From ad9176f245c4616c9101172365427b1478ced1fb Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Fri, 23 Apr 2021 12:49:47 +0530 Subject: [PATCH 01/16] fix fips_mode stat Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 9 +++++---- source/common/version/version.h | 2 +- source/server/server.cc | 2 +- test/common/common/version_test.cc | 3 +++ test/server/server_test.cc | 2 +- 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index 8b013dde01cbe..2be8fb3dfe7b2 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -36,12 +36,13 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { return *result; } -bool VersionInfo::sslFipsCompliant() { - bool fipsCompliant = false; +const std::string& VersionInfo::fipsMode() { #ifdef BORINGSSL_FIPS - fipsCompliant = true; + static const std::string fips_mode = "1"; +#else + static const std::string fips_mode = "0"; #endif - return fipsCompliant; + return fips_mode; } const std::string& VersionInfo::buildType() { diff --git a/source/common/version/version.h b/source/common/version/version.h index 345ef2714c066..1b532571dd99b 100644 --- a/source/common/version/version.h +++ b/source/common/version/version.h @@ -23,7 +23,7 @@ class VersionInfo { // Repository information and build type. static const std::string& version(); // FIPS Compliance of envoy build - static bool sslFipsCompliant(); + static const std::string& fipsMode(); static const envoy::config::core::v3::BuildVersion& buildVersion(); diff --git a/source/server/server.cc b/source/server/server.cc index 666da1c2ed8b1..d8abf4be6f8aa 100644 --- a/source/server/server.cc +++ b/source/server/server.cc 
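Review bot: `fipsMode()` in version.cc keys off `BORINGSSL_FIPS`, but nothing in this hunk shows that macro being defined for this translation unit. If it is only set while BoringSSL itself is compiled, the `#else` branch is always taken and the stat reports non-FIPS on every build. Because operators read `fips_mode` as a compliance signal, the origin of the define should be stated next to the check, e.g. `// BORINGSSL_FIPS must be passed to this target by the build; without it this always reports "0".` Returning `"1"`/`"0"` as a `std::string` also makes every caller compare against a literal; a `bool` return would be the simpler contract.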
@@ -399,7 +399,7 @@ void InstanceImpl::initialize(const Options& options, } } server_stats_->version_.set(version_int); - if (VersionInfo::sslFipsCompliant()) { + if (!VersionInfo::fipsMode().empty() && VersionInfo::fipsMode() == "1") { server_compilation_settings_stats_->fips_mode_.set(1); } diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index 5177f5ac1661f..dbd0148e11325 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -11,6 +11,7 @@ class VersionInfoTestPeer { public: static const std::string& buildType() { return VersionInfo::buildType(); } static const std::string& sslVersion() { return VersionInfo::sslVersion(); } + static const std::string& fipsMode() { return VersionInfo::fipsMode(); } static envoy::config::core::v3::BuildVersion makeBuildVersion(const char* version) { return VersionInfo::makeBuildVersion(version); } @@ -34,6 +35,7 @@ TEST(VersionTest, BuildVersion) { fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value()); EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); + EXPECT_EQ(VersionInfoTestPeer::fipsMode(), "0"); EXPECT_EQ(VersionInfoTestPeer::sslVersion(), fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value()); } @@ -45,6 +47,7 @@ TEST(VersionTest, MakeBuildVersionWithLabel) { EXPECT_EQ(3, build_version.version().patch()); const auto& fields = build_version.metadata().fields(); EXPECT_GE(fields.size(), 1); + EXPECT_EQ(VersionInfoTestPeer::fipsMode(), "0"); EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value()); } diff --git a/test/server/server_test.cc b/test/server/server_test.cc index b885422ebad90..15c9ae2b53c7d 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc 
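Review bot: In `InstanceImpl::initialize` the `!VersionInfo::fipsMode().empty()` test is redundant, because an empty string already fails `== "1"`, and the accessor is called twice for one decision. `if (VersionInfo::fipsMode() == "1") {` is equivalent. The gauge is also written only on the true branch, so a non-FIPS build relies on whatever initial value `fips_mode_` has, which is not visible here. The function body starts and ends outside the hunk.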
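Review bot: `EXPECT_EQ(VersionInfoTestPeer::fipsMode(), "0");` in `BuildVersion` asserts the non-FIPS value unconditionally, so the test fails on any build where the FIPS define is active. The same line is added to `MakeBuildVersionWithLabel` in the next hunk. The expectation should follow the build configuration, for example `EXPECT_EQ(VersionInfoTestPeer::fipsMode(), "1");` under `#ifdef BORINGSSL_FIPS` and the existing line under `#else`. Both test bodies start outside their hunks.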
@@ -367,7 +367,7 @@ TEST_P(ServerInstanceImplTest, ValidateFIPSModeStat) { auto server_thread = startTestServer("test/server/test_data/server/proxy_version_bootstrap.yaml", true); - if (VersionInfo::sslFipsCompliant()) { + if (VersionInfo::fipsMode() == "1") { EXPECT_EQ( 1L, TestUtility::findGauge(stats_store_, "server.compilation_settings.fips_mode")->value()); } else { From 84062458d3ed2f48b9363b18e5213d8e87ed6e4a Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Fri, 23 Apr 2021 15:11:15 +0530 Subject: [PATCH 02/16] change to bool Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 7 +++---- source/common/version/version.h | 2 +- source/server/server.cc | 2 +- test/common/common/version_test.cc | 6 +++--- test/server/server_test.cc | 2 +- 5 files changed, 9 insertions(+), 10 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index 2be8fb3dfe7b2..65bf4ae3cc4b9 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -36,11 +36,10 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { return *result; } -const std::string& VersionInfo::fipsMode() { +bool VersionInfo::fipsMode() { + static bool fips_mode = false; #ifdef BORINGSSL_FIPS - static const std::string fips_mode = "1"; -#else - static const std::string fips_mode = "0"; + fips_mode = true; #endif return fips_mode; } diff --git a/source/common/version/version.h b/source/common/version/version.h index 1b532571dd99b..7d50f22ab8788 100644 --- a/source/common/version/version.h +++ b/source/common/version/version.h @@ -23,7 +23,7 @@ class VersionInfo { // Repository information and build type. static const std::string& version(); // FIPS Compliance of envoy build - static const std::string& fipsMode(); + static bool fipsMode(); static const envoy::config::core::v3::BuildVersion& buildVersion(); diff --git a/source/server/server.cc b/source/server/server.cc index d8abf4be6f8aa..8b9290cb17705 100644 
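Review bot: `ValidateFIPSModeStat` chooses its expected gauge value by calling `VersionInfo::fipsMode()`, the same function the server uses to set the gauge, so the test passes whatever that function returns. It cannot catch a build in which FIPS detection is wrong. An expectation taken from the build configuration rather than from the code under test would make the check meaningful. At minimum a comment should say so: `// Only checks that the gauge mirrors VersionInfo; does not validate FIPS detection itself.` The `else` branch and the end of the test lie outside the hunk.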
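Review bot: In the "change to bool" version of `VersionInfo::fipsMode()`, `static bool fips_mode = false;` followed by `fips_mode = true;` under `BORINGSSL_FIPS` writes a function-local static on every call. That is an unsynchronized write to shared state if the function is ever reached from more than one thread, which the hunk does not rule out. Nothing here needs static storage. A plain local, `bool fips_mode = false;`, or returning the constant directly from each preprocessor branch avoids the problem.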
--- a/source/server/server.cc +++ b/source/server/server.cc @@ -399,7 +399,7 @@ void InstanceImpl::initialize(const Options& options, } } server_stats_->version_.set(version_int); - if (!VersionInfo::fipsMode().empty() && VersionInfo::fipsMode() == "1") { + if (VersionInfo::fipsMode()) { server_compilation_settings_stats_->fips_mode_.set(1); } diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index dbd0148e11325..91ca2e41e3ffe 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -11,7 +11,7 @@ class VersionInfoTestPeer { public: static const std::string& buildType() { return VersionInfo::buildType(); } static const std::string& sslVersion() { return VersionInfo::sslVersion(); } - static const std::string& fipsMode() { return VersionInfo::fipsMode(); } + static bool fipsMode() { return VersionInfo::fipsMode(); } static envoy::config::core::v3::BuildVersion makeBuildVersion(const char* version) { return VersionInfo::makeBuildVersion(version); } @@ -35,7 +35,7 @@ TEST(VersionTest, BuildVersion) { fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value()); EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); - EXPECT_EQ(VersionInfoTestPeer::fipsMode(), "0"); + EXPECT_FALSE(VersionInfoTestPeer::fipsMode()); EXPECT_EQ(VersionInfoTestPeer::sslVersion(), fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value()); } @@ -47,7 +47,7 @@ TEST(VersionTest, MakeBuildVersionWithLabel) { EXPECT_EQ(3, build_version.version().patch()); const auto& fields = build_version.metadata().fields(); EXPECT_GE(fields.size(), 1); - EXPECT_EQ(VersionInfoTestPeer::fipsMode(), "0"); + EXPECT_FALSE(VersionInfoTestPeer::fipsMode()); EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value()); } diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 15c9ae2b53c7d..1e6897083b049 100644 
--- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -367,7 +367,7 @@ TEST_P(ServerInstanceImplTest, ValidateFIPSModeStat) { auto server_thread = startTestServer("test/server/test_data/server/proxy_version_bootstrap.yaml", true); - if (VersionInfo::fipsMode() == "1") { + if (VersionInfo::fipsMode()) { EXPECT_EQ( 1L, TestUtility::findGauge(stats_store_, "server.compilation_settings.fips_mode")->value()); } else { From bd10cca8af01913eef173bcda1702e198c2a1536 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Fri, 23 Apr 2021 15:34:17 +0530 Subject: [PATCH 03/16] change method name Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 8 ++++---- source/common/version/version.h | 2 +- source/server/server.cc | 2 +- test/common/common/version_test.cc | 6 +++--- test/server/server_test.cc | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index 65bf4ae3cc4b9..f7a74ed5b57a4 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -36,12 +36,12 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { return *result; } -bool VersionInfo::fipsMode() { - static bool fips_mode = false; +bool VersionInfo::sslFipsCompliant() { + static bool fipsCompliant = false; #ifdef BORINGSSL_FIPS - fips_mode = true; + fipsCompliant = true; #endif - return fips_mode; + return fipsCompliant; } const std::string& VersionInfo::buildType() { diff --git a/source/common/version/version.h b/source/common/version/version.h index 7d50f22ab8788..345ef2714c066 100644 --- a/source/common/version/version.h +++ b/source/common/version/version.h @@ -23,7 +23,7 @@ class VersionInfo { // Repository information and build type. static const std::string& version(); // FIPS Compliance of envoy build - static bool fipsMode(); + static bool sslFipsCompliant(); static const envoy::config::core::v3::BuildVersion& buildVersion(); 
diff --git a/source/server/server.cc b/source/server/server.cc index 8b9290cb17705..666da1c2ed8b1 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -399,7 +399,7 @@ void InstanceImpl::initialize(const Options& options, } } server_stats_->version_.set(version_int); - if (VersionInfo::fipsMode()) { + if (VersionInfo::sslFipsCompliant()) { server_compilation_settings_stats_->fips_mode_.set(1); } diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index 91ca2e41e3ffe..235a1f8115d8a 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -11,7 +11,7 @@ class VersionInfoTestPeer { public: static const std::string& buildType() { return VersionInfo::buildType(); } static const std::string& sslVersion() { return VersionInfo::sslVersion(); } - static bool fipsMode() { return VersionInfo::fipsMode(); } + static bool sslFipsCompliant() { return VersionInfo::sslFipsCompliant(); } static envoy::config::core::v3::BuildVersion makeBuildVersion(const char* version) { return VersionInfo::makeBuildVersion(version); } @@ -35,7 +35,7 @@ TEST(VersionTest, BuildVersion) { fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value()); EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); - EXPECT_FALSE(VersionInfoTestPeer::fipsMode()); + EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); EXPECT_EQ(VersionInfoTestPeer::sslVersion(), fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value()); } @@ -47,7 +47,7 @@ TEST(VersionTest, MakeBuildVersionWithLabel) { EXPECT_EQ(3, build_version.version().patch()); const auto& fields = build_version.metadata().fields(); EXPECT_GE(fields.size(), 1); - EXPECT_FALSE(VersionInfoTestPeer::fipsMode()); + EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value()); } 
diff --git a/test/server/server_test.cc b/test/server/server_test.cc index 1e6897083b049..b885422ebad90 100644 --- a/test/server/server_test.cc +++ b/test/server/server_test.cc @@ -367,7 +367,7 @@ TEST_P(ServerInstanceImplTest, ValidateFIPSModeStat) { auto server_thread = startTestServer("test/server/test_data/server/proxy_version_bootstrap.yaml", true); - if (VersionInfo::fipsMode()) { + if (VersionInfo::sslFipsCompliant()) { EXPECT_EQ( 1L, TestUtility::findGauge(stats_store_, "server.compilation_settings.fips_mode")->value()); } else { From 8ea6d96a816e36dbf17fadb43eb6a1ace8af81f4 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Fri, 23 Apr 2021 16:00:44 +0530 Subject: [PATCH 04/16] fix condition Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index f7a74ed5b57a4..ba6ca74f76d84 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -37,9 +37,10 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { } bool VersionInfo::sslFipsCompliant() { - static bool fipsCompliant = false; #ifdef BORINGSSL_FIPS - fipsCompliant = true; + static bool fipsCompliant = true; +#else + static bool fipsCompliant = false; #endif return fipsCompliant; } From 839463ce987f6cf72ad504efdfbd68e4b5f46575 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Mon, 26 Apr 2021 13:33:17 +0530 Subject: [PATCH 05/16] debug fips build in CI Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index ba6ca74f76d84..ba5801c17a43c 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc 
@@ -37,11 +37,25 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { } bool VersionInfo::sslFipsCompliant() { -#ifdef BORINGSSL_FIPS - static bool fipsCompliant = true; -#else - static bool fipsCompliant = false; -#endif + const std::string fips_ssl_version = "BoringSSL-FIPS"; + bool fipsCompliant = false; + if (VersionInfo::sslVersion() == fips_ssl_version) { + fipsCompliant = true; + std::cout << "In BORINGSSL_FIPS\n"; + std::cout << "SSL Version:" << VersionInfo::sslVersion(); + } else { + std::cout << "In non-fips\n"; + std::cout << "SSL Version:" << VersionInfo::sslVersion(); + } + //#ifdef BORINGSSL_FIPS + // static bool fipsCompliant = true; + // std::cout << "In BORINGSSL_FIPS\n"; + // std::cout << "SSL Version:" << VersionInfo::sslVersion(); + //#else + // static bool fipsCompliant = false; + // std::cout << "In non-fips\n"; + // std::cout << "SSL Version:" << VersionInfo::sslVersion(); + //#endif return fipsCompliant; } From bc0247f2b560e40d25f6bc0d6bfc622cc9cbe411 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Mon, 26 Apr 2021 15:55:35 +0530 Subject: [PATCH 06/16] debug fips stat in ci Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index ba5801c17a43c..59d62c53805e2 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc 
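Review bot: `sslFipsCompliant()` now writes to `std::cout` on every call and keeps a commented-out copy of the previous implementation. The following "debug fips stat in ci" patches add more of the same to version.cc and version_test.cc. Unconditional stdout writes from a library function end up in the output of every binary that links it, and no `<iostream>` include is visible in the hunk. If the diagnostics are needed for CI they are better confined to the test, and the commented block should be deleted rather than carried along.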
@@ -47,15 +47,11 @@ bool VersionInfo::sslFipsCompliant() { std::cout << "In non-fips\n"; std::cout << "SSL Version:" << VersionInfo::sslVersion(); } - //#ifdef BORINGSSL_FIPS - // static bool fipsCompliant = true; - // std::cout << "In BORINGSSL_FIPS\n"; - // std::cout << "SSL Version:" << VersionInfo::sslVersion(); - //#else - // static bool fipsCompliant = false; - // std::cout << "In non-fips\n"; - // std::cout << "SSL Version:" << VersionInfo::sslVersion(); - //#endif +#ifdef BORINGSSL_FIPS + std::cout << "In ifdef block BORINGSSL_FIPS\n"; +#else + std::cout << "In non-fips\n"; +#endif return fipsCompliant; } From 3c9ad43bbd9996e7923ee2420031dd07c3532b54 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Mon, 26 Apr 2021 16:09:17 +0530 Subject: [PATCH 07/16] debug fips stat in ci Signed-off-by: Ravindra Akella --- test/common/common/version_test.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index 235a1f8115d8a..1ad45aafb455a 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -35,6 +35,11 @@ TEST(VersionTest, BuildVersion) { fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value()); EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); +#ifdef BORINGSSL_FIPS + std::cout << "In ifdef block BORINGSSL_FIPS\n"; +#else + std::cout << "In non-fips\n"; +#endif EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); EXPECT_EQ(VersionInfoTestPeer::sslVersion(), fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value()); 
@@ -47,6 +52,11 @@ TEST(VersionTest, MakeBuildVersionWithLabel) { EXPECT_EQ(3, build_version.version().patch()); const auto& fields = build_version.metadata().fields(); EXPECT_GE(fields.size(), 1); +#ifdef BORINGSSL_FIPS + std::cout << "From Test --> In ifdef block BORINGSSL_FIPS\n"; +#else + std::cout << "From Test --> In non-fips\n"; +#endif EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value()); } From ff44858869d2dc02e00388e559941d6392f3931e Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Mon, 26 Apr 2021 20:04:04 +0530 Subject: [PATCH 08/16] debug fips stat in ci- change debug msg Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 12 ++++++------ test/common/common/version_test.cc | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index 59d62c53805e2..8b00d31637b01 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -41,16 +41,16 @@ bool VersionInfo::sslFipsCompliant() { bool fipsCompliant = false; if (VersionInfo::sslVersion() == fips_ssl_version) { fipsCompliant = true; - std::cout << "In BORINGSSL_FIPS\n"; - std::cout << "SSL Version:" << VersionInfo::sslVersion(); + std::cout << "From Code --> In BORINGSSL_FIPS\n"; + std::cout << "From Code --> SSL Version:" << VersionInfo::sslVersion(); } else { - std::cout << "In non-fips\n"; - std::cout << "SSL Version:" << VersionInfo::sslVersion(); + std::cout << "From Code --> In non-fips\n"; + std::cout << "From Code --> SSL Version:" << VersionInfo::sslVersion(); } #ifdef BORINGSSL_FIPS - std::cout << "In ifdef block BORINGSSL_FIPS\n"; + std::cout << "\n From Code --> In ifdef block BORINGSSL_FIPS\n"; #else - std::cout << "In non-fips\n"; + std::cout << "\n From Code --> In non-fips\n"; #endif return fipsCompliant; } 
diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index 1ad45aafb455a..da5c8ffa70dcc 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -36,9 +36,9 @@ TEST(VersionTest, BuildVersion) { EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); #ifdef BORINGSSL_FIPS - std::cout << "In ifdef block BORINGSSL_FIPS\n"; + std::cout << "From Test --> In ifdef block BORINGSSL_FIPS\n"; #else - std::cout << "In non-fips\n"; + std::cout << "From Test --> In non-fips\n"; #endif EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); EXPECT_EQ(VersionInfoTestPeer::sslVersion(), From 77249056054404a0777849cbf62e62d5573e9791 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Tue, 27 Apr 2021 15:01:23 +0530 Subject: [PATCH 09/16] use versioninfo.sslversion to generate fips_mode stat Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 10 ---------- test/common/common/version_test.cc | 23 +++++++++++------------ 2 files changed, 11 insertions(+), 22 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index 8b00d31637b01..f2641b3ec04a0 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -41,17 +41,7 @@ bool VersionInfo::sslFipsCompliant() { bool fipsCompliant = false; if (VersionInfo::sslVersion() == fips_ssl_version) { fipsCompliant = true; - std::cout << "From Code --> In BORINGSSL_FIPS\n"; - std::cout << "From Code --> SSL Version:" << VersionInfo::sslVersion(); - } else { - std::cout << "From Code --> In non-fips\n"; - std::cout << "From Code --> SSL Version:" << VersionInfo::sslVersion(); } -#ifdef BORINGSSL_FIPS - std::cout << "\n From Code --> In ifdef block BORINGSSL_FIPS\n"; -#else - std::cout << "\n From Code --> In non-fips\n"; -#endif return fipsCompliant; } 
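Review bot: With the debug output removed, `sslFipsCompliant()` decides the FIPS stat solely by `VersionInfo::sslVersion() == fips_ssl_version`, where the constant is declared just above this hunk, so a compliance signal now depends on a display label. Rewording that label would silently flip the stat to false. The version_test.cc hunks of the same patch add their own `fips_ssl_version = "BoringSSL-FIPS"` and apply the same comparison, so the tests would still pass in that case. If the label comparison stays, one shared constant with a comment such as `// Must match the SSL version label used for FIPS builds.` would tie the pieces together.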
diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index da5c8ffa70dcc..10a0271f95619 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -5,6 +5,7 @@ #include "gtest/gtest.h" namespace Envoy { +const std::string fips_ssl_version = "BoringSSL-FIPS"; // Class for accessing private members of the VersionInfo class. class VersionInfoTestPeer { @@ -35,12 +36,11 @@ TEST(VersionTest, BuildVersion) { fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value()); EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); -#ifdef BORINGSSL_FIPS - std::cout << "From Test --> In ifdef block BORINGSSL_FIPS\n"; -#else - std::cout << "From Test --> In non-fips\n"; -#endif - EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); + if (VersionInfoTestPeer::sslVersion() == fips_ssl_version) { + EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant()); + } else { + EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); + } EXPECT_EQ(VersionInfoTestPeer::sslVersion(), fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value()); } @@ -52,12 +52,11 @@ TEST(VersionTest, MakeBuildVersionWithLabel) { EXPECT_EQ(3, build_version.version().patch()); const auto& fields = build_version.metadata().fields(); EXPECT_GE(fields.size(), 1); -#ifdef BORINGSSL_FIPS - std::cout << "From Test --> In ifdef block BORINGSSL_FIPS\n"; -#else - std::cout << "From Test --> In non-fips\n"; -#endif - EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); + if (VersionInfoTestPeer::sslVersion() == fips_ssl_version) { + EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant()); + } else { + EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); + } EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value()); } From 8bd10d25ee020c68944b8af427a1f0b29fea4130 Mon Sep 17 00:00:00 2001 
From: Ravindra Akella Date: Tue, 27 Apr 2021 17:32:33 +0530 Subject: [PATCH 10/16] use ENVOY_SSL_FIPS as compiletime option Signed-off-by: Ravindra Akella --- source/common/version/BUILD | 2 +- source/common/version/version.cc | 10 +++++----- test/common/common/version_test.cc | 21 ++++++++++----------- 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/source/common/version/BUILD b/source/common/version/BUILD index 99300df7e6518..f915d75560e95 100644 --- a/source/common/version/BUILD +++ b/source/common/version/BUILD @@ -59,7 +59,7 @@ envoy_cc_library( name = "version_lib", srcs = ["version.cc"], copts = envoy_select_boringssl( - ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], + ["-DENVOY_SSL_FIPS, -DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""], ), deps = [ diff --git a/source/common/version/version.cc b/source/common/version/version.cc index f2641b3ec04a0..81d60fe1ecfa2 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc @@ -37,11 +37,11 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { } bool VersionInfo::sslFipsCompliant() { - const std::string fips_ssl_version = "BoringSSL-FIPS"; - bool fipsCompliant = false; - if (VersionInfo::sslVersion() == fips_ssl_version) { - fipsCompliant = true; - } +#ifdef ENVOY_SSL_FIPS + static bool fipsCompliant = true; +#else + static bool fipsCompliant = false; +#endif return fipsCompliant; } diff --git a/test/common/common/version_test.cc b/test/common/common/version_test.cc index 10a0271f95619..379d539b85ddb 100644 --- a/test/common/common/version_test.cc +++ b/test/common/common/version_test.cc @@ -5,7 +5,6 @@ #include "gtest/gtest.h" namespace Envoy { -const std::string fips_ssl_version = "BoringSSL-FIPS"; // Class for accessing private members of the VersionInfo class. class VersionInfoTestPeer { 
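Review bot: The first list passed to `envoy_select_boringssl` in source/common/version/BUILD is a single string, `"-DENVOY_SSL_FIPS, -DENVOY_SSL_VERSION=..."`, so the comma becomes part of a compiler argument instead of separating two options. Each flag should be its own list element, `"-DENVOY_SSL_FIPS",` followed by `"-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"",`. As written, a FIPS build would presumably either fail to compile or define a macro with an unintended name, leaving `sslFipsCompliant()` on its `#else` branch.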
@@ -36,11 +35,11 @@ TEST(VersionTest, BuildVersion) { fields.at(BuildVersionMetadataKeys::get().RevisionStatus).string_value()); EXPECT_EQ(VersionInfoTestPeer::buildType(), fields.at(BuildVersionMetadataKeys::get().BuildType).string_value()); - if (VersionInfoTestPeer::sslVersion() == fips_ssl_version) { - EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant()); - } else { - EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); - } +#ifdef ENVOY_SSL_FIPS + EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant()); +#else + EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); +#endif EXPECT_EQ(VersionInfoTestPeer::sslVersion(), fields.at(BuildVersionMetadataKeys::get().SslVersion).string_value()); } @@ -52,11 +51,11 @@ TEST(VersionTest, MakeBuildVersionWithLabel) { EXPECT_EQ(3, build_version.version().patch()); const auto& fields = build_version.metadata().fields(); EXPECT_GE(fields.size(), 1); - if (VersionInfoTestPeer::sslVersion() == fips_ssl_version) { - EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant()); - } else { - EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); - } +#ifdef ENVOY_SSL_FIPS + EXPECT_TRUE(VersionInfoTestPeer::sslFipsCompliant()); +#else + EXPECT_FALSE(VersionInfoTestPeer::sslFipsCompliant()); +#endif EXPECT_EQ("foo-bar", fields.at(BuildVersionMetadataKeys::get().BuildLabel).string_value()); } From 597455ec4767ce230fd35b29a50a46f49fb95bfb Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Tue, 27 Apr 2021 19:14:12 +0530 Subject: [PATCH 11/16] fix build options for fips Signed-off-by: Ravindra Akella --- source/common/version/BUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/version/BUILD b/source/common/version/BUILD index f915d75560e95..4c4e41dea8f19 100644 --- a/source/common/version/BUILD +++ b/source/common/version/BUILD 
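Review bot: The `#ifdef ENVOY_SSL_FIPS` blocks added to `BuildVersion` and `MakeBuildVersionWithLabel` depend on a macro that this patch passes only through `version_lib`'s `copts`. Bazel `copts` apply to the target they are set on and are not inherited by targets that depend on it, assuming the `envoy_cc_library` wrapper forwards them unchanged. Unless the test target receives the define as well, version_test.cc always compiles the `EXPECT_FALSE` branch and fails on a FIPS build. Both test bodies start outside their hunks.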
@@ -59,7 +59,7 @@ envoy_cc_library( name = "version_lib", srcs = ["version.cc"], copts = envoy_select_boringssl( - ["-DENVOY_SSL_FIPS, -DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], + ["-DENVOY_SSL_FIPS -DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""], ), deps = [ From 8a4fb1a984bec242aba12512ec7174de6a46eadc Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Wed, 28 Apr 2021 07:02:55 +0530 Subject: [PATCH 12/16] set ENVOY_SSL_FIPS in bazel build for test/common Signed-off-by: Ravindra Akella --- test/common/common/BUILD | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/common/common/BUILD b/test/common/common/BUILD index b210f21c49eca..6875316a9c860 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -5,6 +5,7 @@ load( "envoy_cc_fuzz_test", "envoy_cc_test", "envoy_package", + "envoy_select_boringssl", ) licenses(["notice"]) # Apache 2 @@ -389,6 +390,9 @@ envoy_cc_test( envoy_cc_test( name = "version_test", srcs = ["version_test.cc"], + copts = envoy_select_boringssl( + ["-DENVOY_SSL_FIPS"], + ), external_deps = [ "abseil_strings", ], From 58410eebb1b38e0344c7266510ddf3f4e6c929c3 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Wed, 28 Apr 2021 12:42:54 +0530 Subject: [PATCH 13/16] fix ENVOY_SSL_FIPS argument Signed-off-by: Ravindra Akella --- source/common/version/BUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/version/BUILD b/source/common/version/BUILD index 4c4e41dea8f19..fb79e73da3602 100644 --- a/source/common/version/BUILD +++ b/source/common/version/BUILD @@ -59,7 +59,7 @@ envoy_cc_library( name = "version_lib", srcs = ["version.cc"], copts = envoy_select_boringssl( - ["-DENVOY_SSL_FIPS -DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], + ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"", "-DENVOY_SSL_FIPS"], ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""], ), deps = [ From ba2eb67b1503e767f117fc91d842b151364de315 Mon Sep 17 00:00:00 2001 
From: Ravindra Akella Date: Wed, 28 Apr 2021 12:56:26 +0530 Subject: [PATCH 14/16] fix copts in test/common bazel build file Signed-off-by: Ravindra Akella --- test/common/common/BUILD | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/common/common/BUILD b/test/common/common/BUILD index 6875316a9c860..da737aa053bd5 100644 --- a/test/common/common/BUILD +++ b/test/common/common/BUILD @@ -390,9 +390,7 @@ envoy_cc_test( envoy_cc_test( name = "version_test", srcs = ["version_test.cc"], - copts = envoy_select_boringssl( - ["-DENVOY_SSL_FIPS"], - ), + copts = envoy_select_boringssl(["-DENVOY_SSL_FIPS"]), external_deps = [ "abseil_strings", ], From 7228d969d95759c21f1ef55e7e95ff4b6ff9828b Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Wed, 28 Apr 2021 15:36:54 +0530 Subject: [PATCH 15/16] fix format error Signed-off-by: Ravindra Akella --- source/common/version/BUILD | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source/common/version/BUILD b/source/common/version/BUILD index fb79e73da3602..6626e2da9e229 100644 --- a/source/common/version/BUILD +++ b/source/common/version/BUILD @@ -59,7 +59,10 @@ envoy_cc_library( name = "version_lib", srcs = ["version.cc"], copts = envoy_select_boringssl( - ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"", "-DENVOY_SSL_FIPS"], + [ + "-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\"", + "-DENVOY_SSL_FIPS", + ], ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""], ), deps = [ From 09a49269e562fc501f35a7b52c13479aec024055 Mon Sep 17 00:00:00 2001 From: Ravindra Akella Date: Wed, 28 Apr 2021 19:14:30 +0530 Subject: [PATCH 16/16] remove static variable Signed-off-by: Ravindra Akella --- source/common/version/version.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/source/common/version/version.cc b/source/common/version/version.cc index 81d60fe1ecfa2..f1d80c8e19e4b 100644 --- a/source/common/version/version.cc +++ b/source/common/version/version.cc 
@@ -38,11 +38,10 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() { bool VersionInfo::sslFipsCompliant() { #ifdef ENVOY_SSL_FIPS - static bool fipsCompliant = true; + return true; #else - static bool fipsCompliant = false; + return false; #endif - return fipsCompliant; } const std::string& VersionInfo::buildType() {
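Review bot: `sslFipsCompliant()` now returns a constant selected by `ENVOY_SSL_FIPS`, so it reports how this target was compiled rather than anything about the crypto library actually linked. The name and the header comment ("FIPS Compliance of envoy build") nonetheless read as a compliance statement. A comment on the definition would set expectations: `// True when built with ENVOY_SSL_FIPS (set in BUILD for FIPS BoringSSL); does not query the linked library.` If the crypto headers are reachable from a test target, BoringSSL's `FIPS_mode()` could be used to cross-check the flag. The following `buildType()` definition continues outside the hunk.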