envoyproxy · lizan · Sep 27, 2021 · Mar 18, 2021 · Aug 24, 2021 · Aug 24, 2021
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -203,3 +203,4 @@ extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
 /contrib/mysql_proxy/ @rshriram @venilnoronha
 /contrib/postgres_proxy/ @fabriziomello @cpakulski @dio
 /contrib/sxg/ @cpapazian @rgs1 @alyssawilk
+/contrib/cryptomb/ @rojkov @ipuustin
diff --git a/api/BUILD b/api/BUILD
@@ -64,6 +64,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/network/mysql_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/rocketmq_proxy/v3:pkg",
+        "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
         "//envoy/admin/v3:pkg",
         "//envoy/config/accesslog/v3:pkg",
         "//envoy/config/bootstrap/v3:pkg",

diff --git a/api/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/BUILD b/api/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto b/api/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto
@@ -0,0 +1,44 @@
+syntax = "proto3";
+
+package envoy.extensions.private_key_providers.cryptomb.v3alpha;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.private_key_providers.cryptomb.v3alpha";
+option java_outer_classname = "CryptombProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: CryptoMb private key provider]
+// [#extension: envoy.tls.key_providers.cryptomb]
+
+// A CryptoMbPrivateKeyMethodConfig message specifies how the CryptoMb private
+// key provider is configured. The private key provider provides `SIMD`
+// processing for RSA sign and decrypt operations (ECDSA signing uses regular
+// BoringSSL functions). The provider works by gathering the operations into a
+// worker-thread specific queue, and processing the queue using `ipp-crypto`
+// library when the queue is full or when a timer expires.
+// [#extension-category: envoy.tls.key_providers]
+message CryptoMbPrivateKeyMethodConfig {
+  // Private key to use in the private key provider. If set to inline_bytes or
+  // inline_string, the value needs to be the private key in PEM format.
+  config.core.v3.DataSource private_key = 1 [(udpa.annotations.sensitive) = true];
+
+  // How long to wait until the per-thread processing queue should be
+  // processed. If the processing queue gets full (eight sign or decrypt
+  // requests are received) it is processed immediately. However, if the
+  // queue is not filled before the delay has expired, the requests
+  // already in the queue are processed, even if the queue is not full.
+  // In effect, this value controls the balance between latency and
+  // throughput. The duration needs to be set to a non-zero value.
+  google.protobuf.Duration poll_delay = 2 [(validate.rules).duration = {
+    required: true
+    gt {}
+  }];
+}
diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -16,6 +16,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/network/mysql_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/rocketmq_proxy/v3:pkg",
+        "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
         "//envoy/admin/v3:pkg",
         "//envoy/config/accesslog/v3:pkg",
         "//envoy/config/bootstrap/v3:pkg",

diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -190,6 +190,7 @@ def envoy_dependencies(skip_targets = []):
     _com_github_google_tcmalloc()
     _com_github_gperftools_gperftools()
     _com_github_grpc_grpc()
+    _com_github_intel_ipp_crypto_crypto_mb()
     _com_github_jbeder_yaml_cpp()
     _com_github_libevent_libevent()
     _com_github_luajit_luajit()
@@ -376,6 +377,12 @@ def _com_github_google_libsxg():
         actual = "@envoy//bazel/foreign_cc:libsxg",
     )
 
+def _com_github_intel_ipp_crypto_crypto_mb():
+    external_http_archive(
+        name = "com_github_intel_ipp_crypto_crypto_mb",
+        build_file_content = BUILD_ALL_CONTENT,
+    )
+
 def _com_github_jbeder_yaml_cpp():
     external_http_archive(
         name = "com_github_jbeder_yaml_cpp",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -260,6 +260,22 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         release_date = "2021-06-07",
         cpe = "cpe:2.3:a:grpc:grpc:*",
     ),
+    com_github_intel_ipp_crypto_crypto_mb = dict(
+        project_name = "libipp-crypto",
+        project_desc = "Intel® Integrated Performance Primitives Cryptography",
+        project_url = "https://github.com/intel/ipp-crypto",
+        # The required BoringSSL compatibility patches are present in the
+        # "development" branch, but not yet in the release branch. The target
+        # release for the patches is 2021.4.
+        version = "4048dac1617bf33ff85d37a4b8f68f21342263b7",
+        sha256 = "4316589a7c0afa5788b84b04510283dab0979bf6d3b0aa0e4ef0fe540675af5e",
+        strip_prefix = "ipp-crypto-{version}",
+        urls = ["https://github.com/intel/ipp-crypto/archive/{version}.tar.gz"],
+        release_date = "2021-07-07",
+        use_category = ["dataplane_ext"],
+        extensions = ["envoy.tls.key_providers.cryptomb"],
+        cpe = "N/A",
+    ),
     com_github_luajit_luajit = dict(
         project_name = "LuaJIT",
         project_desc = "Just-In-Time compiler for Lua",

diff --git a/contrib/all_contrib_extensions.bzl b/contrib/all_contrib_extensions.bzl
@@ -1,4 +1,14 @@
 load(":contrib_build_config.bzl", "CONTRIB_EXTENSIONS")
 
-def envoy_all_contrib_extensions():
-    return [v + "_envoy_extension" for v in CONTRIB_EXTENSIONS.values()]
+# linter requires indirection for @bazel_tools definitions
+def envoy_contrib_linux_x86_64_constraints():
+    return [
+        "@bazel_tools//platforms:linux",
+        "@bazel_tools//platforms:x86_64",
+    ]
+
+ARM64_SKIP_CONTRIB_TARGETS = ["envoy.tls.key_providers.cryptomb"]
+PPC_SKIP_CONTRIB_TARGETS = ["envoy.tls.key_providers.cryptomb"]
+
+def envoy_all_contrib_extensions(denylist = []):
+    return [v + "_envoy_extension" for k, v in CONTRIB_EXTENSIONS.items() if not k in denylist]
diff --git a/contrib/contrib_build_config.bzl b/contrib/contrib_build_config.bzl
@@ -16,4 +16,10 @@ CONTRIB_EXTENSIONS = {
     "envoy.filters.network.mysql_proxy":                        "//contrib/mysql_proxy/filters/network/source:config",
     "envoy.filters.network.postgres_proxy":                     "//contrib/postgres_proxy/filters/network/source:config",
     "envoy.filters.network.rocketmq_proxy":                     "//contrib/rocketmq_proxy/filters/network/source:config",
+
+    #
+    # Private key providers
+    #
+
+    "envoy.tls.key_providers.cryptomb":                         "//contrib/cryptomb/private_key_providers/source:config",
 }
diff --git a/contrib/cryptomb/private_key_providers/source/BUILD b/contrib/cryptomb/private_key_providers/source/BUILD
@@ -0,0 +1,113 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_contrib_extension",
+    "envoy_cc_library",
+    "envoy_cmake_external",
+    "envoy_contrib_package",
+)
+load(
+    "//contrib:all_contrib_extensions.bzl",
+    "envoy_contrib_linux_x86_64_constraints",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_contrib_package()
+
+envoy_cmake_external(
+    name = "ipp-crypto",
+    cache_entries = {
+        "BORINGSSL": "on",
+    },
+    defines = [
+        "OPENSSL_USE_STATIC_LIBS=TRUE",
+    ],
+    lib_source = "@com_github_intel_ipp_crypto_crypto_mb//:all",
+    static_libraries = ["libcrypto_mb.a"],
+    tags = ["skip_on_windows"],
+    target_compatible_with = envoy_contrib_linux_x86_64_constraints(),
+    visibility = ["//visibility:private"],
+    working_directory = "sources/ippcp/crypto_mb",
+    deps = ["@boringssl//:ssl"],
+)
+
+envoy_cc_library(
+    name = "ipp_crypto_wrapper_lib",
+    hdrs = ["ipp_crypto.h"] + select({
+        "//bazel:linux_x86_64": [
+            "ipp_crypto_impl.h",
+        ],
+        "//conditions:default": [
+        ],
+    }),
+    defines = select({
+        "//bazel:linux_x86_64": [],
+        "//conditions:default": [
+            "IPP_CRYPTO_DISABLED=1",
+        ],
+    }),
+    external_deps = ["ssl"],
+    repository = "@envoy",
+    deps = select({
+        "//bazel:linux_x86_64": [
+            ":ipp-crypto",
+        ],
+        "//conditions:default": [],
+    }),
+)
+
+envoy_cc_library(
+    name = "cryptomb_private_key_provider_lib",
+    srcs = [
+        "cryptomb_private_key_provider.cc",
+    ],
+    hdrs = [
+        "cryptomb_private_key_provider.h",
+    ],
+    external_deps = ["ssl"],
+    repository = "@envoy",
+    visibility = ["//visibility:public"],
+    deps = [
+        ":ipp_crypto_wrapper_lib",
+        "//envoy/api:api_interface",
+        "//envoy/event:dispatcher_interface",
+        "//envoy/registry",
+        "//envoy/server:transport_socket_config_interface",
+        "//envoy/singleton:manager_interface",
+        "//envoy/ssl/private_key:private_key_config_interface",
+        "//envoy/ssl/private_key:private_key_interface",
+        "//source/common/common:logger_lib",
+        "//source/common/common:thread_lib",
+        "//source/common/config:datasource_lib",
+        "@envoy_api//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_contrib_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    defines = select({
+        "//bazel:linux_x86_64": [],
+        "//conditions:default": [
+            "IPP_CRYPTO_DISABLED=1",
+        ],
+    }),
+    deps = [
+        "//envoy/registry",
+        "//envoy/ssl/private_key:private_key_config_interface",
+        "//envoy/ssl/private_key:private_key_interface",
+        "//source/common/common:logger_lib",
+        "//source/common/config:utility_lib",
+        "//source/common/protobuf:utility_lib",
+        "@envoy_api//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg_cc_proto",
+        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
+    ] + select({
+        "//bazel:linux_x86_64": [
+            ":cryptomb_private_key_provider_lib",
+            ":ipp_crypto_wrapper_lib",
+        ],
+        "//conditions:default": [
+        ],
+    }),
+)
diff --git a/contrib/cryptomb/private_key_providers/source/config.cc b/contrib/cryptomb/private_key_providers/source/config.cc
@@ -0,0 +1,57 @@
+#include "contrib/cryptomb/private_key_providers/source/config.h"
+
+#include <memory>
+
+#include "envoy/registry/registry.h"
+#include "envoy/server/transport_socket_config.h"
+
+#include "source/common/common/logger.h"
+#include "source/common/config/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/utility.h"
+
+#ifndef IPP_CRYPTO_DISABLED
+#include "contrib/cryptomb/private_key_providers/source/ipp_crypto_impl.h"
+#include "contrib/cryptomb/private_key_providers/source/cryptomb_private_key_provider.h"
+#endif
+
+#include "contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.pb.h"
+#include "contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.pb.validate.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace PrivateKeyMethodProvider {
+namespace CryptoMb {
+
+Ssl::PrivateKeyMethodProviderSharedPtr
+CryptoMbPrivateKeyMethodFactory::createPrivateKeyMethodProviderInstance(
+    const envoy::extensions::transport_sockets::tls::v3::PrivateKeyProvider& proto_config,
+    Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) {
+  ProtobufTypes::MessagePtr message =
+      std::make_unique<envoy::extensions::private_key_providers::cryptomb::v3alpha::
+                           CryptoMbPrivateKeyMethodConfig>();
+
+  Config::Utility::translateOpaqueConfig(proto_config.typed_config(),
+                                         ProtobufMessage::getNullValidationVisitor(), *message);
+  const envoy::extensions::private_key_providers::cryptomb::v3alpha::CryptoMbPrivateKeyMethodConfig
+      conf =
+          MessageUtil::downcastAndValidate<const envoy::extensions::private_key_providers::
+                                               cryptomb::v3alpha::CryptoMbPrivateKeyMethodConfig&>(
+              *message, private_key_provider_context.messageValidationVisitor());
+  Ssl::PrivateKeyMethodProviderSharedPtr provider = nullptr;
+#ifdef IPP_CRYPTO_DISABLED
+  throw EnvoyException("X86_64 architecture is required for cryptomb provider.");
+#else
+  IppCryptoSharedPtr ipp = std::make_shared<IppCryptoImpl>();
+  provider =
+      std::make_shared<CryptoMbPrivateKeyMethodProvider>(conf, private_key_provider_context, ipp);
+#endif
+  return provider;
+}
+
+REGISTER_FACTORY(CryptoMbPrivateKeyMethodFactory, Ssl::PrivateKeyMethodProviderInstanceFactory);
+
+} // namespace CryptoMb
+} // namespace PrivateKeyMethodProvider
+} // namespace Extensions
+} // namespace Envoy
diff --git a/contrib/cryptomb/private_key_providers/source/config.h b/contrib/cryptomb/private_key_providers/source/config.h
@@ -0,0 +1,25 @@
+#pragma once
+
+#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
+#include "envoy/ssl/private_key/private_key.h"
+#include "envoy/ssl/private_key/private_key_config.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace PrivateKeyMethodProvider {
+namespace CryptoMb {
+
+class CryptoMbPrivateKeyMethodFactory : public Ssl::PrivateKeyMethodProviderInstanceFactory,
+                                        public Logger::Loggable<Logger::Id::connection> {
+public:
+  // Ssl::PrivateKeyMethodProviderInstanceFactory
+  Ssl::PrivateKeyMethodProviderSharedPtr createPrivateKeyMethodProviderInstance(
+      const envoy::extensions::transport_sockets::tls::v3::PrivateKeyProvider& message,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) override;
+  std::string name() const override { return "cryptomb"; };
+};
+
+} // namespace CryptoMb
+} // namespace PrivateKeyMethodProvider
+} // namespace Extensions
+} // namespace Envoy