envoyproxy · htuch · Dec 27, 2018 · Dec 22, 2018 · htuch · Dec 27, 2018
diff --git a/bazel/BUILD b/bazel/BUILD
@@ -139,12 +139,12 @@ config_setting(
 )
 
 # Alias pointing to the selected version of BoringSSL:
-# - BoringSSL FIPS from @envoy_deps//:boringssl_fips,
+# - BoringSSL FIPS from @boringssl_fips//:ssl,
 # - non-FIPS BoringSSL from @boringssl//:ssl.
 alias(
     name = "boringssl",
     actual = select({
-        "//bazel:boringssl_fips": "//external:boringssl_fips",
+        "//bazel:boringssl_fips": "@boringssl_fips//:ssl",
         "//conditions:default": "@boringssl//:ssl",
     }),
 )
diff --git a/bazel/external/boringssl_fips.BUILD b/bazel/external/boringssl_fips.BUILD
@@ -0,0 +1,33 @@
+load(":genrule_cmd.bzl", "genrule_cmd")
+
+cc_library(
+    name = "crypto",
+    srcs = [
+        "crypto/libcrypto.a",
+    ],
+    hdrs = glob(["boringssl/include/openssl/*.h"]),
+    defines = ["BORINGSSL_FIPS"],
+    includes = ["boringssl/include"],
+    visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "ssl",
+    srcs = [
+        "ssl/libssl.a",
+    ],
+    hdrs = glob(["boringssl/include/openssl/*.h"]),
+    includes = ["boringssl/include"],
+    visibility = ["//visibility:public"],
+    deps = [":crypto"],
+)
+
+genrule(
+    name = "build",
+    srcs = glob(["boringssl/**"]),
+    outs = [
+        "crypto/libcrypto.a",
+        "ssl/libssl.a",
+    ],
+    cmd = genrule_cmd("@envoy//bazel/external:boringssl_fips.genrule_cmd"),
+)
diff --git a/bazel/external/boringssl_fips.genrule_cmd b/bazel/external/boringssl_fips.genrule_cmd
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+set -e
+
+# BoringSSL build as described in the Security Policy for BoringCrypto module (2018-10-25):
+# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3318.pdf
+
+# This works only on Linux-x86_64.
+if [[ `uname` != "Linux" || `uname -m` != "x86_64" ]]; then
+  echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64."
+  exit 1
+fi
+
+# Bazel magic.
+ROOT=$$(dirname $(rootpath boringssl/BUILDING.md))/..
+pushd $$ROOT
+
+# Build tools requirements:
+# - Clang compiler version 6.0.1 (http://releases.llvm.org/download.html)
+# - Go programming language version 1.10.3 (https://golang.org/dl/)
+# - Ninja build system version 1.8.2 (https://github.com/ninja-build/ninja/releases)
+
+# Override $$PATH for build tools, to avoid picking up anything else.
+export PATH="$$(dirname `which cmake`):/usr/bin:/bin"
+
+# Clang 6.0.1
+VERSION=6.0.1
+SHA256=7ea204ecd78c39154d72dfc0d4a79f7cce1b2264da2551bb2eef10e266d54d91
+PLATFORM="x86_64-linux-gnu-ubuntu-16.04"
+
+curl -sLO https://releases.llvm.org/"$$VERSION"/clang+llvm-"$$VERSION"-"$$PLATFORM".tar.xz \
+  && echo "$$SHA256" clang+llvm-"$$VERSION"-"$$PLATFORM".tar.xz | sha256sum --check
+tar xf clang+llvm-"$$VERSION"-"$$PLATFORM".tar.xz
+
+export HOME="$$PWD"
+printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > $${HOME}/toolchain
+export PATH="$$PWD/clang+llvm-$$VERSION-$$PLATFORM/bin:$$PATH"
+
+if [[ `clang --version | head -1 | awk '{print $$3}'` != "$$VERSION" ]]; then
+  echo "ERROR: Clang version doesn't match."
+  exit 1
+fi
+
+# Go 1.10.3
+VERSION=1.10.3
+SHA256=fa1b0e45d3b647c252f51f5e1204aba049cde4af177ef9f2181f43004f901035
+PLATFORM="linux-amd64"
+
+curl -sLO https://dl.google.com/go/go"$$VERSION"."$$PLATFORM".tar.gz \
+  && echo "$$SHA256" go"$$VERSION"."$$PLATFORM".tar.gz | sha256sum --check
+tar xf go"$$VERSION"."$$PLATFORM".tar.gz
+
+export GOROOT="$$PWD/go"
+export PATH="$$GOROOT/bin:$$PATH"
+
+if [[ `go version | awk '{print $$3}'` != "go$$VERSION" ]]; then
+  echo "ERROR: Go version doesn't match."
+  exit 1
+fi
+
+# Ninja 1.8.2
+VERSION=1.8.2
+SHA256=d2fea9ff33b3ef353161ed906f260d565ca55b8ca0568fa07b1d2cab90a84a07
+PLATFORM="linux"
+
+curl -sLO https://github.com/ninja-build/ninja/releases/download/v"$$VERSION"/ninja-"$$PLATFORM".zip \
+  && echo "$$SHA256" ninja-"$$PLATFORM".zip | sha256sum --check
+unzip ninja-"$$PLATFORM".zip
+
+export PATH="$$PWD:$$PATH"
+
+if [[ `ninja --version` != "$$VERSION" ]]; then
+  echo "ERROR: Ninja version doesn't match."
+  exit 1
+fi
+
+# Clean after previous build.
+rm -rf boringssl/build
+
+# Build BoringSSL.
+cd boringssl
+mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=$${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
+ninja
+ninja run_tests
+
+# Verify correctness of the FIPS build.
+if [[ `tool/bssl isfips` != "1" ]]; then
+  echo "ERROR: BoringSSL tool didn't report FIPS build."
+  exit 1
+fi
+
+# Move compiled libraries to the expected destinations.
+popd
+mv $$ROOT/boringssl/build/crypto/libcrypto.a $(execpath crypto/libcrypto.a)
+mv $$ROOT/boringssl/build/ssl/libssl.a $(execpath ssl/libssl.a)
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -11,7 +11,6 @@ load("@bazel_tools//tools/cpp:lib_cc_configure.bzl", "get_env_var")
 
 # dict of {build recipe name: longform extension name,}
 PPC_SKIP_TARGETS = {"luajit": "envoy.filters.http.lua"}
-NO_BORINGSSL_FIPS = "boringssl_fips"
 
 # go version for rules_go
 GO_VERSION = "1.10.4"
@@ -261,21 +260,24 @@ def envoy_dependencies(path = "@envoy_deps//", skip_targets = []):
                 actual = path + ":" + t,
             )
 
-    # Binding for //external:ssl pointing to the selected version of BoringSSL.
-    native.bind(
-        name = "ssl",
-        actual = "@envoy//bazel:boringssl",
-    )
-
     # Treat Envoy's overall build config as an external repo, so projects that
     # build Envoy as a subcomponent can easily override the config.
     if "envoy_build_config" not in native.existing_rules().keys():
         _default_envoy_build_config(name = "envoy_build_config")
 
+    # Binding to an alias pointing to the selected version of BoringSSL:
+    # - BoringSSL FIPS from @boringssl_fips//:ssl,
+    # - non-FIPS BoringSSL from @boringssl//:ssl.
+    _boringssl()
+    _boringssl_fips()
+    native.bind(
+        name = "ssl",
+        actual = "@envoy//bazel:boringssl",
+    )
+
     # The long repo names (`com_github_fmtlib_fmt` instead of `fmtlib`) are
     # semi-standard in the Bazel community, intended to avoid both duplicate
     # dependencies and name conflicts.
-    _boringssl()
     _com_google_absl()
     _com_github_bombela_backward()
     _com_github_circonus_labs_libcircllhist()
@@ -307,6 +309,16 @@ def envoy_dependencies(path = "@envoy_deps//", skip_targets = []):
 def _boringssl():
     _repository_impl("boringssl")
 
+def _boringssl_fips():
+    location = REPOSITORY_LOCATIONS["boringssl_fips"]
+    genrule_repository(
+        name = "boringssl_fips",
+        urls = location["urls"],
+        sha256 = location["sha256"],
+        genrule_cmd_file = "@envoy//bazel/external:boringssl_fips.genrule_cmd",
+        build_file = "@envoy//bazel/external:boringssl_fips.BUILD",
+    )
+
 def _com_github_bombela_backward():
     _repository_impl(
         name = "com_github_bombela_backward",
@@ -583,8 +595,6 @@ def _apply_dep_blacklist(ctxt, recipes):
     skip_list = []
     if _is_linux_ppc(ctxt):
         skip_list += PPC_SKIP_TARGETS.keys()
-    if not _is_linux_x86_64(ctxt):
-        skip_list.append(NO_BORINGSSL_FIPS)
     for t in recipes:
         if t not in skip_list:
             newlist.append(t)

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -10,6 +10,11 @@ REPOSITORY_LOCATIONS = dict(
         # chromium-71.0.3578.80
         urls = ["https://github.com/google/boringssl/archive/77e47de9e16ec8865d1bc6d614dd918141f094d2.tar.gz"],
     ),
+    boringssl_fips = dict(
+        sha256 = "b12ad676ee533824f698741bd127f6fbc82c46344398a6d78d25e62c6c418c73",
+        # fips-20180730
+        urls = ["https://commondatastorage.googleapis.com/chromium-boringssl-docs/fips/boringssl-66005f41fbc3529ffe8d007708756720529da20d.tar.xz"],
+    ),
     com_google_absl = dict(
         sha256 = "e35082e88b9da04f4d68094c05ba112502a5063712f3021adfa465306d238c76",
         strip_prefix = "abseil-cpp-cc8dcd307b76a575d2e3e0958a4fe4c7193c2f68",

diff --git a/bazel/target_recipes.bzl b/bazel/target_recipes.bzl
@@ -4,7 +4,6 @@
 TARGET_RECIPES = {
     "ares": "cares",
     "benchmark": "benchmark",
-    "boringssl_fips": "boringssl_fips",
     "event": "libevent",
     "tcmalloc_and_profiler": "gperftools",
     "luajit": "luajit",

diff --git a/ci/build_container/build_recipes/boringssl_fips.sh b/ci/build_container/build_recipes/boringssl_fips.sh
diff --git a/ci/prebuilt/BUILD b/ci/prebuilt/BUILD
@@ -27,26 +27,6 @@ cc_library(
     includes = ["thirdparty_build/include"],
 )
 
-cc_library(
-    name = "boringcrypto_fips",
-    srcs = [
-        "thirdparty_build/lib/libcrypto.a",
-    ],
-    hdrs = glob(["thirdparty_build/include/openssl/**/*.h"]),
-    defines = ["BORINGSSL_FIPS"],
-    includes = ["thirdparty_build/include"],
-)
-
-cc_library(
-    name = "boringssl_fips",
-    srcs = [
-        "thirdparty_build/lib/libssl.a",
-    ],
-    hdrs = glob(["thirdparty_build/include/openssl/**/*.h"]),
-    includes = ["thirdparty_build/include"],
-    deps = [":boringcrypto_fips"],
-)
-
 cc_library(
     name = "event",
     srcs = select({