From af1b09430479a48f92e5ec058a45e85120bed39a Mon Sep 17 00:00:00 2001
From: Dario Cillerai <dcillera@redhat.com>
Date: Wed, 19 Jun 2024 20:46:35 +0200
Subject: [PATCH] Changes & tidy ups for proxy

---
 bssl-compat/BUILD                                   |  6 +-----
 bssl-compat/CMakeLists.txt                          |  6 ------
 bssl-compat/patch/include/openssl/rsa.h.sh          |  1 -
 bssl-compat/patch/include/openssl/ssl.h.sh          |  1 -
 .../source/RSA_padding_add_PKCS1_PSS_mgf1.cc        | 13 -------------
 bssl-compat/source/SSL_was_key_usage_invalid.cc     |  9 ---------
 bssl-compat/source/bio_meth_map.cpp                 |  5 +----
 .../transport_sockets/tls/context_impl.cc           |  8 ++++----
 8 files changed, 6 insertions(+), 43 deletions(-)
 delete mode 100644 bssl-compat/source/RSA_padding_add_PKCS1_PSS_mgf1.cc
 delete mode 100644 bssl-compat/source/SSL_was_key_usage_invalid.cc

diff --git a/bssl-compat/BUILD b/bssl-compat/BUILD
index a8aba5f8ee..923e080517 100644
--- a/bssl-compat/BUILD
+++ b/bssl-compat/BUILD
@@ -15,11 +15,7 @@ cmake(
     visibility = ["//visibility:public"],
     generate_crosstool_file = False,
     tags = ["requires-network"],
-    env = { "GOCACHE" : "/tmp",
-            "CMAKE_C_COMPILER" : "clang",
-            "CMAKE_CXX_COMPILER" : "clang++",
-            "Clang_ROOT" : "/usr/lib/llvm"
-},
+    env = { "Clang_ROOT" : "/usr/lib/llvm" },
 
     build_args = [ "-j" ]
 )
diff --git a/bssl-compat/CMakeLists.txt b/bssl-compat/CMakeLists.txt
index f4c1d396b0..a616ecc405 100644
--- a/bssl-compat/CMakeLists.txt
+++ b/bssl-compat/CMakeLists.txt
@@ -10,10 +10,6 @@ endif()
 set(OPENSSL_URL      https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.13.tar.gz)
 set(OPENSSL_URL_HASH e74504ed7035295ec7062b1da16c15b57ff2a03cd2064a28d8c39458cacc45fc)
 
-# dcillera - commented out as they're declared in function "cmake" of Bazel BUILD file 
-# SET (CMAKE_C_COMPILER    "clang")
-# SET (CMAKE_CXX_COMPILER  "clang++")
-
 set(CMAKE_C_STANDARD 11)
 set(CMAKE_CXX_STANDARD 17)
 
@@ -119,7 +115,6 @@ add_library(bssl-compat STATIC
   source/RSA_decrypt.cc
   source/RSA_encrypt.cc
   source/RSA_generate_key_ex.cc
-  source/RSA_padding_add_PKCS1_PSS_mgf1.cc
   source/RSA_private_key_from_bytes.cc
   source/RSA_public_key_from_bytes.cc
   source/RSA_sign_pss_mgf1.cc
@@ -189,7 +184,6 @@ add_library(bssl-compat STATIC
   source/SSL_set_renegotiate_mode.cc
   source/SSL_set_info_callback.cc
   source/SSL_set_verify.cc
-  source/SSL_was_key_usage_invalid.cc
   source/stack.c
   source/TLS_VERSION_to_string.cc
   source/TLS_with_buffers_method.cc
diff --git a/bssl-compat/patch/include/openssl/rsa.h.sh b/bssl-compat/patch/include/openssl/rsa.h.sh
index 91594965f6..5592534bbb 100755
--- a/bssl-compat/patch/include/openssl/rsa.h.sh
+++ b/bssl-compat/patch/include/openssl/rsa.h.sh
@@ -24,7 +24,6 @@ uncomment.sh "$1" --comment -h \
 --uncomment-func-decl RSA_add_pkcs1_prefix \
 --uncomment-func-decl RSA_public_key_from_bytes \
 --uncomment-func-decl RSA_private_key_from_bytes \
---uncomment-func-decl RSA_padding_add_PKCS1_PSS_mgf1 \
 --uncomment-macro-redef 'RSA_R_[a-zA-Z0-9_]*' \
 --uncomment-macro-redef 'RSA_[a-zA-Z0-9_]*_PADDING' \
 --uncomment-macro-redef RSA_F4 \
diff --git a/bssl-compat/patch/include/openssl/ssl.h.sh b/bssl-compat/patch/include/openssl/ssl.h.sh
index 47d9fc395e..036cb06e98 100755
--- a/bssl-compat/patch/include/openssl/ssl.h.sh
+++ b/bssl-compat/patch/include/openssl/ssl.h.sh
@@ -196,7 +196,6 @@ uncomment.sh "$1" --comment -h \
   --uncomment-func-decl SSL_CTX_set_private_key_method \
   --uncomment-func-decl SSL_send_fatal_alert \
   --uncomment-func-decl SSL_alert_desc_string_long \
-  --uncomment-func-decl SSL_was_key_usage_invalid \
   --uncomment-func-decl SSL_CTX_get_session_cache_mode \
 
 
diff --git a/bssl-compat/source/RSA_padding_add_PKCS1_PSS_mgf1.cc b/bssl-compat/source/RSA_padding_add_PKCS1_PSS_mgf1.cc
deleted file mode 100644
index 6fb143ca9a..0000000000
--- a/bssl-compat/source/RSA_padding_add_PKCS1_PSS_mgf1.cc
+++ /dev/null
@@ -1,13 +0,0 @@
-#include <openssl/rsa.h>
-#include <ossl.h>
-
-
-/**
- * This implementats some mappings only where necessary to support Envoy
- */
-extern "C" int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM,
-                                              const unsigned char *mHash,
-                                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
-                                              int sLenRequested) {
-      return ossl.ossl_RSA_padding_add_PKCS1_PSS_mgf1((ossl_RSA *)rsa, EM, mHash, Hash, mgf1Hash, sLenRequested);
-}
diff --git a/bssl-compat/source/SSL_was_key_usage_invalid.cc b/bssl-compat/source/SSL_was_key_usage_invalid.cc
deleted file mode 100644
index a234257f95..0000000000
--- a/bssl-compat/source/SSL_was_key_usage_invalid.cc
+++ /dev/null
@@ -1,9 +0,0 @@
-#include <openssl/ssl.h>
-#include <ossl.h>
-#include "log.h"
-
-
-extern "C" int SSL_was_key_usage_invalid(const SSL *ssl) {
-  bssl_compat_warn("SSL_was_key_usage_invalid() is not implemented");
-  return 0;
-}
diff --git a/bssl-compat/source/bio_meth_map.cpp b/bssl-compat/source/bio_meth_map.cpp
index af432221e6..a21d059b02 100644
--- a/bssl-compat/source/bio_meth_map.cpp
+++ b/bssl-compat/source/bio_meth_map.cpp
@@ -102,10 +102,7 @@ static ossl_BIO_METHOD *bio_method_new(const BIO_METHOD *bsslMethod) {
     ossl.ossl_BIO_meth_set_callback_ctrl(osslMethod, nullptr);
   }
   else {
-    // Simulate a segfault
-    volatile int* nasty_ptr = reinterpret_cast<int*>(0x0);
-    *(nasty_ptr) = 0; 
-   // bssl_compat_fatal("BIO_METHOD::callback_ctrl is not supported");
+    bssl_compat_fatal("BIO_METHOD::callback_ctrl is not supported");
   }
 
   return osslMethod;
diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc
index fa19cc76a7..8fb642218a 100644
--- a/source/extensions/transport_sockets/tls/context_impl.cc
+++ b/source/extensions/transport_sockets/tls/context_impl.cc
@@ -182,7 +182,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
         // even request client certs. So, instead, we should configure a callback to skip
         // validation and always supply the callback to boring SSL.
         SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
-#ifdef ENABLE_REVERIFY_ENFORCE_RSA  // Disabled as not implememnted in the bSSL layer
+#if 0  // Disabled as not implememnted in the bSSL layer
         SSL_CTX_set_reverify_on_resume(ctx, /*reverify_on_resume_enabled)=*/1);
 #endif
       }
@@ -571,14 +571,14 @@ void ContextImpl::logHandshake(SSL* ssl) const {
 #error "Delete preprocessor check below; no longer needed"
 #endif
 
-#if BORINGSSL_API_VERSION >= 18
+#if 0
   // Increment the `was_key_usage_invalid_` stats to indicate the given cert would have triggered an
   // error but is allowed because the enforcement that rsa key usage and tls usage need to be
   // matched has been disabled.
   if (SSL_was_key_usage_invalid(ssl)) {
     stats_.was_key_usage_invalid_.inc();
   }
-#endif // BORINGSSL_API_VERSION
+#endif
 }
 
 std::vector<Ssl::PrivateKeyMethodProviderSharedPtr> ContextImpl::getPrivateKeyMethodProviders() {
@@ -740,7 +740,7 @@ ClientContextImpl::newSsl(const Network::TransportSocketOptionsConstSharedPtr& o
     SSL_set_renegotiate_mode(ssl_con.get(), ssl_renegotiate_freely);
   }
 
-#ifdef ENABLE_REVERIFY_ENFORCE_RSA  // Disabled as not implememnted in the bSSL layer
+#if 0  // Disabled as not implememnted in the bSSL layer
   SSL_set_enforce_rsa_key_usage(ssl_con.get(), enforce_rsa_key_usage_);
 #endif