update: Fix QUIC-related features & Disable tracing functions for rel…

…ease version - source/: Disable tracing functions for release version - contrib/cryptomb/: Temporarily disable QUIC-related features due to OpenSSL QUIC support limitations - contrib/qat/: Temporarily disable QUIC-related features due to OpenSSL QUIC support limitations
boanlab · Dec 13, 2024 · 8cadb3d · 8cadb3d
1 parent 7fb0c4c
commit 8cadb3d
Show file tree

Hide file tree

Showing 31 changed files with 483 additions and 205 deletions.
diff --git a/bazel/external/quiche.BUILD b/bazel/external/quiche.BUILD
@@ -4178,7 +4178,7 @@ envoy_quic_cc_library(
     ],
 )
 
-envoy_cc_library(
+envoy_quic_cc_library(
     name = "quic_core_types_lib",
     srcs = [
         "quiche/quic/core/quic_connection_id.cc",
@@ -4190,11 +4190,7 @@ envoy_cc_library(
         "quiche/quic/core/quic_packet_number.h",
         "quiche/quic/core/quic_types.h",
     ],
-    copts = quiche_copts,
     external_deps = ["ssl"],
-    repository = "@envoy",
-    tags = ["nofips"],
-    visibility = ["//visibility:public"],
     deps = [
         ":quic_core_crypto_random_lib",
         ":quic_core_error_codes_lib",
@@ -5569,4 +5565,4 @@ envoy_cc_library(
         "@com_google_absl//absl/time",
         "@com_google_absl//absl/types:span",
     ],
-)
+)
diff --git a/source/common/common/random_generator.cc b/source/common/common/random_generator.cc
@@ -31,17 +31,22 @@ uint64_t RandomGeneratorImpl::random() {
   //       2048 |  4,594 |  6% faster
   //       4096 |  4,424 |  4% faster
   //       8192 |  4,386 |  1% faster
-
+  ENVOY_LOG_MISC(info, "[+]{} ", "RandomGeneratorImpl::random-step1");
   const size_t prefetch = 256;
   static thread_local uint64_t buffered[prefetch];
   static thread_local size_t buffered_idx = prefetch;
+   ENVOY_LOG_MISC(info, "[+]{} ", "RandomGeneratorImpl::random-step2");
 
   if (buffered_idx >= prefetch) {
     int rc = RAND_bytes(reinterpret_cast<uint8_t*>(buffered), sizeof(buffered));
+     ENVOY_LOG_MISC(info, "[+]{} ", "RandomGeneratorImpl::random-step3");
+    if(rc != 1)
+      ENVOY_LOG_MISC(info, "[-] Error in {} ", "RandomGeneratorImpl::random-RAND_bytes");
     ASSERT(rc == 1);
     buffered_idx = 0;
   }
 
+   ENVOY_LOG_MISC(info, "[+]{} ", "RandomGeneratorImpl::random-step4");
   // Consume uint64_t from the buffer.
   return buffered[buffered_idx++];
 }

diff --git a/source/common/network/raw_buffer_socket.cc b/source/common/network/raw_buffer_socket.cc
@@ -97,6 +97,7 @@ RawBufferSocketFactory::createTransportSocket(TransportSocketOptionsConstSharedP
 }
 
 TransportSocketPtr RawBufferSocketFactory::createDownstreamTransportSocket() const {
+  ENVOY_LOG_MISC(info, "[+]RawBufferSocketFactory - {}", "createDownstreamTransportSocket");
   return std::make_unique<RawBufferSocket>();
 }
 

diff --git a/source/common/version/BUILD b/source/common/version/BUILD
@@ -58,13 +58,7 @@ envoy_cc_library(
 envoy_cc_library(
     name = "version_lib",
     srcs = ["version.cc"],
-    copts = envoy_select_boringssl(
-        [
-            "-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"",
-            "-DENVOY_SSL_FIPS",
-        ],
-        ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""],
-    ),
+    copts = ["-DENVOY_SSL_VERSION=\\\"OpenSSL\\\""],
     external_deps = ["ssl"],
     tags = ["notidy"],
     deps = [

diff --git a/source/exe/BUILD b/source/exe/BUILD
@@ -30,6 +30,10 @@ envoy_cc_binary(
     }),
     stamped = True,
     deps = [":envoy_main_entry_lib"],
+    linkopts = [
+        "-Wl,--no-as-needed",
+        "-Wl,--allow-shlib-undefined",
+    ],
 )
 
 envoy_cc_library(

diff --git a/source/exe/main.cc b/source/exe/main.cc
@@ -21,5 +21,6 @@ int main(int argc, char** argv) {
   }
   return EXIT_SUCCESS;
 #endif
+  //printf("[+] Envoy main function start!\n");
   return Envoy::MainCommon::main(argc, argv);
 }
diff --git a/source/exe/main_common.cc b/source/exe/main_common.cc
@@ -90,6 +90,7 @@ int MainCommon::main(int argc, char** argv, PostServerHook hook) {
   // handling, such as running in a chroot jail.
   absl::InitializeSymbolizer(argv[0]);
 #endif
+  //printf("[+] MainCommon::main - main function!\n");
   Thread::MainThread main_thread;
   std::unique_ptr<Envoy::MainCommon> main_common;
 
@@ -99,6 +100,7 @@ int MainCommon::main(int argc, char** argv, PostServerHook hook) {
   TRY_ASSERT_MAIN_THREAD {
     main_common = std::make_unique<Envoy::MainCommon>(argc, argv);
     Envoy::Server::Instance* server = main_common->server();
+    //printf("[+] MainCommon::main - Envoy::Server::Instance\n");
     if (server != nullptr && hook != nullptr) {
       hook(*server);
     }

diff --git a/source/extensions/filters/common/lua/BUILD b/source/extensions/filters/common/lua/BUILD
@@ -4,25 +4,40 @@ load(
     "envoy_extension_package",
 )
 
+load("//bazel:envoy_internal.bzl", "envoy_external_dep_path")
+load("@bazel_skylib//rules:common_settings.bzl", "bool_flag")
+
 licenses(["notice"])  # Apache 2
 
 envoy_extension_package()
 
+bool_flag(
+    name = "luajit2",
+    build_setting_default = False,
+)
+
+config_setting(
+    name = "with_luajit2",
+    flag_values = {
+        ":luajit2": "True",
+    },
+)
+
 envoy_cc_library(
     name = "lua_lib",
     srcs = ["lua.cc"],
     hdrs = ["lua.h"],
-    external_deps = [
-        "luajit",
-    ],
     deps = [
         "//envoy/thread_local:thread_local_interface",
         "//source/common/common:assert_lib",
         "//source/common/common:c_smart_ptr_lib",
         "//source/common/common:lock_guard_lib",
         "//source/common/common:thread_lib",
         "//source/common/protobuf",
-    ],
+    ] + select({
+        ":with_luajit2": [envoy_external_dep_path("luajit2")],
+        "//conditions:default": [envoy_external_dep_path("luajit")],
+    }),
 )
 
 envoy_cc_library(

diff --git a/source/extensions/filters/listener/tls_inspector/tls_inspector.cc b/source/extensions/filters/listener/tls_inspector/tls_inspector.cc
@@ -64,6 +64,7 @@ Config::Config(
                                      max_client_hello_size_, size_t(TLS_MAX_CLIENT_HELLO)));
   }
 
+  ENVOY_LOG_MISC(info, "[+]Config::Config - {}", "SSL_CTX_set_min_proto_versio");
   SSL_CTX_set_min_proto_version(ssl_ctx_.get(), TLS_MIN_SUPPORTED_VERSION);
   SSL_CTX_set_max_proto_version(ssl_ctx_.get(), TLS_MAX_SUPPORTED_VERSION);
   SSL_CTX_set_options(ssl_ctx_.get(), SSL_OP_NO_TICKET);
@@ -89,7 +90,7 @@ Config::Config(
 
         // Return an error to stop the handshake; we have what we wanted already.
         *out_alert = SSL_AD_USER_CANCELLED;
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
+        return SSL_TLSEXT_ERR_OK;
       });
 }
 
@@ -98,7 +99,9 @@ bssl::UniquePtr<SSL> Config::newSsl() { return bssl::UniquePtr<SSL>{SSL_new(ssl_
 Filter::Filter(const ConfigSharedPtr& config)
     : config_(config), ssl_(config_->newSsl()),
       requested_read_bytes_(config->initialReadBufferSize()) {
+  ENVOY_LOG_MISC(info, "[+]Filter::Filter- {}", "SSL_set_app_data");
   SSL_set_app_data(ssl_.get(), this);
+  ENVOY_LOG_MISC(info, "[+]Filter::Filter- {}", "SSL_set_accept_state");
   SSL_set_accept_state(ssl_.get());
 }
 
@@ -172,15 +175,18 @@ Network::FilterStatus Filter::onData(Network::ListenerFilterBuffer& buffer) {
 ParseState Filter::parseClientHello(const void* data, size_t len,
                                     uint64_t bytes_already_processed) {
   // Ownership remains here though we pass a reference to it in `SSL_set0_rbio()`.
+  ENVOY_LOG_MISC(info, "[+]Filter::parseClientHello- {}", "IO_new_mem_buf");
   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(data, len));
 
   // Make the mem-BIO return that there is more data
   // available beyond it's end.
   BIO_set_mem_eof_return(bio.get(), -1);
 
   // We only do reading as we abort the handshake early.
+  ENVOY_LOG_MISC(info, "[+]Filter::parseClientHello- {}", "SSL_set0_rbio");
   SSL_set0_rbio(ssl_.get(), bssl::UpRef(bio).release());
 
+  ENVOY_LOG_MISC(info, "[+]Filter::parseClientHello- {}", "SSL_do_handshake");
   int ret = SSL_do_handshake(ssl_.get());
 
   // This should never succeed because an error is always returned from the SNI callback.

diff --git a/source/extensions/tracers/datadog/.gitignore b/source/extensions/tracers/datadog/.gitignore
@@ -0,0 +1,2 @@
+# Prevent the exclusion of the diagram used in the readme.
+!diagram.svg
diff --git a/source/extensions/transport_sockets/starttls/starttls_socket.cc b/source/extensions/transport_sockets/starttls/starttls_socket.cc
@@ -34,6 +34,7 @@ Network::TransportSocketPtr StartTlsSocketFactory::createTransportSocket(
 
 Network::TransportSocketPtr
 StartTlsDownstreamSocketFactory::createDownstreamTransportSocket() const {
+  ENVOY_LOG_MISC(info, "[+]StartTlsDownstreamSocketFactory - {}", "createDownstreamTransportSocket");
   return std::make_unique<StartTlsSocket>(raw_socket_factory_->createDownstreamTransportSocket(),
                                           tls_socket_factory_->createDownstreamTransportSocket(),
                                           nullptr);

diff --git a/source/extensions/transport_sockets/tcp_stats/config.cc b/source/extensions/transport_sockets/tcp_stats/config.cc
@@ -55,6 +55,7 @@ DownstreamTcpStatsSocketFactory::DownstreamTcpStatsSocketFactory(
 
 Network::TransportSocketPtr
 DownstreamTcpStatsSocketFactory::createDownstreamTransportSocket() const {
+ENVOY_LOG_MISC(info, "[+]DownstreamTcpStatsSocketFactory - {}", "createDownstreamTransportSocket");
 #if defined(__linux__)
   auto inner_socket = transport_socket_factory_->createDownstreamTransportSocket();
   if (inner_socket == nullptr) {

diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc
@@ -58,6 +58,7 @@ int DefaultCertValidator::initializeSslContexts(std::vector<SSL_CTX*> contexts,
   int verify_mode_validation_context = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 
   if (config_ != nullptr) {
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "trustChainVerification()");
     envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext::
         TrustChainVerification verification = config_->trustChainVerification();
     if (verification == envoy::extensions::transport_sockets::tls::v3::
@@ -69,79 +70,104 @@ int DefaultCertValidator::initializeSslContexts(std::vector<SSL_CTX*> contexts,
   }
 
   if (config_ != nullptr && !config_->caCert().empty() && !provides_certificates) {
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "caCertPath()");
     ca_file_path_ = config_->caCertPath();
-    bssl::UniquePtr<BIO> bio(
-        BIO_new_mem_buf(const_cast<char*>(config_->caCert().data()), config_->caCert().size()));
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "BIO_new_mem_buf()");
+    bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(const_cast<char*>(config_->caCert().data()), config_->caCert().size()));
     RELEASE_ASSERT(bio != nullptr, "");
+
     // Based on BoringSSL's X509_load_cert_crl_file().
-    bssl::UniquePtr<STACK_OF(X509_INFO)> list(
-        PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "PEM_X509_INFO_read_bio()");
+    bssl::UniquePtr<STACK_OF(X509_INFO)> list(PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));
     if (list == nullptr) {
+      printf("[-]DefaultCertValidator::initializeSslContexts - %s\n", "failed PEM_X509_INFO_read_bio()!");
       throw EnvoyException(
           absl::StrCat("Failed to load trusted CA certificates from ", config_->caCertPath()));
     }
+    //printf("[+]DefaultCertValidator::initializeSslContexts - certPath: %s\n", config_->caCertPath().c_str());
 
+    //printf("[+]DefaultCertValidator::initializeSslContexts - Number of contexts: %zu\n", contexts.size());
     for (auto& ctx : contexts) {
+      //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "SSL_CTX_get_cert_store()");
       X509_STORE* store = SSL_CTX_get_cert_store(ctx);
+
       if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_intermediate_ca")) {
+        //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "X509_STORE_set_flags()");
         X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
       }
+
       bool has_crl = false;
       for (const X509_INFO* item : list.get()) {
         if (item->x509) {
-          X509_STORE_add_cert(store, item->x509);
+          //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "X509_STORE_add_cert()");
+          int aa = X509_STORE_add_cert(store, item->x509);
+          //printf("[+]DefaultCertValidator::initializeSslContexts - X509_STORE_add_cert() result: %d\n", aa);
           if (ca_cert_ == nullptr) {
+            //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "X509_up_ref()");
             X509_up_ref(item->x509);
+            //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "ca_cert_.reset()");
             ca_cert_.reset(item->x509);
           }
         }
         if (item->crl) {
+          //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "X509_STORE_add_crl()");
           X509_STORE_add_crl(store, item->crl);
           has_crl = true;
         }
       }
+
       if (ca_cert_ == nullptr) {
+        printf("[-]DefaultCertValidator::initializeSslContexts - %s\n", "ca_cert_ == nullptr");
         throw EnvoyException(
             absl::StrCat("Failed to load trusted CA certificates from ", config_->caCertPath()));
       }
+
       if (has_crl) {
+        printf("[-]DefaultCertValidator::initializeSslContexts - %s\n", "X509_STORE_set_flags()-2");
         X509_STORE_set_flags(store, config_->onlyVerifyLeafCertificateCrl()
                                         ? X509_V_FLAG_CRL_CHECK
                                         : X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
       }
       verify_mode = SSL_VERIFY_PEER;
       verify_trusted_ca_ = true;
 
+      //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "config_->allowExpiredCertificate()");
       if (config_->allowExpiredCertificate()) {
+        printf("[-]DefaultCertValidator::initializeSslContexts - %s\n", "CertValidatorUtil::setIgnoreCertificateExpiration()");
         CertValidatorUtil::setIgnoreCertificateExpiration(store);
+      } else {
+        //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "config_->allowExpiredCertificate() - nextstep");
       }
     }
   }
 
+  //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "certificateRevocationList().empty()");
   if (config_ != nullptr && !config_->certificateRevocationList().empty()) {
-    bssl::UniquePtr<BIO> bio(
-        BIO_new_mem_buf(const_cast<char*>(config_->certificateRevocationList().data()),
-                        config_->certificateRevocationList().size()));
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "BIO_new_mem_buf()-2");
+    bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(const_cast<char*>(config_->certificateRevocationList().data()), config_->certificateRevocationList().size()));
     RELEASE_ASSERT(bio != nullptr, "");
 
     // Based on BoringSSL's X509_load_cert_crl_file().
-    bssl::UniquePtr<STACK_OF(X509_INFO)> list(
-        PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "PEM_X509_INFO_read_bio()-2");
+    bssl::UniquePtr<STACK_OF(X509_INFO)> list(PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));
     if (list == nullptr) {
       throw EnvoyException(
           absl::StrCat("Failed to load CRL from ", config_->certificateRevocationListPath()));
     }
 
     for (auto& ctx : contexts) {
+      //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "SSL_CTX_get_cert_store()-2");
       X509_STORE* store = SSL_CTX_get_cert_store(ctx);
       if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_intermediate_ca")) {
+        //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "X509_STORE_set_flags()-2");
         X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
       }
       for (const X509_INFO* item : list.get()) {
         if (item->crl) {
           X509_STORE_add_crl(store, item->crl);
         }
       }
+      //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "X509_STORE_set_flags()-2");
       X509_STORE_set_flags(store, config_->onlyVerifyLeafCertificateCrl()
                                       ? X509_V_FLAG_CRL_CHECK
                                       : X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
@@ -150,9 +176,10 @@ int DefaultCertValidator::initializeSslContexts(std::vector<SSL_CTX*> contexts,
 
   const Envoy::Ssl::CertificateValidationContextConfig* cert_validation_config = config_;
   if (cert_validation_config != nullptr) {
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "subjectAltNameMatchers().empty()");
     if (!cert_validation_config->subjectAltNameMatchers().empty()) {
-      for (const envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher& matcher :
-           cert_validation_config->subjectAltNameMatchers()) {
+      //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "cert_validation_config->subjectAltNameMatchers()");
+      for (const envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher& matcher : cert_validation_config->subjectAltNameMatchers()) {
         auto san_matcher = createStringSanMatcher(matcher);
         if (san_matcher == nullptr) {
           throw EnvoyException(
@@ -163,11 +190,14 @@ int DefaultCertValidator::initializeSslContexts(std::vector<SSL_CTX*> contexts,
       verify_mode = verify_mode_validation_context;
     }
 
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "verifyCertificateHashList().empty()");
     if (!cert_validation_config->verifyCertificateHashList().empty()) {
+      //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "cert_validation_config->verifyCertificateHashList()");
       for (auto hash : cert_validation_config->verifyCertificateHashList()) {
         // Remove colons from the 95 chars long colon-separated "fingerprint"
         // in order to get the hex-encoded string.
         if (hash.size() == 95) {
+          //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "hash.erase()");
           hash.erase(std::remove(hash.begin(), hash.end(), ':'), hash.end());
         }
         const auto& decoded = Hex::decode(hash);
@@ -179,6 +209,7 @@ int DefaultCertValidator::initializeSslContexts(std::vector<SSL_CTX*> contexts,
       verify_mode = verify_mode_validation_context;
     }
 
+    //printf("[+]DefaultCertValidator::initializeSslContexts - %s\n", "verifyCertificateSpkiList().empty()");
     if (!cert_validation_config->verifyCertificateSpkiList().empty()) {
       for (const auto& hash : cert_validation_config->verifyCertificateSpkiList()) {
         const auto decoded = Base64::decode(hash);
-Original file line number
+Diff line change
@@ Expand Up @@
     }
     TransportSocketPtr RawBufferSocketFactory::createDownstreamTransportSocket() const {
+      ENVOY_LOG_MISC(info, "[+]RawBufferSocketFactory - {}", "createDownstreamTransportSocket");
       return std::make_unique<RawBufferSocket>();
     }
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Prevent the exclusion of the diagram used in the readme.
		!diagram.svg