From ed262173d9fec1dee77beb3cccd13a0b5166c10e Mon Sep 17 00:00:00 2001 From: He Jie Xu Date: Wed, 24 Apr 2024 02:31:28 +0000 Subject: [PATCH 1/4] cryptomb: fix the fips build Signed-off-by: He Jie Xu --- bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch | 19 +++++++++++++++++++ bazel/repositories.bzl | 14 ++++++++++++++ .../private_key_providers/source/BUILD | 5 ++++- 3 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch diff --git a/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch b/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch new file mode 100644 index 000000000000..f6c542d35640 --- /dev/null +++ b/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch @@ -0,0 +1,19 @@ +diff --git a/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c b/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c +index e6db178c..0a1ecc49 100644 +--- a/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c ++++ b/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c +@@ -16,9 +16,14 @@ + + #include + #include ++#include + + #include + ++static int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) { ++ return BN_bn2le_padded(to, tolen, a); ++} ++ + #if defined(_MSC_VER) && (_MSC_VER < 1920) + // Disable optimization for VS2017 due to AVX512 masking bug + #define DISABLE_OPTIMIZATION __pragma(optimize( "", off )) \ No newline at end of file diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 97197780819e..f6612348b235 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -310,6 +310,7 @@ def envoy_dependencies(skip_targets = []): _com_github_rules_proto_grpc() _com_github_unicode_org_icu() _com_github_intel_ipp_crypto_crypto_mb() + _com_github_intel_ipp_crypto_crypto_mb_fips() _com_github_intel_qatlib() _com_github_intel_qatzip() _com_github_qat_zstd() 
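Review bot: The `BN_bn2lebinpad` shim added to `ifma_cvt52.c` returns BoringSSL's `BN_bn2le_padded` result unchanged, but the two functions report status differently: OpenSSL's `BN_bn2lebinpad` returns the number of bytes written or -1, while `BN_bn2le_padded` returns 1 on success and 0 on failure. Any crypto_mb caller that tests the result for `< 0` (the callers are outside this hunk) would treat a too-small buffer as success and carry on with an unfilled output buffer. `tolen` is also converted implicitly from `int` to `size_t`, so a negative length becomes a very large one. Matching the OpenSSL contract in the shim closes both gaps: `if (tolen < 0 || !BN_bn2le_padded(to, (size_t)tolen, a)) return -1;` followed by `return tolen;`.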
@@ -549,6 +550,19 @@ def _com_github_intel_ipp_crypto_crypto_mb(): build_file_content = BUILD_ALL_CONTENT, ) +def _com_github_intel_ipp_crypto_crypto_mb_fips(): + # Temporary fix for building ipp-crypto when boringssl-fips is used. + # Build will fail if bn2lebinpad patch is applied. Remove this archive + # when upstream dependency fixes this issue. + external_http_archive( + name = "com_github_intel_ipp_crypto_crypto_mb_fips", + patches = ["@envoy//bazel/foreign_cc:ipp-crypto-bn2lebinpad.patch"], + patch_args = ["-p1"], + build_file_content = BUILD_ALL_CONTENT, + # Use existing ipp-crypto repository location name to avoid redefinition. + location_name = "com_github_intel_ipp_crypto_crypto_mb", + ) + def _com_github_intel_qatlib(): external_http_archive( name = "com_github_intel_qatlib", diff --git a/contrib/cryptomb/private_key_providers/source/BUILD b/contrib/cryptomb/private_key_providers/source/BUILD index 55381c6b5f80..2daacaa61e9c 100644 --- a/contrib/cryptomb/private_key_providers/source/BUILD +++ b/contrib/cryptomb/private_key_providers/source/BUILD @@ -24,7 +24,10 @@ envoy_cmake( defines = [ "OPENSSL_USE_STATIC_LIBS=TRUE", ], - lib_source = "@com_github_intel_ipp_crypto_crypto_mb//:all", + lib_source = select({ + "//bazel:boringssl_fips": "@com_github_intel_ipp_crypto_crypto_mb_fips//:all", + "//conditions:default": "@com_github_intel_ipp_crypto_crypto_mb//:all", + }), out_lib_dir = "lib/intel64", out_static_libs = ["libcrypto_mb.a"], tags = ["skip_on_windows"], From 5c67feae1fadcec55d7e37a729d23aa3b1babdb4 Mon Sep 17 00:00:00 2001 From: He Jie Xu Date: Wed, 24 Apr 2024 05:10:46 +0000 Subject: [PATCH 2/4] force the ci compile_time_options job build with contrib extension Signed-off-by: He Jie Xu --- ci/do_ci.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/do_ci.sh b/ci/do_ci.sh index f712098006d2..1e2a35886948 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh 
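Review bot: The comment in `_com_github_intel_ipp_crypto_crypto_mb_fips` reads as if the patch itself breaks the build ("Build will fail if bn2lebinpad patch is applied"), directly after calling it a fix. Presumably it means the patch cannot be applied to the default archive because the non-FIPS BoringSSL already provides `BN_bn2lebinpad`; if so, say that, e.g. `# The patch defines BN_bn2lebinpad, which only boringssl-fips lacks; applying it to the default archive breaks that build.` Since `location_name` reuses the `com_github_intel_ipp_crypto_crypto_mb` entry, both archives presumably stay pinned to the same version and checksum, which is worth stating so a later bump is known to affect the patched copy too. A link to the upstream report (`<upstream-issue-url>`) would make the "remove this archive" condition checkable.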
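Review bot: The `//bazel:boringssl_fips` branch of the new `select` in `lib_source` does not appear to be built by CI in this series: PATCH 2/4 points the compile_time_options job at `@envoy//contrib/exe:envoy-static` and PATCH 3/4 reverts that. Without a job that builds the contrib cryptomb provider against boringssl-fips, a break in the patched archive would show up only in downstream FIPS builds. If no such job exists elsewhere, a comment above the `select` would at least record the coupling, e.g. `# FIPS builds need the archive patched with bazel/foreign_cc:ipp-crypto-bn2lebinpad.patch.` The `envoy_cmake(` call starts before this hunk.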
@@ -467,7 +467,7 @@ case $CI_TARGET in --define wasm=wasmtime \ --define enable_logging=disabled \ -c fastbuild \ - @envoy//source/exe:envoy-static \ + @envoy//contrib/exe:envoy-static \ --build_tag_filters=-nofips collect_build_profile build ;; From 6b7389517309c621d2712ea4282517e2a2e3c99f Mon Sep 17 00:00:00 2001 From: He Jie Xu Date: Wed, 24 Apr 2024 11:50:55 +0000 Subject: [PATCH 3/4] Revert "force the ci compile_time_options job build with contrib extension" This reverts commit 5c67feae1fadcec55d7e37a729d23aa3b1babdb4. Signed-off-by: He Jie Xu --- ci/do_ci.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/do_ci.sh b/ci/do_ci.sh index 1e2a35886948..f712098006d2 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -467,7 +467,7 @@ case $CI_TARGET in --define wasm=wasmtime \ --define enable_logging=disabled \ -c fastbuild \ - @envoy//contrib/exe:envoy-static \ + @envoy//source/exe:envoy-static \ --build_tag_filters=-nofips collect_build_profile build ;; From 63fb743fa3163296f329acc504911864f354d63e Mon Sep 17 00:00:00 2001 From: He Jie Xu Date: Wed, 24 Apr 2024 11:58:17 +0000 Subject: [PATCH 4/4] fix format Signed-off-by: He Jie Xu --- bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch b/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch index f6c542d35640..22d003fcec7c 100644 --- a/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch +++ b/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch @@ -16,4 +16,4 @@ index e6db178c..0a1ecc49 100644 + #if defined(_MSC_VER) && (_MSC_VER < 1920) // Disable optimization for VS2017 due to AVX512 masking bug - #define DISABLE_OPTIMIZATION __pragma(optimize( "", off )) \ No newline at end of file + #define DISABLE_OPTIMIZATION __pragma(optimize( "", off ))