diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index 725f4400286d5..ace23b0674154 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -76,17 +76,17 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 project_desc = "Minimal OpenSSL fork",
 project_url = "https://github.com/google/boringssl",
 # To update BoringSSL, which tracks Chromium releases:
- # 1. Open https://omahaproxy.appspot.com/ and note of linux/dev release.
+ # 1. Open https://omahaproxy.appspot.com/ and note of linux/beta release.
 # 2. Open https://chromium.googlesource.com/chromium/src/+/refs/tags//DEPS and note .
- # 3. Find a commit in BoringSSL's "main-with-bazel" branch that merges .
+ # 3. Find a commit in BoringSSL's "master-with-bazel" branch that merges .
 #
- # chromium-94.0.4606.81 (linux/dev)
- version = "648cbaf033401b7fe7acdce02f275b06a88aab5c",
- sha256 = "579cb415458e9f3642da0a39a72f79fdfe6dc9c1713b3a823f1e276681b9703e",
+ # chromium-99.0.4844.17 (linux/beta)
+ version = "5416e4f16bffdc24e71e84d6e3977eed73c6f6b3",
+ sha256 = "864cb8005739db6f2b615ed167ba12a88a7f5c54e39c911e1c271fdfad21a3e7",
 strip_prefix = "boringssl-{version}",
 urls = ["https://github.com/google/boringssl/archive/{version}.tar.gz"],
 use_category = ["controlplane", "dataplane_core"],
- release_date = "2021-07-15",
+ release_date = "2022-01-05",
 cpe = "cpe:2.3:a:google:boringssl:*",
 ),
 boringssl_fips = dict(
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
index 00bd8f86eedca..34ddcb322edb6 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
@@ -157,12 +157,20 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx,
 return 0;
 }

- // Set the trust bundle's certificate store on the context, and do the verification.
- store_ctx->ctx = trust_bundle;
+ // Set the trust bundle's certificate store on a copy of the context, and do the verification.
+ bssl::UniquePtr new_store_ctx(X509_STORE_CTX_new());
+ if (!X509_STORE_CTX_init(new_store_ctx.get(), trust_bundle, &leaf_cert,
+ X509_STORE_CTX_get0_untrusted(store_ctx)) ||
+ !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(new_store_ctx.get()),
+ X509_STORE_CTX_get0_param(store_ctx))) {
+ stats_.fail_verify_error_.inc();
+ return 0;
+ }
 if (allow_expired_certificate_) {
- X509_STORE_CTX_set_verify_cb(store_ctx, CertValidatorUtil::ignoreCertificateExpirationCallback);
+ X509_STORE_CTX_set_verify_cb(new_store_ctx.get(),
+ CertValidatorUtil::ignoreCertificateExpirationCallback);
 }
- auto ret = X509_verify_cert(store_ctx);
+ auto ret = X509_verify_cert(new_store_ctx.get());
 if (!ret) {
 if (ssl_extended_info) {
 ssl_extended_info->setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus::Failed);
diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh
index a91e7ae38cfd1..236bfdcd48478 100755
--- a/test/per_file_coverage.sh
+++ b/test/per_file_coverage.sh
@@ -72,8 +72,8 @@ declare -a KNOWN_LOW_COVERAGE=(
 "source/extensions/tracers/xray:96.2"
 "source/extensions/tracers/zipkin:96.1"
 "source/extensions/transport_sockets:95.3"
-"source/extensions/transport_sockets/tls:94.5"
-"source/extensions/transport_sockets/tls/cert_validator:95.7"
+"source/extensions/transport_sockets/tls:94.4"
+"source/extensions/transport_sockets/tls/cert_validator:95.3"
 "source/extensions/transport_sockets/tls/ocsp:96.5"
 "source/extensions/transport_sockets/tls/private_key:77.8"
 "source/extensions/wasm_runtime/wamr:0.0" # Not enabled in coverage build
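Review bot: `new_store_ctx` is handed to `X509_STORE_CTX_init` without checking that `X509_STORE_CTX_new()` returned a context; on allocation failure the init call dereferences a null pointer instead of taking the failure path the hunk already has. Fold the check into the existing condition so it reaches the same `fail_verify_error_` branch: `if (new_store_ctx == nullptr || !X509_STORE_CTX_init(new_store_ctx.get(), trust_bundle, &leaf_cert,`. Separately, because `X509_verify_cert` now runs on the copy, the verification error code and built chain live in `new_store_ctx`, not in the `store_ctx` the caller owns; if the remainder of doVerifyCertChain or its caller reads `X509_STORE_CTX_get_error(store_ctx)` to choose the alert or log the failure reason, it will see an unset value unless the code copies it back with `X509_STORE_CTX_set_error(store_ctx, X509_STORE_CTX_get_error(new_store_ctx.get()))` on the failure path. The function begins before this hunk and its body continues after it, so whether that propagation already exists cannot be confirmed from the diff.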