envoyproxy · tedjpoole · Jul 30, 2025 · Jul 23, 2025
diff --git a/.github/workflows/envoy-openssl.yml b/.github/workflows/envoy-openssl.yml
@@ -26,7 +26,7 @@ jobs:
       uses: envoyproxy/toolshed/gh-actions/[email protected]
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - run: |
-        ./ci/run_envoy_docker.sh './ci/do_ci.sh gcc //test/...'
+        ./ci/run_envoy_docker.sh './ci/do_ci.sh gcc //test/common/router:route_fuzz_test'
       env:
         BAZEL_BUILD_EXTRA_OPTIONS: >-
           --config=remote-envoy-engflow

diff --git a/bazel/external/openssl.BUILD b/bazel/external/openssl.BUILD
@@ -0,0 +1,21 @@
+load("@rules_foreign_cc//foreign_cc:configure.bzl", "configure_make")
+
+licenses(["notice"])  # Apache 2
+
+filegroup(
+    name = "all",
+    srcs = glob(["**"]),
+    visibility = ["//visibility:public"],
+)
+
+configure_make(
+    name = "openssl",
+    lib_source = ":all",
+    configure_in_place = True,
+    configure_command = "Configure",
+    targets = ["build_sw", "install_sw"],
+    args = ["-j"],
+    out_lib_dir = "lib64",
+    out_shared_libs = ["libssl.so.3", "libcrypto.so.3"],
+    visibility = ["//visibility:public"],
+)
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -135,6 +135,8 @@ def envoy_dependencies(skip_targets = []):
     # Setup external Bazel rules
     _foreign_cc_dependencies()
 
+    _openssl()
+
     # Binding to an alias pointing to the bssl-compat layer
     native.bind(
         name = "ssl",
@@ -300,6 +302,12 @@ def _aws_lc():
         build_file = "@envoy//bazel/external:aws_lc.BUILD",
     )
 
+def _openssl():
+    external_http_archive(
+        name = "openssl",
+        build_file = "@envoy//bazel/external:openssl.BUILD",
+    )
+
 def _com_github_openhistogram_libcircllhist():
     external_http_archive(
         name = "com_github_openhistogram_libcircllhist",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -172,6 +172,20 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         release_date = "2025-06-27",
         cpe = "cpe:2.3:a:google:boringssl:*",
     ),
+    openssl = dict(
+        project_name = "OpenSSL",
+        project_desc = "TLS/SSL and crypto library",
+        project_url = "https://github.com/openssl/openssl",
+        version = "3.0.16",
+        sha256 = "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86",
+        strip_prefix = "openssl-{version}",
+        urls = ["https://github.com/openssl/openssl/releases/download/openssl-{version}/openssl-{version}.tar.gz"],
+        use_category = ["controlplane", "dataplane_core"],
+        release_date = "2025-02-11",
+        cpe = "cpe:2.3:a:openssl:openssl:*",
+        license = "Apache-2.0",
+        license_url = "https://github.com/openssl/openssl/blob/openssl-{version}/LICENSE.txt",
+    ),
     aspect_bazel_lib = dict(
         project_name = "Aspect Bazel helpers",
         project_desc = "Base Starlark libraries and basic Bazel rules which are useful for constructing rulesets and BUILD files",

diff --git a/bssl-compat/BUILD b/bssl-compat/BUILD
@@ -1,4 +1,5 @@
 load("@rules_foreign_cc//foreign_cc:defs.bzl", "cmake")
+load(":filter_shared_libs.bzl", "filter_out_shared_libs")
 
 filegroup(
     name = "srcs",
@@ -7,27 +8,53 @@ filegroup(
 
 licenses(["notice"])  # Apache 2
 
+filegroup(
+    name = "openssl-libssl",
+    srcs = ["@openssl//:openssl"],
+    output_group = "libssl.so.3",
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "openssl-libcrypto",
+    srcs = ["@openssl//:openssl"],
+    output_group = "libcrypto.so.3",
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "openssl-libs",
+    srcs = [
+        ":openssl-libssl",
+        ":openssl-libcrypto",
+    ],
+    visibility = ["//visibility:private"],
+)
+
 cmake(
-    name = "bssl-compat",
+    name = "bssl-compat-build",
     lib_source = ":srcs",
     out_shared_libs = [],
     out_static_libs = ["libbssl-compat.a"],
-    visibility = ["//visibility:public"],
+    visibility = ["//visibility:private"],
     generate_crosstool_file = False,
-    out_binaries = ["utests-bssl-compat"],
-    build_args = [ "-j" ]
-)
-
-filegroup(
-    name = "bssl-compat-utests-bssl-compat",
-    srcs = [":bssl-compat"],
-    output_group = "utests-bssl-compat",
+    build_args = [ "-j" ],
+    deps = ["@openssl//:openssl"],
+    cache_entries = {
+        "OPENSSL_ROOT_DIR": "$$EXT_BUILD_DEPS/openssl",
+    },
+    # Add the OpenSSL shared libraries as a *data* dependency, so they get
+    # propagated to dependant targets, and made available in their runfiles
+    # directory when they run, so libbssl-compat.a can dlopen() them.
+    data = [":openssl-libs"],
 )
 
-sh_test(
-    name = "utests-bssl-compat",
-    size = "small",
-    srcs = [":bssl-compat-utests-bssl-compat"],
+# This target is identical to :bssl-compat-build but with the OpenSSL shared
+# libraries dependency filtered out, to stop dependants linking against them.
+filter_out_shared_libs(
+    name = "bssl-compat",
+    dep = ":bssl-compat-build",
+    visibility = ["//visibility:public"],
 )
 
 alias(

diff --git a/bssl-compat/CMakeLists.txt b/bssl-compat/CMakeLists.txt
@@ -7,9 +7,6 @@ if(POLICY CMP0135)
   cmake_policy(SET CMP0135 NEW)
 endif()
 
-set(OPENSSL_URL      https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.13.tar.gz)
-set(OPENSSL_URL_HASH e74504ed7035295ec7062b1da16c15b57ff2a03cd2064a28d8c39458cacc45fc)
-
 set(CMAKE_C_STANDARD 11)
 set(CMAKE_CXX_STANDARD 17)
 
@@ -38,6 +35,8 @@ add_dependencies(bssl-gen ossl-gen) # generate ossl headers before bssl headers
 
 # custom mappings
 add_library(bssl-compat STATIC
+  source/ossl_dlfcn.c
+  source/ossl_init_debug.cc
   source/ASN1_TIME_free.cc
   source/BASIC_CONSTRAINTS_free.cc
   source/BASIC_CONSTRAINTS_new.cc
@@ -702,6 +701,7 @@ target_add_bssl_source(bssl-compat
 )
 target_compile_definitions(bssl-compat PUBLIC ossl_OPENSSL_SUPPRESS_DEPRECATED)
 target_include_directories(bssl-compat PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/include)
+target_include_directories(bssl-compat PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/source)
 target_include_directories(bssl-compat PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/include)
 target_include_directories(bssl-compat PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/source)
 target_link_libraries(bssl-compat INTERFACE ${CMAKE_DL_LIBS})

diff --git a/bssl-compat/cmake/openssl.cmake b/bssl-compat/cmake/openssl.cmake
@@ -5,19 +5,5 @@ if(OpenSSL_FOUND)
     get_filename_component(OPENSSL_LIBRARY_DIR ${OPENSSL_CRYPTO_LIBRARY} DIRECTORY)
     message(STATUS "Found OpenSSL ${OPENSSL_VERSION} (${OPENSSL_LIBRARY_DIR})")
 else()
-    message(STATUS "Building OpenSSL (${OPENSSL_URL})")
-    include(ExternalProject)
-    set(OPENSSL_SOURCE_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl/source)
-    set(OPENSSL_CONFIG_CMD ${OPENSSL_SOURCE_DIR}/config)
-    set(OPENSSL_INSTALL_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl/install)
-    set(OPENSSL_INCLUDE_DIR ${OPENSSL_INSTALL_DIR}/include)
-    set(OPENSSL_LIBRARY_DIR ${OPENSSL_INSTALL_DIR}/lib)
-    ExternalProject_Add(OpenSSL
-        URL ${OPENSSL_URL}
-        URL_HASH SHA256=${OPENSSL_URL_HASH}
-        SOURCE_DIR ${OPENSSL_SOURCE_DIR}
-        CONFIGURE_COMMAND ${OPENSSL_CONFIG_CMD} --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
-        TEST_COMMAND ""
-        INSTALL_COMMAND make install_sw
-    )
+    message(FATAL_ERROR "OpenSSL 3.0 not found. Aborting.")
 endif()
diff --git a/bssl-compat/filter_shared_libs.bzl b/bssl-compat/filter_shared_libs.bzl
@@ -0,0 +1,58 @@
+"""Rule to filter out shared libraries from a cc target's dependencies."""
+
+def _filter_shared_libs_impl(ctx):
+    dep = ctx.attr.dep
+    cc_info = dep[CcInfo]
+
+    # Get the original linking context
+    linking_context = cc_info.linking_context
+
+    # Filter out shared libraries from linker inputs
+    filtered_linker_inputs = []
+    for linker_input in linking_context.linker_inputs.to_list():
+        # Only keep static libraries
+        filtered_libraries = []
+        for lib in linker_input.libraries:
+            if lib.static_library or lib.pic_static_library:
+                filtered_libraries.append(lib)
+
+        if filtered_libraries:
+            filtered_linker_inputs.append(
+                cc_common.create_linker_input(
+                    owner = linker_input.owner,
+                    libraries = depset(filtered_libraries),
+                    user_link_flags = depset(linker_input.user_link_flags),
+                )
+            )
+
+    # Create new linking context with filtered inputs
+    new_linking_context = cc_common.create_linking_context(
+        linker_inputs = depset(filtered_linker_inputs),
+    )
+
+    # Create new CcInfo with filtered linking context
+    new_cc_info = CcInfo(
+        compilation_context = cc_info.compilation_context,
+        linking_context = new_linking_context,
+    )
+
+    default_info = dep[DefaultInfo]
+    return [
+        new_cc_info,
+        DefaultInfo(
+            files = default_info.files,
+            data_runfiles = default_info.data_runfiles,
+            default_runfiles = default_info.default_runfiles,
+        ),
+    ]
+
+filter_out_shared_libs = rule(
+    implementation = _filter_shared_libs_impl,
+    attrs = {
+        "dep": attr.label(
+            mandatory = True,
+            providers = [CcInfo],
+        ),
+    },
+    provides = [CcInfo],
+)
diff --git a/bssl-compat/prefixer/prefixer.cpp b/bssl-compat/prefixer/prefixer.cpp
@@ -265,12 +265,9 @@ class MyFrontendAction: public clang::ASTFrontendAction {
       if (prefixable(token.getLocation())) {
         std::string name = pp.getSpelling(token);
         m_identifiers.insert(name);
-        if (name == "SHLIB_VERSION_NUMBER") {
+        if (name == "OPENSSL_VERSION_MAJOR") {
           const auto &token = directive->getMacroInfo()->getReplacementToken(0);
           m_shlibversion = std::string(token.getLiteralData(), token.getLength());
-          // Remove the quotation marks.
-          m_shlibversion = m_shlibversion.substr(1, m_shlibversion.size() - 1);
-          m_shlibversion.pop_back();
         }
       }
     }
@@ -440,9 +437,10 @@ void MyFrontendAction::EndSourceFileAction() {
     std::map<std::string,std::vector<Function>> funcmap;
 
     for(const auto &f : m_functions) {
-      std::string header = f.getHeader(srcmgr);
+      std::filesystem::path header = f.getHeader(srcmgr);
+      header = header.lexically_relative(opt::incdir());
       if(funcmap.find(header) == funcmap.end()) {
-        hstr << "#include \"" << header <<"\"" << std::endl;
+        hstr << "#include \"" << header.string() <<"\"" << std::endl;
       }
       funcmap[header].push_back(f);
     }
@@ -474,9 +472,11 @@ void MyFrontendAction::EndSourceFileAction() {
     std::ofstream cstr (opt::cfile());
 
     cstr << "//" << std::endl << "// THIS FILE IS GENERATED BY THE PREFIXER TOOL DO NOT EDIT" << std::endl << "//" << std::endl
+         << "#include <link.h>" << std::endl
          << "#include <dlfcn.h>" << std::endl
          << "#include <errno.h>" << std::endl
          << "#include <assert.h>" << std::endl
+         << "#include \"ossl_dlfcn.h\"" << std::endl
          << "#include \"" << opt::prefix << ".h\"" << std::endl
          << std::endl
          << "#define LIBCRYPTO_SO \"libcrypto.so" << (m_shlibversion.size() ? "." + m_shlibversion : "") << "\"" << std::endl
@@ -495,18 +495,19 @@ void MyFrontendAction::EndSourceFileAction() {
          << "  const char *s = symbol + " << opt::prefix.size() + 1 << ";" << std::endl
          << "  if ((result = dlsym(libcrypto, s)) != NULL) return result;" << std::endl
          << "  if((result = dlsym(libssl, s)) != NULL) return result;" << std::endl
-         << "//fprintf(stderr, \"dlsym(%s) : %s\\n\", s, dlerror());" << std::endl
-         << "//exit(ELIBACC);" << std::endl
          << "  return NULL;" << std::endl
          << "}" << std::endl
          << std::endl
+         << "void " << opt::prefix << "_init_debug(void);" << std::endl
+         << std::endl
          << "static void " << opt::prefix << "_init(void) {" << std::endl
-         << "  if((libcrypto = dlopen(LIBCRYPTO_SO, RTLD_NOW | RTLD_LOCAL)) == NULL) {" << std::endl
+         << "  " << opt::prefix << "_init_debug();" << std::endl
+         << "  if((libcrypto = ossl_dlopen(LIBCRYPTO_SO)) == NULL) {" << std::endl
          << "    fprintf(stderr, \"dlopen(%s) : %s\\n\", LIBCRYPTO_SO, dlerror());" << std::endl
          << "    exit(ELIBACC);" << std::endl
          << "  }" << std::endl
          << std::endl
-         << "  if((libssl = dlopen(LIBSSL_SO, RTLD_NOW | RTLD_LOCAL)) == NULL) {" << std::endl
+         << "  if((libssl = ossl_dlopen(LIBSSL_SO)) == NULL) {" << std::endl
          << "    fprintf(stderr, \"dlopen(%s) : %s\\n\", LIBSSL_SO, dlerror());" << std::endl
          << "    exit(ELIBACC);" << std::endl
          << "  }" << std::endl
@@ -713,7 +714,7 @@ int main(int argc, const char **argv) {
           globflags |= GLOB_APPEND;
         }
         for (auto i = 0; i < globbuf.gl_pathc; i++) {
-          auto p = std::filesystem::proximate(globbuf.gl_pathv[i], srcpath);
+          auto p = std::filesystem::path(globbuf.gl_pathv[i]).lexically_relative(srcpath);
           opt::headers[p] = true;
         }
         globfree (&globbuf);
@@ -727,7 +728,7 @@ int main(int argc, const char **argv) {
           globflags |= GLOB_APPEND;
         }
         for (auto i = 0; i < globbuf.gl_pathc; i++) {
-          auto p = std::filesystem::proximate(globbuf.gl_pathv[i], srcpath);
+          auto p = std::filesystem::path(globbuf.gl_pathv[i]).lexically_relative(srcpath);
           opt::headers[p] = false;
         }
         globfree (&globbuf);
@@ -758,6 +759,8 @@ int main(int argc, const char **argv) {
             std::filesystem::remove(dsthdr);
           }
           std::filesystem::copy_file(srcpath / hdr, dsthdr);
+          std::filesystem::permissions(dsthdr, std::filesystem::perms::owner_write |
+                                               std::filesystem::perms::owner_read);
         }
       }
 

diff --git a/bssl-compat/source/ossl_dlfcn.c b/bssl-compat/source/ossl_dlfcn.c
@@ -0,0 +1,31 @@
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "ossl_dlfcn.h"
+
+
+void* ossl_dlopen(const char* name) {
+  void* handle = NULL;
+  const char* runfiles_dir = getenv("RUNFILES_DIR");
+
+  if (runfiles_dir) {
+    char fullpath[PATH_MAX];
+    snprintf(fullpath, sizeof(fullpath), "%s/%s/%s", runfiles_dir,
+             "envoy/external/openssl/openssl/lib64", name);
+    handle = dlopen(fullpath, RTLD_NOW | RTLD_LOCAL | RTLD_DEEPBIND);
+  }
+  else {
+    handle = dlopen(name, RTLD_NOW | RTLD_LOCAL | RTLD_DEEPBIND);
+  }
+
+  if(handle) {
+    char origin[PATH_MAX];
+    if (dlinfo(handle, RTLD_DI_ORIGIN, origin) == 0) {
+      fprintf(stderr, "bssl-compat: Loaded %s from %s\n", name, origin);
+    }
+  }
+
+  return handle;
+}
diff --git a/bssl-compat/source/ossl_dlfcn.h b/bssl-compat/source/ossl_dlfcn.h
@@ -0,0 +1,6 @@
+#ifndef OSSL_DLFCN_H
+#define OSSL_DLFCN_H
+
+void* ossl_dlopen(const char* name);
+
+#endif // OSSL_DLFCN_H