filter did not add this attribute when generating the `Set-Cookie` headers to clear the OAuth cookies. This caused the browser to ignore the deletion request for prefixed cookies, effectively preventing the user from being signed out correctly. This patch fixes the behavior to set the `Secure` attribute when either prefix is found. Signed-off-by: Tony Allen <[email protected]> Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Boteng Yao <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
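The prefix rule described in the commit message above, as an added C++ example that is not Envoy's OAuth2 filter code: it builds the cookie-clearing header with and without the fix and runs both through a small model of the browser-side check. The function names, the `=deleted; path=/; expires=...` header layout, the case-sensitive prefix match and the sample cookie names are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Added illustration; function names are hypothetical, not Envoy's OAuth2 filter code.
static bool startsWith(const std::string& s, const std::string& p) {
  return s.compare(0, p.size(), p) == 0;
}

// Build the Set-Cookie value that clears a cookie (header layout is assumed).
// `fixed` selects the patched behaviour: append Secure when the name carries either prefix.
std::string deletionCookie(const std::string& name, bool fixed) {
  std::string v = name + "=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
  if (fixed && (startsWith(name, "__Secure-") || startsWith(name, "__Host-"))) v += "; Secure";
  return v;
}

// Model of the browser-side prefix rule: a prefixed cookie is stored (or cleared)
// only if Secure is present; __Host- also needs Path=/ and no Domain attribute.
bool browserAccepts(const std::string& setCookie) {
  std::istringstream in(setCookie);
  std::string part, name;
  bool secure = false, rootPath = false, domain = false, first = true;
  while (std::getline(in, part, ';')) {
    part.erase(0, part.find_first_not_of(' '));  // drop the space after ';'
    if (first) { name = part.substr(0, part.find('=')); first = false; continue; }
    std::transform(part.begin(), part.end(), part.begin(),
                   [](unsigned char c) { return std::tolower(c); });  // attributes are case-insensitive
    if (part == "secure") secure = true;
    else if (part == "path=/") rootPath = true;
    else if (startsWith(part, "domain=")) domain = true;
  }
  if (startsWith(name, "__Host-")) return secure && rootPath && !domain;
  if (startsWith(name, "__Secure-")) return secure;
  return true;  // unprefixed names carry no extra requirement
}

int main() {
  // Constructed sample cookie names.
  for (const char* n : {"session_id", "__Secure-session_id", "__Host-session_id"}) {
    std::cout << n << " before=" << browserAccepts(deletionCookie(n, false))
              << " fixed=" << browserAccepts(deletionCookie(n, true)) << "\n";
  }
}
```

A sign-out regression test for a deployment that uses prefixed cookie names can assert on the same condition: every clearing `Set-Cookie` header for a `__Secure-` or `__Host-` name must carry `Secure`.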
Fix for GHSA-g9vw-6pvx-7gmw Signed-off-by: Yan Avlasov <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Yan Avlasov <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…re wrong (#40891) (#40943) Commit Message: stats: fix a bug where the prometheus name of ssl certificate stats are wrong Additional Description: See #40891 Risk Level: low. Testing: unit. Docs Changes: n/a. Release Notes: added. Platform Specific Features: n/a. Signed-off-by: WangBaiping <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
Created by Envoy publish bot for @yanavlasov **Summary of changes**: * Security fixes: - Fix for OAuth cookie issue [CVE-2025-55162](GHSA-95j4-hw7f-v2rh). - Fix UAF in DNS resolution [CVE-2025-54588](GHSA-g9vw-6pvx-7gmw). **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.2 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.35.2/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.35.2/version_history/v1.35/v1.35.2 **Full changelog**: envoyproxy/envoy@v1.35.1...v1.35.2 Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com> Signed-off-by: Dario Cillerai <[email protected]>
Back port #40996 to 1.35 Signed-off-by: Ted Poole <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
…ed properly (#40856) (#40904) Commit Message: router: fix a bug where header mutations may not be processed properly Additional Description: The envoyproxy/envoy#39534 introduced a bug where the `response_headers_to_add` may be processed multiple times for local responses from the router filter. The sendLocalReply method will call the `finalizeResponseHeaders()` and the envoyproxy/envoy#39534 updated the code and make the `finalizeResponseHeaders()` be called in the modify_headers_ callback. This finally resulted in this problem. Risk Level: low. Testing: integration. Docs Changes: n/a. Release Notes: added. Platform Specific Features: n/a. Signed-off-by: WangBaiping <[email protected]> Signed-off-by: code <[email protected]> Signed-off-by: Dario Cillerai <[email protected]>
645a875 to 18bc29d
Signed-off-by: Jonh Wendell <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
Make it use libstdc++ instead of Envoy's default libc++. Signed-off-by: Jonh Wendell <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
/retest
/retest
1ee498c to e56a079
Signed-off-by: Jonh Wendell <[email protected]>
e56a079 to 6bf194c
Signed-off-by: Jonh Wendell <[email protected]>
All OpenSSL-related commits have been merged into upstream Envoy to get envoy-openssl 1.35.
BoringSSL updated to version 0.20250514.0 in the bssl compatibility layer.
Some modifications in the bssl compatibility layer about the order of operations.