├── .gitignore ├── common ├── .commonfiles.sha ├── config │ ├── mdl.rb │ ├── .hadolint.yml │ ├── tslint.json │ ├── .yamllint.yml │ ├── .golangci-format.yml │ ├── sass-lint.yml │ └── license-lint.yml └── scripts │ ├── copyright-banner-go.txt │ ├── format_go.sh │ ├── lint_go.sh │ ├── lint_copyright_banner.sh │ ├── fix_copyright_banner.sh │ ├── check_clean_repo.sh │ ├── report_build_info.sh │ ├── run.sh │ └── gobuild.sh ├── fuzz ├── .gitignore ├── Cargo.toml └── fuzz_targets │ ├── baggage.rs │ └── protobuf.rs ├── Makefile.overrides.mk ├── vendor └── boringssl-fips │ ├── linux_arm64 │ ├── build │ │ ├── ssl │ │ │ └── libssl.a │ │ └── crypto │ │ │ └── libcrypto.a │ └── Dockerfile.v1 │ ├── linux_x86_64 │ ├── build │ │ ├── ssl │ │ │ └── libssl.a │ │ └── crypto │ │ │ └── libcrypto.a │ └── Dockerfile.v1 │ └── include │ └── openssl │ ├── is_boringssl.h │ ├── dtls1.h │ ├── safestack.h │ ├── buffer.h │ ├── srtp.h │ ├── asn1_mac.h │ ├── obj_mac.h │ ├── objects.h │ ├── opensslv.h │ ├── ossl_typ.h │ ├── pkcs12.h │ ├── e_os2.h │ ├── siphash.h │ ├── chacha.h │ ├── poly1305.h │ ├── blake2.h │ ├── opensslconf.h │ ├── hkdf.h │ ├── cmac.h │ ├── engine.h │ ├── rc4.h │ ├── pool.h │ ├── rand.h │ ├── blowfish.h │ ├── type_check.h │ ├── cast.h │ └── hrss.h ├── src ├── test_helpers │ ├── fake-jwt │ ├── mesh_config.yaml │ ├── helpers.rs │ └── ca.rs ├── tls │ ├── key.pem │ ├── cert-chain.pem │ ├── gen-certs.sh │ ├── root-cert.pem │ ├── cert.key │ ├── ca-key.pem │ └── cert.crt ├── proxy │ └── util.rs ├── lib.rs ├── tls.rs ├── xds.rs ├── xds │ └── types.rs ├── identity.rs ├── metrics │ ├── meta.rs │ └── xds.rs ├── main.rs ├── identity │ └── auth.rs ├── version.rs ├── stats.rs ├── readiness.rs ├── readiness │ └── server.rs ├── time.rs ├── signal.rs ├── metrics.rs └── telemetry.rs ├── proto ├── README.md ├── citadel.proto ├── google │ └── protobuf │ │ ├── empty.proto │ │ ├── struct.proto │ │ └── wrappers.proto ├── authorization.proto └── workload.proto ├── CONTRIBUTING.md ├── .cargo └── config.toml 
├── .devcontainer └── devcontainer.json ├── SUPPORT.md ├── deny.toml ├── .gitattributes ├── benches └── README.md ├── BUGS-AND-FEATURE-REQUESTS.md ├── examples └── localhost.yaml ├── Makefile.core.mk ├── ARCHITECTURE.md ├── scripts ├── release.sh ├── local.sh ├── tproxy.sh └── ztunnel-redirect.sh ├── tests └── README.md ├── Makefile ├── Cargo.toml ├── docker └── remote-env │ └── Dockerfile ├── LOCAL.md └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | out/ 2 | var/ 3 | .idea/ 4 | .vscode/ 5 | -------------------------------------------------------------------------------- /common/.commonfiles.sha: -------------------------------------------------------------------------------- 1 | 8ea4a747e9c010ca9eb7969749ee0b0bf528ecf0 2 | -------------------------------------------------------------------------------- /fuzz/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | corpus 3 | artifacts 4 | coverage 5 | -------------------------------------------------------------------------------- /Makefile.overrides.mk: -------------------------------------------------------------------------------- 1 | # Use the build container by default 2 | BUILD_WITH_CONTAINER ?= 1 3 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_arm64/build/ssl/libssl.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sync/ztunnel/master/vendor/boringssl-fips/linux_arm64/build/ssl/libssl.a -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_x86_64/build/ssl/libssl.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sync/ztunnel/master/vendor/boringssl-fips/linux_x86_64/build/ssl/libssl.a 
-------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_arm64/build/crypto/libcrypto.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sync/ztunnel/master/vendor/boringssl-fips/linux_arm64/build/crypto/libcrypto.a -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_x86_64/build/crypto/libcrypto.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sync/ztunnel/master/vendor/boringssl-fips/linux_x86_64/build/crypto/libcrypto.a -------------------------------------------------------------------------------- /src/test_helpers/fake-jwt: -------------------------------------------------------------------------------- 1 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c -------------------------------------------------------------------------------- /proto/README.md: -------------------------------------------------------------------------------- 1 | # proto 2 | 3 | The `.proto` files in this directory are manually copies from their original repos 4 | and may be edited by hand to remove fields that the zTunnel doesn't need. 5 | -------------------------------------------------------------------------------- /src/test_helpers/mesh_config.yaml: -------------------------------------------------------------------------------- 1 | defaultConfig: 2 | statusPort: 15888 3 | proxyAdminPort: 15099 4 | proxyMetadata: 5 | ISTIO_META_FOO: "foo" 6 | ISTIO_META_FOOBAR: "foobar" 7 | 8 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contribution guidelines 2 | 3 | So you want to hack on Istio? Yay! 
Please refer to Istio's overall 4 | [contribution guidelines](https://github.com/istio/community/blob/master/CONTRIBUTING.md) 5 | to find out how you can help. 6 | -------------------------------------------------------------------------------- /src/tls/key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PRIVATE KEY----- 2 | MHcCAQEEIBZXoOt+cw8pQf7FLzx30tNGMddRfJB52OPIeKFqWKAcoAoGCCqGSM49 3 | AwEHoUQDQgAEWq9gZiGAILyZjq0qQnhUO/ST8vHMOPsxBPH6q+e5P7pjKeY12RBg 4 | aXnQSGPqn5iT1xIq2vRPdnUppHyuQCjFsQ== 5 | -----END EC PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | target-dir = "out/rust" 3 | [env] 4 | BORING_BSSL_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } 5 | BORING_BSSL_INCLUDE_PATH = { value = "vendor/boringssl-fips/include/", force = true, relative = true } 6 | -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ztunnel build-tools", 3 | "dockerFile": "../docker/remote-env/Dockerfile", 4 | "privileged": true, 5 | // "remoteUser": "gitpod", 6 | "runArgs": [ "-v","/var/run/docker.sock:/var/run/docker.sock" ], 7 | "onCreateCommand": "cargo build" 8 | } 9 | -------------------------------------------------------------------------------- /common/config/mdl.rb: -------------------------------------------------------------------------------- 1 | all 2 | rule 'MD002', :level => 1 3 | rule 'MD007', :indent => 4 4 | rule 'MD013', :line_length => 160, :code_blocks => false, :tables => false 5 | rule 'MD026', :punctuation => ".,;:!" 
6 | exclude_rule 'MD013' 7 | exclude_rule 'MD014' 8 | exclude_rule 'MD030' 9 | exclude_rule 'MD032' 10 | exclude_rule 'MD033' 11 | exclude_rule 'MD041' 12 | exclude_rule 'MD046' 13 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | Here are some resources to help you understand and use Istio: 4 | 5 | - For in-depth information about how to use Istio, visit [istio.io](https://istio.io) 6 | - To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io) 7 | - To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) 8 | -------------------------------------------------------------------------------- /deny.toml: -------------------------------------------------------------------------------- 1 | [licenses] 2 | allow = ["Apache-2.0", 3 | "CC-BY-3.0", 4 | "ISC", 5 | "AFL-2.1", 6 | "AFL-3.0", 7 | "Artistic-1.0", 8 | "Artistic-2.0", 9 | "Apache-1.1", 10 | "BSD-1-Clause", 11 | "BSD-2-Clause", 12 | "BSD-3-Clause", 13 | "0BSD", 14 | "FTL", 15 | "LPL-1.02", 16 | "MS-PL", 17 | "MIT", 18 | "NCSA", 19 | "OpenSSL", 20 | "PHP-3.0", 21 | "TCP-wrappers", 22 | "W3C", 23 | "Xnet", 24 | "Zlib", 25 | "Unicode-DFS-2016"] 26 | unused-allowed-license = "allow" 27 | copyleft = "deny" -------------------------------------------------------------------------------- /common/config/.hadolint.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. 
Then come back to this repo and run 6 | # "make update-common". 7 | 8 | ignored: 9 | - DL3008 10 | - DL3059 11 | 12 | trustedRegistries: 13 | - gcr.io 14 | - docker.io 15 | - quay.io 16 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.descriptor linguist-generated=true 2 | *.descriptor -diff -merge 3 | *.descriptor_set linguist-generated=true 4 | *.descriptor_set -diff -merge 5 | *.pb.html linguist-generated=true 6 | *.pb.go linguist-generated=true 7 | *.gen.go linguist-generated=true 8 | *.gen.yaml linguist-generated=true 9 | *.gen.json linguist-generated=true 10 | *_pb2.py linguist-generated=true 11 | go.sum merge=union 12 | vendor/** linguist-vendored 13 | common/** linguist-vendored 14 | archive/** linquist-vendored 15 | **/vmlinux.h linquist-vendored 16 | -------------------------------------------------------------------------------- /benches/README.md: -------------------------------------------------------------------------------- 1 | # Benchmarks 2 | 3 | This folder provides Rust benchmarks. 4 | 5 | ## Running 6 | 7 | ```shell 8 | $ cargo bench # Just run benchmarks 9 | $ cargo bench -- --quick # Just run benchmarks, with less samples 10 | $ cargo bench -- --profile-time 10s # run benchmarks with cpu profile; results will be in out/rust/criterion///profile/profile.pb 11 | $ # Compare to a baseline 12 | $ cargo bench -- --save-baseline # save baseline 13 | $ # ...change something... 
14 | $ cargo bench -- --baseline # compare against it 15 | ``` 16 | -------------------------------------------------------------------------------- /BUGS-AND-FEATURE-REQUESTS.md: -------------------------------------------------------------------------------- 1 | # Bugs and Feature Requests 2 | 3 | You can report bugs and feature requests to the Istio team in one of three places: 4 | 5 | - [Product Bugs and Feature Requests](https://github.com/istio/istio/issues) 6 | - [Documentation Bugs and Feature Requests](https://github.com/istio/istio.io/issues) 7 | - [Community and Governance Issues](https://github.com/istio/community/issues) 8 | 9 | For security vulnerabilities, please don't report a bug (which is public) and instead follow 10 | [these procedures](https://istio.io/about/security-vulnerabilities/). 11 | -------------------------------------------------------------------------------- /common/scripts/copyright-banner-go.txt: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | -------------------------------------------------------------------------------- /fuzz/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ztunnel-fuzz" 3 | version = "0.0.0" 4 | publish = false 5 | edition = "2021" 6 | 7 | [package.metadata] 8 | cargo-fuzz = true 9 | 10 | [dependencies] 11 | hyper = "0.14.18" 12 | libfuzzer-sys = "0.4" 13 | prost = "0.11" 14 | anyhow = "1.0.65" 15 | 16 | [dependencies.ztunnel] 17 | path = ".." 18 | 19 | # Prevent this from interfering with workspaces 20 | [workspace] 21 | members = ["."] 22 | 23 | [profile.release] 24 | debug = 1 25 | 26 | [[bin]] 27 | name = "protobuf" 28 | path = "fuzz_targets/protobuf.rs" 29 | test = false 30 | doc = false 31 | 32 | [[bin]] 33 | name = "baggage" 34 | path = "fuzz_targets/baggage.rs" 35 | test = false 36 | doc = false 37 | -------------------------------------------------------------------------------- /common/config/tslint.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultSeverity": "error", 3 | "extends": [ 4 | "tslint:recommended" 5 | ], 6 | "rules": { 7 | "max-line-length": { 8 | "options": [160] 9 | }, 10 | "arrow-parens": false, 11 | "new-parens": true, 12 | "no-arg": true, 13 | "no-bitwise": true, 14 | "no-conditional-assignment": true, 15 | "no-consecutive-blank-lines": true, 16 | "no-console": { 17 | "severity": "warning", 18 | "options": ["debug", "info", "log", "time", "timeEnd", "trace"] 19 | }, 20 | "no-shadowed-variable": false, 21 | "eofline": false 22 | }, 23 | "jsRules": {}, 24 | "rulesDirectory": [] 25 | } -------------------------------------------------------------------------------- /examples/localhost.yaml: -------------------------------------------------------------------------------- 1 | # This shows an example local config for ztunnel that adds a workload for localhost. 
2 | # This allows local testing by sending requests through the local ztunnel to other servers running on localhost. 3 | workloads: 4 | - name: local 5 | namespace: default 6 | serviceAccount: default 7 | workloadIp: "127.0.0.1" 8 | protocol: HBONE 9 | node: local 10 | vips: 11 | "127.10.0.1": 12 | 80: 8080 13 | # Define another local address, but this one uses TCP. This allows testing HBONE and TCP with one config. 14 | - name: local-tcp 15 | namespace: default 16 | serviceAccount: default 17 | workloadIp: "127.0.0.2" 18 | protocol: TCP 19 | node: local 20 | vips: 21 | "127.10.0.1": 22 | 80: 8080 23 | policies: 24 | - action: Allow 25 | groups: 26 | - - - not_destination_ports: 27 | - 9999 28 | name: deny-9999 29 | namespace: default 30 | scope: Namespace 31 | -------------------------------------------------------------------------------- /src/proxy/util.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::io::{Error, ErrorKind}; 16 | 17 | pub fn is_runtime_shutdown(e: &Error) -> bool { 18 | if e.kind() == ErrorKind::Other 19 | && e.to_string() == "A Tokio 1.x context was found, but it is being shutdown." 
20 | { 21 | return true; 22 | } 23 | false 24 | } 25 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/is_boringssl.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2017, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | // This header is provided in order to catch include path errors in consuming 16 | // BoringSSL. 17 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/dtls1.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/safestack.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/buffer.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 
2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "buf.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/srtp.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "ssl.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/asn1_mac.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2016, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "asn1.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/obj_mac.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2016, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "nid.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/objects.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "obj.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/opensslv.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 
2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "crypto.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/ossl_typ.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "base.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/pkcs12.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "pkcs8.h" 19 | -------------------------------------------------------------------------------- /common/config/.yamllint.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 
7 | 8 | rules: 9 | braces: disable 10 | brackets: disable 11 | colons: enable 12 | commas: disable 13 | comments: disable 14 | comments-indentation: disable 15 | document-end: disable 16 | document-start: disable 17 | empty-lines: disable 18 | empty-values: disable 19 | hyphens: enable 20 | indentation: disable 21 | key-duplicates: enable 22 | key-ordering: disable 23 | line-length: disable 24 | new-line-at-end-of-file: disable 25 | new-lines: enable 26 | octal-values: disable 27 | quoted-strings: disable 28 | trailing-spaces: disable 29 | truthy: disable 30 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/e_os2.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2018, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. 
*/ 17 | 18 | #include 19 | -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | pub mod admin; 16 | pub mod app; 17 | pub mod baggage; 18 | pub mod config; 19 | pub mod identity; 20 | pub mod metrics; 21 | pub mod proxy; 22 | pub mod rbac; 23 | pub mod readiness; 24 | pub mod signal; 25 | pub mod socket; 26 | pub mod stats; 27 | pub mod telemetry; 28 | pub mod time; 29 | pub mod tls; 30 | pub mod version; 31 | pub mod workload; 32 | pub mod xds; 33 | 34 | pub mod hyper_util; 35 | pub mod test_helpers; 36 | -------------------------------------------------------------------------------- /src/tls/cert-chain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICvTCCAaWgAwIBAgIUQ2FU8Z3dYVdDRuETtIWfUiNXnGwwDQYJKoZIhvcNAQEL 3 | BQAwGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDAgFw0yMzAzMTExODMxMjhaGA8y 4 | Mjk2MTIyNDE4MzEyOFowLDEqMCgGA1UEAwwhZGVmYXVsdC5kZWZhdWx0LnN2Yy5j 5 | bHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWq9gZiGAILyZ 6 | jq0qQnhUO/ST8vHMOPsxBPH6q+e5P7pjKeY12RBgaXnQSGPqn5iT1xIq2vRPdnUp 7 | pHyuQCjFsaOBszCBsDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAU 8 | BggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0RBDAwLoYsc3BpZmZlOi8vY2x1c3Rl 9 | 
ci5sb2NhbC9ucy9kZWZhdWx0L3NhL2RlZmF1bHQwHQYDVR0OBBYEFGOxzRi20djB 10 | yZNgb0vllmQM+d1tMB8GA1UdIwQYMBaAFD8k4f1arkuwR+URhKAe2ITZKZ7VMA0G 11 | CSqGSIb3DQEBCwUAA4IBAQCDlg2/9dLTcLGMZ3SgL0gE2ZYkO/qp2vl6Q7Zzp4e7 12 | cIozTKVpgTplyYd55CV+4qOupQrr/Od2aemvGDxvPQbsmdF2SkUaR1/vxPZL/NB9 13 | wzisiOaNW2vVhNmZOMC5XRYhU/yv2dP54A3VYTuQ1N2f+jktRyIcLeZ2EFlQsTvS 14 | n9HA547pz2szOhMb2kTxu0cXTPZK0tkvZ/6TG0vZ3pb2kur1AdxDa05cocQc8WH5 15 | tBJ2G6dV7GSDk/epg/Ped7t8HBPjKKodhN4Nj2E32DVFurhdnOZSXha2l2ctbFqS 16 | DFl5F8PfO7f6532uWdyJW6Awj0BFp79g/gz0/fQw8P0H 17 | -----END CERTIFICATE----- 18 | -------------------------------------------------------------------------------- /src/tls/gen-certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Specifically using RSA as this makes the signing deterministic, which is 4 | # useful for tests. 5 | openssl genrsa -f4 -out ca-key.pem 6 | openssl req -x509 -new -nodes -key "ca-key.pem" -days 100000 -out "root-cert.pem" -subj "/O=cluster.local" 7 | 8 | openssl ecparam -name prime256v1 -genkey -noout -out key.pem 9 | cat > "client.conf" < anyhow::Result<()> { 27 | let mut hm = HeaderMap::new(); 28 | hm.append(BAGGAGE_HEADER, HeaderValue::from_bytes(data)?); 29 | parse_baggage_header(hm.get_all(BAGGAGE_HEADER))?; 30 | Ok(()) 31 | } 32 | -------------------------------------------------------------------------------- /src/tls.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | pub mod boring; 16 | 17 | use std::sync::Arc; 18 | 19 | pub use crate::tls::boring::*; 20 | use ::boring::error::ErrorStack; 21 | use hyper::http::uri::InvalidUri; 22 | 23 | #[derive(thiserror::Error, Debug, Clone)] 24 | pub enum Error { 25 | #[error("invalid operation: {0:?}")] 26 | SslError(#[from] ErrorStack), 27 | 28 | #[error("invalid root certificate: {0}")] 29 | InvalidRootCert(ErrorStack), 30 | 31 | #[error("invalid uri: {0}")] 32 | InvalidUri(#[from] Arc), 33 | } 34 | 35 | impl From for Error { 36 | fn from(err: InvalidUri) -> Self { 37 | Error::InvalidUri(Arc::new(err)) 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /common/scripts/lint_go.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 
14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | if [[ "${ARTIFACTS}" != "" ]]; then 25 | golangci-lint run -v -c ./common/config/.golangci.yml --out-format colored-line-number,junit-xml:"${ARTIFACTS}"/junit-lint.xml 26 | else 27 | golangci-lint run -v -c ./common/config/.golangci.yml 28 | fi 29 | -------------------------------------------------------------------------------- /fuzz/fuzz_targets/protobuf.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | #![no_main] 16 | 17 | use libfuzzer_sys::fuzz_target; 18 | use ztunnel::xds::istio::workload::Workload as XdsWorkload; 19 | use ztunnel::xds::istio::security::Authorization as XdsAuthorization; 20 | use prost::Message; 21 | use ztunnel::workload::Workload; 22 | use ztunnel::rbac::Authorization; 23 | 24 | fuzz_target!(|data: &[u8]| { 25 | let _ = run_workload(data); 26 | let _ = run_rbac(data); 27 | }); 28 | 29 | fn run_workload(data: &[u8]) -> anyhow::Result<()> { 30 | Workload::try_from(&XdsWorkload::decode(data)?)?; 31 | Ok(()) 32 | } 33 | 34 | fn run_rbac(data: &[u8]) -> anyhow::Result<()> { 35 | Authorization::try_from(&XdsAuthorization::decode(data)?)?; 36 | Ok(()) 37 | } 38 | -------------------------------------------------------------------------------- /src/xds.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | mod client; 16 | 17 | pub use client::*; 18 | use tokio::sync::mpsc; 19 | mod types; 20 | use self::service::discovery::v3::DeltaDiscoveryRequest; 21 | pub use types::*; 22 | 23 | #[derive(thiserror::Error, Debug)] 24 | pub enum Error { 25 | #[error("gRPC error ({}): {}", .0.code(), .0.message())] 26 | GrpcStatus(#[from] tonic::Status), 27 | #[error("gRPC connection error ({}): {}", .0.code(), .0.message())] 28 | Connection(#[source] tonic::Status), 29 | /// Attempted to send on a MPSC channel which has been canceled 30 | #[error(transparent)] 31 | RequestFailure(#[from] Box>), 32 | #[error("failed to send on demand resource")] 33 | OnDemandSend(), 34 | } 35 | -------------------------------------------------------------------------------- /common/scripts/lint_copyright_banner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | set -e 25 | 26 | ec=0 27 | for fn in "$@"; do 28 | if ! 
grep -L -q -e "Apache License, Version 2" "${fn}"; then 29 | echo "Missing license: ${fn}" 30 | ec=1 31 | fi 32 | 33 | if ! grep -L -q -e "Copyright" "${fn}"; then 34 | echo "Missing copyright: ${fn}" 35 | ec=1 36 | fi 37 | done 38 | 39 | exit $ec 40 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/siphash.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2019, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_SIPHASH_H 16 | #define OPENSSL_HEADER_SIPHASH_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // SipHash is a fast, secure PRF that is often used for hash tables. 26 | 27 | 28 | // SIPHASH_24 implements SipHash-2-4. 
See https://131002.net/siphash/siphash.pdf 29 | OPENSSL_EXPORT uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input, 30 | size_t input_len); 31 | 32 | 33 | #if defined(__cplusplus) 34 | } // extern C 35 | #endif 36 | 37 | #endif // OPENSSL_HEADER_SIPHASH_H 38 | -------------------------------------------------------------------------------- /Makefile.core.mk: -------------------------------------------------------------------------------- 1 | include common/Makefile.common.mk 2 | 3 | test: 4 | RUST_BACKTRACE=1 cargo test --benches --tests --bins 5 | 6 | test-root: export CARGO_TARGET_$(shell rustc -vV | sed -n 's|host: ||p' | tr [:lower:] [:upper:]| tr - _)_RUNNER = sudo -E 7 | test-root: 8 | RUST_BACKTRACE=1 cargo test --benches --tests --bins 9 | 10 | build: 11 | cargo build 12 | 13 | # Test that all important features build 14 | check-features: 15 | cargo check --features console 16 | (cd fuzz; cargo check) 17 | 18 | # target in common/Makefile.common.mk doesn't handle our third party vendored files; only check golang and rust codes 19 | lint-copyright: 20 | @${FINDFILES} \( -name '*.go' -o -name '*.rs' \) \( ! 
\( -name '*.gen.go' -o -name '*.pb.go' -o -name '*_pb2.py' \) \) -print0 |\ 21 | ${XARGS} common/scripts/lint_copyright_banner.sh 22 | 23 | lint: lint-scripts lint-yaml lint-markdown lint-licenses lint-copyright 24 | cargo clippy --benches --tests --bins 25 | 26 | check: 27 | cargo check 28 | 29 | cve-check: 30 | cargo deny check advisories 31 | 32 | license-check: 33 | cargo deny check licenses 34 | 35 | fix: fix-copyright-banner 36 | cargo clippy --fix --allow-staged --allow-dirty 37 | cargo fmt 38 | 39 | format: 40 | cargo fmt 41 | 42 | release: 43 | ./scripts/release.sh 44 | 45 | gen: format 46 | 47 | gen-check: gen check-clean-repo 48 | 49 | presubmit: export RUSTFLAGS = -D warnings 50 | presubmit: check-features test lint gen-check 51 | 52 | clean: 53 | cargo clean 54 | -------------------------------------------------------------------------------- /ARCHITECTURE.md: -------------------------------------------------------------------------------- 1 | # Architecture 2 | 3 | ## Threading/Runtimes 4 | 5 | Ztunnel runs two distinct async runtimes: 6 | * The "main" thread runs a single-threaded Tokio runtime for admin purposes, such as debug interfaces and XDS. This is isolated to avoid impacting the data plane. 7 | * The "worker" thread(s) run a multi-threaded Tokio runtime to handle user requests. This defaults to 2 threads, but is configurable. 8 | 9 | ## Ports 10 | 11 | Ztunnel runs with the following ports: 12 | 13 | | Port | Purpose | 14 | |-------|---------------------------------------| 15 | | 15001 | Pod outbound traffic capture | 16 | | 15006 | Pod inbound plaintext traffic capture | 17 | | 15008 | Pod inbound HBONE traffic capture | 18 | | 15080 | Pod outbound `socks5` traffic | 19 | | 15021 | Readiness | 20 | | 15000 | Admin (Admin thread) (Localhost) | 21 | | 15020 | Metrics (Admin thread) | 22 | 23 | The three admin ports (Readiness, Admin, and Metrics) are intentionally split.
24 | 25 | * The readiness port ought to run on the "main" thread to ensure we are actually checking the path the data plane handles 26 | * The admin port must be only on localhost, and it should be on the admin thread for isolation 27 | * The metrics port should be on the admin thread for isolation. 28 | This *could* be on the readiness port, but historically we found that the stats query can be very expensive and lead to tail latencies in the data plane. 29 | -------------------------------------------------------------------------------- /scripts/release.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Istio Authors 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License.
16 | 17 | set -ex 18 | 19 | WD=$(dirname "$0") 20 | WD=$(cd "$WD" || exit; pwd) 21 | 22 | case $(uname -m) in 23 | x86_64) 24 | export ARCH=amd64;; 25 | aarch64) 26 | export ARCH=arm64 27 | # TODO(https://github.com/istio/ztunnel/issues/357) clean up this hack 28 | sed -i 's/x86_64/arm64/g' .cargo/config.toml 29 | ;; 30 | *) echo "unsupported architecture"; exit 1 ;; 31 | esac 32 | 33 | cargo build --release 34 | 35 | SHA="$(git rev-parse --verify HEAD)" 36 | RELEASE_NAME="ztunnel-${SHA}-${ARCH}" 37 | ls -lh "${WD}/../out/rust/release/ztunnel" 38 | DEST="${DEST:-gs://istio-build/ztunnel}" 39 | if [[ "$CI" == "" && "$DEST" == "gs://istio-build/ztunnel" ]]; then 40 | echo "Outside of CI, DEST must be explicitly set" 41 | exit 1 42 | fi 43 | gsutil cp "${WD}/../out/rust/release/ztunnel" "${DEST}/${RELEASE_NAME}" 44 | -------------------------------------------------------------------------------- /src/xds/types.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | // We don't control the codegen, so disable any code warnings in the 16 | // proto modules. 
17 | #[allow(warnings)] 18 | #[allow(clippy::derive_partial_eq_without_eq)] 19 | pub mod service { 20 | pub mod discovery { 21 | pub mod v3 { 22 | tonic::include_proto!("envoy.service.discovery.v3"); 23 | } 24 | } 25 | } 26 | 27 | #[allow(warnings)] 28 | #[warn(clippy::derive_partial_eq_without_eq)] 29 | pub mod istio { 30 | pub mod workload { 31 | tonic::include_proto!("istio.workload"); 32 | } 33 | pub mod security { 34 | tonic::include_proto!("istio.security"); 35 | } 36 | pub mod ca { 37 | tonic::include_proto!("istio.v1.auth"); 38 | } 39 | } 40 | 41 | pub const WORKLOAD_TYPE: &str = "type.googleapis.com/istio.workload.Workload"; 42 | pub const AUTHORIZATION_TYPE: &str = "type.googleapis.com/istio.security.Authorization"; 43 | -------------------------------------------------------------------------------- /common/scripts/fix_copyright_banner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 
23 | 24 | set -e 25 | 26 | WD=$(dirname "$0") 27 | WD=$(cd "$WD"; pwd) 28 | 29 | for fn in "$@"; do 30 | if ! grep -L -q -e "Apache License, Version 2" -e "Copyright" "${fn}"; then 31 | if [[ "${fn}" == *.go || "${fn}" == *.rs ]]; then 32 | newfile=$(cat "${WD}/copyright-banner-go.txt" "${fn}") 33 | echo "${newfile}" > "${fn}" 34 | echo "Fixing license: ${fn}" 35 | else 36 | echo "Cannot fix license: ${fn}. Unknown file type" 37 | fi 38 | fi 39 | done 40 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/chacha.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_CHACHA_H 16 | #define OPENSSL_HEADER_CHACHA_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | // ChaCha20. 25 | // 26 | // ChaCha20 is a stream cipher. See https://tools.ietf.org/html/rfc8439. 27 | 28 | 29 | // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and 30 | // nonce and writes the result to |out|. If |in| and |out| alias, they must be 31 | // equal. 
The initial block counter is specified by |counter|. 32 | OPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, 33 | size_t in_len, const uint8_t key[32], 34 | const uint8_t nonce[12], uint32_t counter); 35 | 36 | 37 | #if defined(__cplusplus) 38 | } // extern C 39 | #endif 40 | 41 | #endif // OPENSSL_HEADER_CHACHA_H 42 | -------------------------------------------------------------------------------- /src/identity.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | use crate::tls; 16 | use std::str::Utf8Error; 17 | 18 | mod caclient; 19 | pub use caclient::*; 20 | 21 | mod manager; 22 | pub use manager::*; 23 | 24 | mod auth; 25 | pub use auth::*; 26 | 27 | pub mod mock { 28 | pub use super::caclient::mock::CaClient; 29 | pub use super::manager::mock::{ 30 | new_secret_manager, new_secret_manager_cfg, Config as SecretManagerConfig, 31 | }; 32 | } 33 | 34 | #[derive(thiserror::Error, Debug, Clone)] 35 | pub enum Error { 36 | #[error("failed to create CSR: {0}")] 37 | Signing(#[from] tls::Error), 38 | #[error("signing gRPC error ({}): {}", .0.code(), .0.message())] 39 | SigningRequest(#[from] tonic::Status), 40 | #[error("failed to process string: {0}")] 41 | Utf8(#[from] Utf8Error), 42 | #[error("did not find expected SAN: {0}")] 43 | SanError(Identity), 44 | #[error("chain returned from CA is empty for: {0}")] 45 | EmptyResponse(Identity), 46 | #[error("invalid spiffe identity: {0}")] 47 | Spiffe(String), 48 | #[error("the identity is no longer needed")] 49 | Forgotten, 50 | } 51 | -------------------------------------------------------------------------------- /src/metrics/meta.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | use prometheus_client::encoding::EncodeLabelSet; 16 | use prometheus_client::metrics::family::Family; 17 | use prometheus_client::metrics::gauge::Gauge; 18 | use prometheus_client::registry::Registry; 19 | 20 | use crate::version; 21 | 22 | pub(super) struct Metrics {} 23 | 24 | #[derive(Clone, Hash, Debug, PartialEq, Eq, EncodeLabelSet)] 25 | pub struct IstioBuildLabel { 26 | component: String, 27 | tag: String, 28 | } 29 | 30 | impl Metrics { 31 | pub fn new(registry: &mut Registry) -> Self { 32 | let build_gauge: Family = Default::default(); 33 | registry.register("build", "Istio component build info", build_gauge.clone()); 34 | 35 | let tag = version::BuildInfo::new().istio_version; 36 | // Note: tag refers to the "Istio version", not the ztunnels own tag (which is an implementation detail to Istio). 37 | build_gauge 38 | .get_or_create(&IstioBuildLabel { 39 | component: "ztunnel".to_string(), 40 | tag, 41 | }) 42 | .set(1); 43 | 44 | Self {} 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/tls/cert.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAzfLnFU/WpgOzLgNIQbt5eFAQYv9dRtc5HWRMRdMCECT9ajRh 3 | yWjDFFC4jJ5eksz6dE3bPTEO22QxGkjSbpBvW8rjde0+QGJ5Wb+0FJTKKz6IFXoo 4 | E6HDuKiegCXKrq06TAvZXeyIwrku+Sl54LuUk8lqZpE3X0slydZLbXhty6uWrqDr 5 | 6jBAZvgFLhJOp+JGQhyLDswdM3m9ZBw2ZY1PcwTX0o1AYotc+QkYmg2Wrg/3yki4 6 | 7nyTSajDzERKmasnXM60y1RQOJxdXrubwFXbGSftgsN6F8DIqyowmOx1YHctSWT+ 7 | QWJr2f8DAXP7eYxI9Z7g6dFAZ23BQy5qeSd9JQIDAQABAoIBAQDLs7PpGnze284A 8 | dvKjQYFWBSsQIDDsfrhZX/kpHxptSYj14TXPdzVtBKJlQ8ebP++B1fhBwCJH0gPX 9 | UawB/A6JJlZxL+Vg3YXVxY2ixcBpoYIMbDTzpg7muLF9YuPkfiapTRcElY53u57A 10 | h8urAx5kRtZc+MliEfwgdTtJ3dILnbXxGanKfi+nz9P5YuLkKzqIolbqu9ZxlJFD 11 | /V4DKITA0IootE0OhCKP0GfeA6L9z3tH2OuEn/LXl2S8FbbFCeY4ji8FQBr2icSB 12 | pXdee0gYIrvrU8G0eoE0ZV9bAGXkRhA3057HF9RqlAqhRc012s4ojbl/q4uINdWp 13 | 
R+UiUecJAoGBAP4Pzo+NwS054kOgSYu+NMSi63j2OJD9aeHYJT6QwVYZurTMChxx 14 | x283Da4qsCBGI37YjU5Ygd6DYc0T57GXfeka8tZQb5+v/ZvV1oIY+pVN5cp0xben 15 | Ttm0qskF2H57TmPcH5atWkW7b5CjrSo7DYFtd6jKzzoAJ9uPH4DCM5ufAoGBAM+F 16 | IRkSmzAPpiyPA1P7OlWy0vQLsNrFwZ59HOmovpQTgDLVW5Xbq+etEiAXmSvuxBU0 17 | OKiHMgGK2Pmg/vsM3mUVskrx+bDk+6GGM52feqa8N1rtxDTjamI5EHx29896jX/U 18 | HGSW+8YYVZ/jbSSneY71AO1E2INsNEi1Ei5qWTC7AoGABOdnNEwnK2lPncCNSt48 19 | BIOkiewuwVWy4oIaje+bW78ZZH3/v/bOQ65LXE5EogrYio1BhP6eWx4sGBpHQZ1L 20 | 9+DmSQ66aNmryoNBJbe3toQPaG4Clv3qvrcHCORM/nwA0lqgXXcxI+FvUNpn8EW9 21 | h/8F7UMk5tiz7EAB+qlE978CgYAJBj8UOgzpoCSX13hLlKdKxsYJuuBsAyGSZNp3 22 | BtGS2u4+R6z97Vmib5JUNvKASJfaXDUCjy6LhqA86tVr0XlyZ+ki/TbgjHSs54sj 23 | FaZdzd2SZLidnC4qK1UeNIY+TZQNtQmvDinQyYofs+IxL99HajwqFU5dGL2FU+qA 24 | fjt2tQKBgQDrnpSRmAhhGcazmNVnzF8PVJGPwY4clGKB2jo6ru57tL0QRc/N+5pJ 25 | 8boLB7CqRpC0mHpijJLKkLoJ0oVoC9jsn3e8tfVuVqbO3AfwdB+nkABQVHRxRRGt 26 | AlUeHXbjlY7OpemfK3smhLGBoOZKJVL7cKwyJc5MTPjcUgMwlwbW5w== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /tests/README.md: -------------------------------------------------------------------------------- 1 | # Integration tests 2 | 3 | This folder contains integration tests for ztunnel. 4 | 5 | ## Direct tests 6 | 7 | These are tests in `direct.rs`, which simply run a ztunnel in process and make assertions. 8 | This is the preferred option for most tests, if possible. 9 | 10 | Helpers are available to use a fake CA and local XDS config, to avoid reliance on components outside of `ztunnel`. 11 | 12 | For more advanced testing, see [Namespaced](#namespaced). 13 | 14 | ## Namespaced 15 | 16 | Many scenarios in ztunnel are reliant on being deployed in an environment with redirection in place. 17 | In order to support these, the tests in `namespaced.rs` come with a framework to run components in different network namespaces. 18 | This simulates a single node in Kubernetes. 
19 | 20 | Tests can run "workloads" in a namespace, such as: 21 | 22 | ```rust 23 | manager 24 | .workload_builder("client") 25 | .on_local_node() 26 | .register()? 27 | .run(|| { ... commands run here are in a network namespace ...}) 28 | ``` 29 | 30 | For more information, see the docs under `WorkloadManager`. 31 | 32 | Running these tests requires root. To run tests under sudo, `make test-root` can be used. 33 | When not running as root, the tests are skipped. 34 | Warning: Rust doesn't allow reporting that a test was skipped, so it just appears to pass; in CI we enforce that it always runs as root to avoid missing tests. 35 | 36 | If namespaces get into a broken state, they can be cleaned up with: 37 | 38 | ```shell 39 | ip -j netns ls | jq -r '.[].name' | grep '^test_' | xargs -n1 sudo ip netns del 40 | ``` 41 | 42 | ## Kubernetes 43 | 44 | Tests run in a full Kubernetes environment are handled in [`istio/istio`](https://github.com/istio/istio). 45 | This repo only runs standalone `ztunnel` tests.
46 | -------------------------------------------------------------------------------- /src/tls/ca-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHgk8TybbndFMc 3 | PgmmnXVg+2vkBLkGPgT0yiXZzHo9LATH1DG09eiS5GDRYK49VFRx3KUqCB6HKdrH 4 | d9kmOG3W6JEHKKfgY7ZOeY0OOii2LCYG9jcL2KNbfBNWnrSahRle65nmWxWHmovu 5 | qu4jI5WwhgLu/1JyibHRp2iUIDfHbtE9Sg4I6ij8h6nbLvZG6QqohFzEZsOPwRIR 6 | Rs5iA9qFAygd+nblW3c0hJudUL4FOSC1yIMla3ozeQhbAvlvsY3jlyxM7XxxVKKm 7 | 98FoZAbhMZq/NSdoRlvaVCydsJEIHX1z+4LTJAehMisP8SHmjZi8zyBq19Nc0GCH 8 | WU7g8DGNAgMBAAECggEADVkf0s5aZSpwfBF/gk0DIzG3InqZaXxBRyJ2PVfzrr+Q 9 | 81C0YavZO2i5vJB4H+TSQIr3ZvRDnJ31hAZ1+hto5+nH+D9lWfs54Y663AKSojua 10 | cLlM7gc4yMBop9E2+qagj6v6MEIUUu4JYja/94xkMbsJm7Vr7ftd8Q2/DrgIG1jl 11 | tK8cJ4Cybmnw8IzGaa+bBW0ZAkT4F/qOdVax/3kac4gKQrDTvQawvqyULqisTyQU 12 | 8TfG0yDema9CwoqSR8El7PgdXBRCwO8Z9YlKn1TaWP2rkIVB6sJQmqjTRmjjEFKl 13 | zzuolc0EJcvlvbDhZz1R1cJSiOftY/yPgjRNRlM1iQKBgQDr20jaTnObQoLG/UxL 14 | fC7ntCK372RkcnDaz1uMAGXmmxkle+ohRRZDrQ8ExMAy+o9K+oml5Y72lxy+YElm 15 | eF6uZxe+GL7FKekVw18AAS9fMqMcLGRpVA2/gWEqfE9CgXqy4fCE8zO5NmBHUtEr 16 | y+CLHq792kQQBxDyJXQ5df01uQKBgQDYjFRSRXSOzN654a61GVcelqr6apr7La5s 17 | IWeVVdx8lU0k59tiWQf7+EwK7dMtChYAVZm8mokGpqEvf8cV+cttALEYoWmIfL94 18 | IByi1PRsBbkgUNKOWVWe/ae2DoM3A5hJ/H5mDJFGRN4W9zl/uSlRzkiFC6c7Pxj6 19 | an0Hmj3EdQKBgC5mVH3GI04vFoVJPaI4Cw5ATPg8m1Z7gSI62vq+9U0ZxCewqg3j 20 | ho7H1AWPI3SkAF6yzTOa5rYyYlA9pxMGqTHMTEp0mcs2BInohp78nLIwxw/618I0 21 | 7AN504DFNd6SlG3urx+orMtKHETL0SS5ljIoVirQrsUsbrQElEndoXPZAoGAItzc 22 | ym4CKOdUyEpMLT3KJ9OL7UrybpPZK/Fo0sMC/0+uHs3xJPE+dtNvsqa9Q9gG2MDv 23 | Qk0C2H5FHveMXr5bgM4GtPdvnRiwXq+UzKZKP4XgWxKIA4DgZvthX88QUvASOX8b 24 | /mPxk4WM19evex+dRl1WkYzhvIkZBV/Vhz7OyO0CgYEAihR+kOzBBDcRDDitEHVc 25 | J/pztxlDrkszpvE6iqeYh8Ayc5eebiAevVJiYXtftPK6Jsl9G5vEreG9jxQSYiQQ 26 | Qc1DEVfmewqURAr1fuiVPHCuw1rEj6ySVtyAIQmsNYshMgK41llE9AAXK0TtuH4O 27 | 3IOig0kNPjzk5LMRuveJSHs= 28 | 
-----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /common/scripts/check_clean_repo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Istio Authors 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | function write_patch_file() { 18 | if [ -z "${ARTIFACTS}" ]; then 19 | return 0 20 | fi 21 | 22 | PATCH_NAME="check-clean-repo-diff.patch" 23 | PATCH_OUT="${ARTIFACTS}/${PATCH_NAME}" 24 | git diff > "${PATCH_OUT}" 25 | 26 | [ -n "${JOB_NAME}" ] && [ -n "${BUILD_ID}" ] 27 | IN_PROW="$?" 
28 | 29 | # Don't persist large diffs (30M+) on CI 30 | LARGE_FILE="$(find "${ARTIFACTS}" -name "${PATCH_NAME}" -type 'f' -size +30M)" 31 | if [ "${IN_PROW}" -eq 0 ] && [ -n "${LARGE_FILE}" ]; then 32 | rm "${PATCH_OUT}" 33 | echo "WARNING: patch file was too large to persist ($(du -h "${PATCH_OUT}"))" 34 | return 0 35 | fi 36 | outName="artifacts/${PATCH_OUT#"${ARTIFACTS}"/}" 37 | patchFile="${PROW_ARTIFACTS_BASE:-https://gcsweb.istio.io/gcs/istio-prow}/pr-logs/pull/${REPO_OWNER}_${REPO_NAME}/${PULL_NUMBER}/${JOB_NAME}/${BUILD_ID}/${outName}" 38 | echo "You can also try applying the patch file from the build artifacts: 39 | 40 | git apply <(curl -sL \"${patchFile}\") 41 | " 42 | } 43 | 44 | if [[ -n $(git status --porcelain) ]]; then 45 | git status 46 | git diff 47 | echo "ERROR: Some files need to be updated, please run 'make gen' and include any changed files in your PR" 48 | write_patch_file 49 | exit 1 50 | fi 51 | -------------------------------------------------------------------------------- /src/test_helpers/helpers.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | use crate::telemetry; 16 | use once_cell::sync::Lazy; 17 | use std::net::{IpAddr, SocketAddr}; 18 | use std::process::Command; 19 | use std::time::Instant; 20 | use tracing::debug; 21 | 22 | // Ensure that the `tracing` stack is only initialised once using `once_cell` 23 | static TRACING: Lazy<()> = Lazy::new(telemetry::setup_logging); 24 | 25 | pub fn initialize_telemetry() { 26 | Lazy::force(&TRACING); 27 | } 28 | 29 | pub fn with_ip(s: SocketAddr, ip: IpAddr) -> SocketAddr { 30 | SocketAddr::new(ip, s.port()) 31 | } 32 | 33 | pub fn run_command(cmd: &str) -> anyhow::Result<()> { 34 | let now = Instant::now(); 35 | debug!("running command {cmd}"); 36 | let output = Command::new("sh").arg("-c").arg(cmd).output()?; 37 | debug!( 38 | "command complete in {:?}; code={}, stdout={}, stderr={}", 39 | now.elapsed(), 40 | output.status, 41 | std::str::from_utf8(&output.stdout)?, 42 | std::str::from_utf8(&output.stderr)? 43 | ); 44 | if !output.status.success() { 45 | anyhow::bail!( 46 | "command {} exited with code={}, stdout={}, stderr={}", 47 | cmd.chars().take(50).collect::(), 48 | output.status, 49 | std::str::from_utf8(&output.stdout)?, 50 | std::str::from_utf8(&output.stderr)? 51 | ); 52 | } 53 | Ok(()) 54 | } 55 | -------------------------------------------------------------------------------- /common/scripts/report_build_info.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 
9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | if BUILD_GIT_REVISION=$(git rev-parse HEAD 2> /dev/null); then 25 | if [[ -z "${IGNORE_DIRTY_TREE}" ]] && [[ -n "$(git status --porcelain 2>/dev/null)" ]]; then 26 | BUILD_GIT_REVISION=${BUILD_GIT_REVISION}"-dirty" 27 | fi 28 | else 29 | BUILD_GIT_REVISION=unknown 30 | fi 31 | 32 | # Check for local changes 33 | tree_status="Clean" 34 | if [[ -z "${IGNORE_DIRTY_TREE}" ]] && ! 
git diff-index --quiet HEAD --; then 35 | tree_status="Modified" 36 | fi 37 | 38 | GIT_DESCRIBE_TAG=$(git describe --tags --always) 39 | HUB=${HUB:-"docker.io/istio"} 40 | 41 | # used by common/scripts/gobuild.sh 42 | echo "istio.io/pkg/version.buildVersion=${VERSION:-$BUILD_GIT_REVISION}" 43 | echo "istio.io/pkg/version.buildGitRevision=${BUILD_GIT_REVISION}" 44 | echo "istio.io/pkg/version.buildStatus=${tree_status}" 45 | echo "istio.io/pkg/version.buildTag=${GIT_DESCRIBE_TAG}" 46 | echo "istio.io/pkg/version.buildHub=${HUB}" 47 | echo "istio.io/pkg/version.buildOS=${BUILD_GOOS}" 48 | echo "istio.io/pkg/version.buildArch=${BUILD_GOARCH}" 49 | -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | extern crate core; 16 | #[cfg(feature = "gperftools")] 17 | extern crate gperftools; 18 | 19 | use tracing::info; 20 | use ztunnel::*; 21 | 22 | // #[global_allocator] 23 | // static GLOBAL: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc; 24 | 25 | // #[global_allocator] 26 | // static GLOBAL: tcmalloc::TCMalloc = tcmalloc::TCMalloc; 27 | 28 | fn main() -> anyhow::Result<()> { 29 | telemetry::setup_logging(); 30 | let config: config::Config = config::parse_config()?; 31 | 32 | // For now we don't need a complex CLI, so rather than pull in dependencies just use basic argv[1] 33 | match std::env::args().nth(1).as_deref() { 34 | None | Some("proxy") => (), 35 | Some("version") => return version(), 36 | Some(unknown) => { 37 | eprintln!("unknown command: {unknown}"); 38 | std::process::exit(1) 39 | } 40 | }; 41 | 42 | tokio::runtime::Builder::new_current_thread() 43 | .enable_all() 44 | .build() 45 | .unwrap() 46 | .block_on(async move { proxy(config).await }) 47 | } 48 | 49 | fn version() -> anyhow::Result<()> { 50 | println!("{}", version::BuildInfo::new()); 51 | Ok(()) 52 | } 53 | 54 | async fn proxy(cfg: config::Config) -> anyhow::Result<()> { 55 | info!("version: {}", version::BuildInfo::new()); 56 | info!("running with config: {}", serde_yaml::to_string(&cfg)?); 57 | app::build(cfg).await?.wait_termination().await 58 | } 59 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/poly1305.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_POLY1305_H 16 | #define OPENSSL_HEADER_POLY1305_H 17 | 18 | #include 19 | 20 | #ifdef __cplusplus 21 | extern "C" { 22 | #endif 23 | 24 | 25 | typedef uint8_t poly1305_state[512]; 26 | 27 | // CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an 28 | // authentication tag with the one-time key |key|. Note that |key| is a 29 | // one-time key and therefore there is no `reset' method because that would 30 | // enable several messages to be authenticated with the same key. 31 | OPENSSL_EXPORT void CRYPTO_poly1305_init(poly1305_state *state, 32 | const uint8_t key[32]); 33 | 34 | // CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called 35 | // zero or more times after poly1305_init. 36 | OPENSSL_EXPORT void CRYPTO_poly1305_update(poly1305_state *state, 37 | const uint8_t *in, size_t in_len); 38 | 39 | // CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16 40 | // byte authentication tag to |mac|. 
41 | OPENSSL_EXPORT void CRYPTO_poly1305_finish(poly1305_state *state, 42 | uint8_t mac[16]); 43 | 44 | 45 | #if defined(__cplusplus) 46 | } // extern C 47 | #endif 48 | 49 | #endif // OPENSSL_HEADER_POLY1305_H 50 | -------------------------------------------------------------------------------- /src/metrics/xds.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue}; 16 | use prometheus_client::metrics::counter::Counter; 17 | use prometheus_client::metrics::family::Family; 18 | use prometheus_client::registry::Registry; 19 | 20 | use crate::metrics::Recorder; 21 | 22 | pub(super) struct Metrics { 23 | pub(super) connection_terminations: Family, 24 | } 25 | 26 | #[derive(Clone, Hash, Debug, PartialEq, Eq, EncodeLabelSet)] 27 | pub struct ConnectionTermination { 28 | pub reason: ConnectionTerminationReason, 29 | } 30 | 31 | #[derive(Copy, Clone, Hash, Debug, PartialEq, Eq, EncodeLabelValue)] 32 | pub enum ConnectionTerminationReason { 33 | ConnectionError, 34 | Error, 35 | Reconnect, 36 | Complete, 37 | } 38 | 39 | impl Metrics { 40 | pub fn new(registry: &mut Registry) -> Self { 41 | let connection_terminations = Family::default(); 42 | registry.register( 43 | "connection_terminations", 44 | "The total number of completed connections to xds server", 45 | connection_terminations.clone(), 46 | ); 47 | 48 | Self { 49 | connection_terminations, 50 | } 51 | } 52 | } 53 | 54 | impl Recorder for super::Metrics { 55 | fn record(&self, reason: &ConnectionTerminationReason, count: u64) { 56 | self.xds 57 | .connection_terminations 58 | .get_or_create(&ConnectionTermination { reason: *reason }) 59 | .inc_by(count); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /src/identity/auth.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::io; 16 | use std::path::PathBuf; 17 | 18 | use tonic::metadata::AsciiMetadataValue; 19 | use tonic::service::Interceptor; 20 | use tonic::{Code, Request, Status}; 21 | 22 | #[derive(Clone, Debug, PartialEq, Eq)] 23 | pub enum AuthSource { 24 | Token(PathBuf), 25 | } 26 | 27 | impl AuthSource { 28 | pub fn load(&self) -> io::Result> { 29 | match self { 30 | AuthSource::Token(path) => { 31 | let t = std::fs::read(path)?; 32 | 33 | if t.is_empty() { 34 | return Err(io::Error::new( 35 | io::ErrorKind::Other, 36 | "token file exists, but was empty", 37 | )); 38 | } 39 | Ok(t) 40 | } 41 | } 42 | } 43 | } 44 | 45 | impl Interceptor for AuthSource { 46 | fn call(&mut self, mut request: Request<()>) -> Result, Status> { 47 | let token = self 48 | .load() 49 | .map_err(|e| Status::new(Code::Unauthenticated, e.to_string())) 50 | .map(|mut t| { 51 | let mut bearer: Vec = b"Bearer ".to_vec(); 52 | bearer.append(&mut t); 53 | bearer 54 | }) 55 | .and_then(|b| { 56 | AsciiMetadataValue::try_from(b) 57 | .map_err(|e| Status::new(Code::Unauthenticated, e.to_string())) 58 | })?; 59 | 60 | request.metadata_mut().insert("authorization", token); 61 | Ok(request) 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/version.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance 
with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::env; 16 | use std::fmt; 17 | use std::fmt::{Display, Formatter}; 18 | use std::string::String; 19 | 20 | const BUILD_VERSION: &str = env!("ZTUNNEL_BUILD_buildVersion"); 21 | const BUILD_GIT_REVISION: &str = env!("ZTUNNEL_BUILD_buildGitRevision"); 22 | const BUILD_STATUS: &str = env!("ZTUNNEL_BUILD_buildStatus"); 23 | const BUILD_TAG: &str = env!("ZTUNNEL_BUILD_buildTag"); 24 | const BUILD_RUST_VERSION: &str = env!("ZTUNNEL_BUILD_RUSTC_VERSION"); 25 | 26 | #[derive(serde::Serialize, Clone, Debug, Default)] 27 | pub struct BuildInfo { 28 | version: String, 29 | git_revision: String, 30 | rust_version: String, 31 | build_status: String, 32 | git_tag: String, 33 | pub istio_version: String, 34 | } 35 | 36 | impl BuildInfo { 37 | pub fn new() -> Self { 38 | BuildInfo { 39 | version: BUILD_VERSION.to_string(), 40 | git_revision: BUILD_GIT_REVISION.to_string(), 41 | rust_version: BUILD_RUST_VERSION.to_string(), 42 | build_status: BUILD_STATUS.to_string(), 43 | git_tag: BUILD_TAG.to_string(), 44 | istio_version: env::var("ISTIO_VERSION").unwrap_or_else(|_| "unknown".to_string()), 45 | } 46 | } 47 | } 48 | 49 | impl Display for BuildInfo { 50 | fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 51 | write!(f, "version.BuildInfo{{Version:\"{}\", GitRevision:\"{}\", RustVersion:\"{}\", BuildStatus:\"{}\", GitTag:\"{}\", IstioVersion:\"{}\"}}", 52 | self.version, self.git_revision, self.rust_version, self.build_status, self.git_tag, self.istio_version) 53 | } 54 | } 55 | 
-------------------------------------------------------------------------------- /common/config/.golangci-format.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 7 | 8 | service: 9 | # When updating this, also update the version stored in docker/build-tools/Dockerfile in the istio/tools repo. 10 | golangci-lint-version: 1.49.x # use the fixed version to not introduce new linters unexpectedly 11 | run: 12 | # timeout for analysis, e.g. 30s, 5m, default is 1m 13 | deadline: 20m 14 | build-tags: 15 | - integ 16 | - integfuzz 17 | # which dirs to skip: they won't be analyzed; 18 | # can use regexp here: generated.*, regexp is applied on full path; 19 | # default value is empty list, but next dirs are always skipped independently 20 | # from this option's value: 21 | # vendor$, third_party$, testdata$, examples$, Godeps$, builtin$ 22 | skip-dirs: 23 | - genfiles$ 24 | - vendor$ 25 | 26 | # which files to skip: they will be analyzed, but issues from them 27 | # won't be reported. Default value is empty list, but there is 28 | # no need to include all autogenerated files, we confidently recognize 29 | # autogenerated files. If it's not please let us know. 30 | skip-files: 31 | - ".*\\.pb\\.go" 32 | - ".*\\.gen\\.go" 33 | 34 | linters: 35 | disable-all: true 36 | enable: 37 | - goimports 38 | - gofumpt 39 | - gci 40 | fast: false 41 | 42 | linters-settings: 43 | gci: 44 | sections: 45 | - standard # Captures all standard packages if they do not match another section. 
46 | - default # Contains all imports that could not be matched to another section type. 47 | - prefix(istio.io/) # Groups all imports with the specified Prefix. 48 | goimports: 49 | # put imports beginning with prefix after 3rd-party packages; 50 | # it's a comma-separated list of prefixes 51 | local-prefixes: istio.io/ 52 | 53 | issues: 54 | 55 | # Maximum issues count per one linter. Set to 0 to disable. Default is 50. 56 | max-per-linter: 0 57 | 58 | # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. 59 | max-same-issues: 0 60 | -------------------------------------------------------------------------------- /proto/citadel.proto: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | import "google/protobuf/struct.proto"; 18 | 19 | // Keep this package for backward compatibility. 20 | package istio.v1.auth; 21 | 22 | option go_package="istio.io/api/security/v1alpha1"; 23 | 24 | // Certificate request message. The authentication should be based on: 25 | // 1. Bearer tokens carried in the side channel; 26 | // 2. Client-side certificate via Mutual TLS handshake. 27 | // Note: the service implementation is REQUIRED to verify the authenticated caller is authorized for 28 | // all SANs in the CSR. 
The server side may overwrite any requested certificate field based on its 29 | // policies. 30 | message IstioCertificateRequest { 31 | // PEM-encoded certificate request. 32 | // The public key in the CSR is used to generate the certificate, 33 | // and other fields in the generated certificate may be overwritten by the CA. 34 | string csr = 1; 35 | // Optional: requested certificate validity period, in seconds. 36 | int64 validity_duration = 3; 37 | 38 | // $hide_from_docs 39 | // Optional: Opaque metadata provided by the XDS node to Istio. 40 | // Supported metadata: WorkloadName, WorkloadIP, ClusterID 41 | google.protobuf.Struct metadata = 4; 42 | } 43 | 44 | // Certificate response message. 45 | message IstioCertificateResponse { 46 | // PEM-encoded certificate chain. 47 | // The leaf cert is the first element, and the root cert is the last element. 48 | repeated string cert_chain = 1; 49 | } 50 | 51 | // Service for managing certificates issued by the CA. 52 | service IstioCertificateService { 53 | // Using provided CSR, returns a signed certificate. 54 | rpc CreateCertificate(IstioCertificateRequest) 55 | returns (IstioCertificateResponse) { 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/blake2.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_BLAKE2_H 16 | #define OPENSSL_HEADER_BLAKE2_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | #define BLAKE2B256_DIGEST_LENGTH (256 / 8) 26 | #define BLAKE2B_CBLOCK 128 27 | 28 | struct blake2b_state_st { 29 | uint64_t h[8]; 30 | uint64_t t_low, t_high; 31 | union { 32 | uint8_t bytes[BLAKE2B_CBLOCK]; 33 | uint64_t words[16]; 34 | } block; 35 | size_t block_used; 36 | }; 37 | 38 | // BLAKE2B256_Init initialises |b2b| to perform a BLAKE2b-256 hash. There are no 39 | // pointers inside |b2b| thus release of |b2b| is purely managed by the caller. 40 | OPENSSL_EXPORT void BLAKE2B256_Init(BLAKE2B_CTX *b2b); 41 | 42 | // BLAKE2B256_Update appends |len| bytes from |data| to the digest being 43 | // calculated by |b2b|. 44 | OPENSSL_EXPORT void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *data, 45 | size_t len); 46 | 47 | // BLAKE2B256_Final completes the digest calculated by |b2b| and writes 48 | // |BLAKE2B256_DIGEST_LENGTH| bytes to |out|. 49 | OPENSSL_EXPORT void BLAKE2B256_Final(uint8_t out[BLAKE2B256_DIGEST_LENGTH], 50 | BLAKE2B_CTX *b2b); 51 | 52 | // BLAKE2B256 writes the BLAKE2b-256 digest of |len| bytes from |data| to 53 | // |out|. 
54 | OPENSSL_EXPORT void BLAKE2B256(const uint8_t *data, size_t len, 55 | uint8_t out[BLAKE2B256_DIGEST_LENGTH]); 56 | 57 | 58 | #if defined(__cplusplus) 59 | } // extern C 60 | #endif 61 | 62 | #endif // OPENSSL_HEADER_BLAKE2_H 63 | -------------------------------------------------------------------------------- /common/scripts/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 
23 | 24 | set -e 25 | 26 | WD=$(dirname "$0") 27 | WD=$(cd "$WD"; pwd) 28 | 29 | export FOR_BUILD_CONTAINER=1 30 | # shellcheck disable=SC1090,SC1091 31 | source "${WD}/setup_env.sh" 32 | 33 | 34 | MOUNT_SOURCE="${MOUNT_SOURCE:-${PWD}}" 35 | MOUNT_DEST="${MOUNT_DEST:-/work}" 36 | 37 | read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}" 38 | 39 | [[ -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it") 40 | [[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}") 41 | 42 | # $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the 43 | # following command only 44 | # shellcheck disable=SC2086 45 | "${CONTAINER_CLI}" run \ 46 | --rm \ 47 | "${DOCKER_RUN_OPTIONS[@]}" \ 48 | --init \ 49 | --sig-proxy=true \ 50 | ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \ 51 | $CONTAINER_OPTIONS \ 52 | --env-file <(env | grep -v ${ENV_BLOCKLIST}) \ 53 | -e IN_BUILD_CONTAINER=1 \ 54 | -e TZ="${TIMEZONE:-$TZ}" \ 55 | --mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \ 56 | --mount "type=volume,source=go,destination=/go" \ 57 | --mount "type=volume,source=gocache,destination=/gocache" \ 58 | --mount "type=volume,source=cache,destination=/home/.cache" \ 59 | --mount "type=volume,source=crates,destination=/home/.cargo/registry" \ 60 | ${CONDITIONAL_HOST_MOUNTS} \ 61 | -w "${MOUNT_DEST}" "${IMG}" "$@" 62 | -------------------------------------------------------------------------------- /src/stats.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::sync::Mutex; 16 | use std::{net::SocketAddr, sync::Arc}; 17 | 18 | use drain::Watch; 19 | use hyper::{Body, Request, Response}; 20 | use prometheus_client::encoding::text::encode; 21 | use prometheus_client::registry::Registry; 22 | 23 | use crate::config::Config; 24 | use crate::hyper_util::{empty_response, Server}; 25 | use crate::signal; 26 | 27 | pub struct Service { 28 | s: Server>, 29 | } 30 | 31 | impl Service { 32 | pub fn new( 33 | config: Config, 34 | registry: Registry, 35 | shutdown_trigger: signal::ShutdownTrigger, 36 | drain_rx: Watch, 37 | ) -> hyper::Result { 38 | Server::>::bind( 39 | "stats", 40 | config.stats_addr, 41 | shutdown_trigger, 42 | drain_rx, 43 | Mutex::new(registry), 44 | ) 45 | .map(|s| Service { s }) 46 | } 47 | 48 | pub fn address(&self) -> SocketAddr { 49 | self.s.address() 50 | } 51 | 52 | pub fn spawn(self) { 53 | self.s.spawn(|registry, req| async move { 54 | match req.uri().path() { 55 | "/metrics" => Ok(handle_metrics(registry, req).await), 56 | _ => Ok(empty_response(hyper::StatusCode::NOT_FOUND)), 57 | } 58 | }) 59 | } 60 | } 61 | 62 | async fn handle_metrics(reg: Arc>, _req: Request) -> Response { 63 | let mut buf = String::new(); 64 | let reg = reg.lock().unwrap(); 65 | encode(&mut buf, ®).unwrap(); 66 | 67 | Response::builder() 68 | .status(hyper::StatusCode::OK) 69 | .header( 70 | hyper::header::CONTENT_TYPE, 71 | "application/openmetrics-text;charset=utf-8;version=1.0.0", 72 | ) 73 | .body(Body::from(buf)) 74 | .unwrap() 75 | } 76 | 
-------------------------------------------------------------------------------- /common/config/sass-lint.yml: -------------------------------------------------------------------------------- 1 | ######################### 2 | ## Config for sass-lint 3 | ######################### 4 | # Linter Options 5 | options: 6 | # Don't merge default rules 7 | merge-default-rules: false 8 | # Raise an error if more than 50 warnings are generated 9 | max-warnings: 500 10 | # Rule Configuration 11 | rules: 12 | attribute-quotes: 13 | - 2 14 | - 15 | include: false 16 | bem-depth: 2 17 | border-zero: 2 18 | brace-style: 2 19 | class-name-format: 2 20 | clean-import-paths: 2 21 | declarations-before-nesting: 2 22 | empty-args: 2 23 | empty-line-between-blocks: 2 24 | extends-before-declarations: 2 25 | extends-before-mixins: 2 26 | final-newline: 2 27 | force-attribute-nesting: 0 28 | force-element-nesting: 0 29 | force-pseudo-nesting: 0 30 | function-name-format: 2 31 | hex-length: 0 32 | hex-notation: 2 33 | id-name-format: 2 34 | indentation: 35 | - 2 36 | - 37 | size: 4 38 | leading-zero: 39 | - 2 40 | - 41 | include: false 42 | max-file-line-count: 0 43 | max-file-length: 0 44 | mixins-before-declarations: 2 45 | no-attribute-selectors: 0 46 | no-color-hex: 0 47 | no-color-keywords: 0 48 | no-color-literals: 0 49 | no-combinators: 0 50 | no-css-comments: 2 51 | no-debug: 2 52 | no-disallowed-properties: 2 53 | no-duplicate-properties: 2 54 | no-empty-rulesets: 2 55 | no-extends: 2 56 | no-ids: 0 57 | no-invalid-hex: 2 58 | no-important: 0 59 | no-mergeable-selectors: 2 60 | no-misspelled-properties: 2 61 | no-qualifying-elements: 0 62 | no-trailing-whitespace: 2 63 | no-trailing-zero: 2 64 | no-transition-all: 0 65 | no-url-domains: 2 66 | no-url-protocols: 2 67 | no-warn: 2 68 | one-declaration-per-line: 2 69 | placeholder-in-extend: 2 70 | placeholder-name-format: 2 71 | property-sort-order: 0 72 | property-units: 2 73 | pseudo-element: 2 74 | quotes: 75 | - 2 76 | - 77 | 
style: double 78 | shorthand-values: 2 79 | single-line-per-selector: 0 80 | space-after-bang: 2 81 | space-after-colon: 2 82 | space-after-comma: 2 83 | space-around-operator: 2 84 | space-before-bang: 2 85 | space-before-brace: 2 86 | space-before-colon: 2 87 | space-between-parens: 2 88 | trailing-semicolon: 2 89 | url-quotes: 2 90 | variable-for-property: 91 | - 0 92 | - 93 | properties: 94 | - color 95 | - background-color 96 | - fill 97 | variable-name-format: 0 98 | zero-unit: 2 99 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/opensslconf.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. 
*/ 17 | 18 | #ifndef OPENSSL_HEADER_OPENSSLCONF_H 19 | #define OPENSSL_HEADER_OPENSSLCONF_H 20 | 21 | 22 | #define OPENSSL_NO_ASYNC 23 | #define OPENSSL_NO_BF 24 | #define OPENSSL_NO_BLAKE2 25 | #define OPENSSL_NO_BUF_FREELISTS 26 | #define OPENSSL_NO_CAMELLIA 27 | #define OPENSSL_NO_CAPIENG 28 | #define OPENSSL_NO_CAST 29 | #define OPENSSL_NO_CMS 30 | #define OPENSSL_NO_COMP 31 | #define OPENSSL_NO_CT 32 | #define OPENSSL_NO_DANE 33 | #define OPENSSL_NO_DEPRECATED 34 | #define OPENSSL_NO_DGRAM 35 | #define OPENSSL_NO_DYNAMIC_ENGINE 36 | #define OPENSSL_NO_EC_NISTP_64_GCC_128 37 | #define OPENSSL_NO_EC2M 38 | #define OPENSSL_NO_EGD 39 | #define OPENSSL_NO_ENGINE 40 | #define OPENSSL_NO_GMP 41 | #define OPENSSL_NO_GOST 42 | #define OPENSSL_NO_HEARTBEATS 43 | #define OPENSSL_NO_HW 44 | #define OPENSSL_NO_IDEA 45 | #define OPENSSL_NO_JPAKE 46 | #define OPENSSL_NO_KRB5 47 | #define OPENSSL_NO_MD2 48 | #define OPENSSL_NO_MDC2 49 | #define OPENSSL_NO_OCB 50 | #define OPENSSL_NO_OCSP 51 | #define OPENSSL_NO_RC2 52 | #define OPENSSL_NO_RC5 53 | #define OPENSSL_NO_RFC3779 54 | #define OPENSSL_NO_RIPEMD 55 | #define OPENSSL_NO_RMD160 56 | #define OPENSSL_NO_SCTP 57 | #define OPENSSL_NO_SEED 58 | #define OPENSSL_NO_SM2 59 | #define OPENSSL_NO_SM3 60 | #define OPENSSL_NO_SM4 61 | #define OPENSSL_NO_SRP 62 | #define OPENSSL_NO_SSL2 63 | #define OPENSSL_NO_SSL3 64 | #define OPENSSL_NO_SSL3_METHOD 65 | #define OPENSSL_NO_STATIC_ENGINE 66 | #define OPENSSL_NO_STORE 67 | #define OPENSSL_NO_WHIRLPOOL 68 | 69 | 70 | #endif // OPENSSL_HEADER_OPENSSLCONF_H 71 | -------------------------------------------------------------------------------- /src/readiness.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
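// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

use crate::telemetry;
use std::collections::HashSet;
use std::sync::{Arc, Mutex, MutexGuard, PoisonError};
use tracing::info;
mod server;
pub use server::*;

/// Ready tracks whether the process is ready: it holds the names of the tasks
/// that are still pending, and the process is ready once that set is empty.
///
/// The set is shared (`Arc`) so every `BlockReady` handle and the readiness
/// HTTP server observe the same state.
#[derive(Clone, Debug, Default)]
pub struct Ready(Arc<Mutex<HashSet<String>>>);

impl Ready {
    pub fn new() -> Ready {
        Ready(Default::default())
    }

    /// Locks the pending set, recovering from a poisoned mutex.
    ///
    /// The guarded value is a plain `HashSet<String>` whose insert/remove are
    /// all-or-nothing, so a panic in another holder cannot leave it half
    /// updated and it is safe to keep using it. Recovering instead of
    /// `unwrap()` matters because `BlockReady::drop` takes this lock: a panic
    /// in `drop` while another panic is unwinding escalates to an abort, and
    /// the readiness server would otherwise also panic on every probe after a
    /// single task panic.
    fn lock(&self) -> MutexGuard<'_, HashSet<String>> {
        self.0.lock().unwrap_or_else(PoisonError::into_inner)
    }

    /// register_task allows a caller to add a dependency to be marked "ready".
    ///
    /// The returned `BlockReady` keeps readiness blocked until it is dropped.
    /// Registering the same `name` twice is a caller bug: the set holds one
    /// entry, and whichever handle is dropped first clears it.
    pub fn register_task(&self, name: &str) -> BlockReady {
        self.lock().insert(name.to_string());
        BlockReady {
            parent: self.to_owned(),
            name: name.to_string(),
        }
    }

    /// Returns a snapshot of the task names that have not completed yet.
    pub fn pending(&self) -> HashSet<String> {
        self.lock().clone()
    }
}

/// BlockReady blocks readiness until it is dropped.
pub struct BlockReady {
    parent: Ready,
    name: String,
}

impl BlockReady {
    /// Registers another task on the same `Ready`. The returned handle is
    /// independent of `self` and has to be dropped on its own.
    pub fn subtask(&self, name: &str) -> BlockReady {
        self.parent.register_task(name)
    }
}

impl Drop for BlockReady {
    fn drop(&mut self) {
        let mut pending = self.parent.lock();
        let removed = pending.remove(&self.name);
        // Debug-only: removing a name twice means two handles shared one
        // registration (see `register_task`). Kept out of release builds so
        // that `drop` never panics there.
        debug_assert!(removed, "task '{}' completed twice", self.name);
        let left = pending.len();
        let dur = telemetry::APPLICATION_START_TIME.elapsed();
        if left == 0 {
            info!(
                "Task '{}' complete ({dur:?}), marking server ready",
                self.name
            );
        } else {
            info!(
                "Task '{}' complete ({dur:?}), still awaiting {left} tasks",
                self.name
            );
        }
    }
}

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
#
# The original version of this file is located in the https://github.com/istio/common-files repo.
# If you're looking at this file in a different repo and want to make a change, please go to the
# common-files repo, make the change there and check it in. Then come back to this repo and run
# "make update-common".

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.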
21 | 22 | SHELL := /bin/bash 23 | 24 | # allow optional per-repo overrides 25 | -include Makefile.overrides.mk 26 | 27 | # Set the environment variable BUILD_WITH_CONTAINER to use a container 28 | # to build the repo. The only dependencies in this mode are to have make and 29 | # docker. If you'd rather build with a local tool chain instead, you'll need to 30 | # figure out all the tools you need in your environment to make that work. 31 | export BUILD_WITH_CONTAINER ?= 0 32 | 33 | ifeq ($(BUILD_WITH_CONTAINER),1) 34 | 35 | # An export free of arguments in a Makefile places all variables in the Makefile into the 36 | # environment. This is needed to allow overrides from Makefile.overrides.mk. 37 | export 38 | 39 | RUN = ./common/scripts/run.sh 40 | 41 | MAKE_DOCKER = $(RUN) make --no-print-directory -e -f Makefile.core.mk 42 | 43 | %: 44 | @$(MAKE_DOCKER) $@ 45 | 46 | default: 47 | @$(MAKE_DOCKER) 48 | 49 | shell: 50 | @$(RUN) /bin/bash 51 | 52 | .PHONY: default shell 53 | 54 | else 55 | 56 | # If we are not in build container, we need a workaround to get environment properly set 57 | # Write to file, then include 58 | $(shell mkdir -p out) 59 | $(shell $(shell pwd)/common/scripts/setup_env.sh envfile > out/.env) 60 | include out/.env 61 | # An export free of arguments in a Makefile places all variables in the Makefile into the 62 | # environment. This behavior may be surprising to many that use shell often, which simply 63 | # displays the existing environment 64 | export 65 | 66 | export GOBIN ?= $(GOPATH)/bin 67 | include Makefile.core.mk 68 | 69 | endif 70 | -------------------------------------------------------------------------------- /proto/google/protobuf/empty.proto: -------------------------------------------------------------------------------- 1 | // Protocol Buffers - Google's data interchange format 2 | // Copyright 2008 Google Inc. All rights reserved. 
3 | // https://developers.google.com/protocol-buffers/ 4 | // 5 | // Redistribution and use in source and binary forms, with or without 6 | // modification, are permitted provided that the following conditions are 7 | // met: 8 | // 9 | // * Redistributions of source code must retain the above copyright 10 | // notice, this list of conditions and the following disclaimer. 11 | // * Redistributions in binary form must reproduce the above 12 | // copyright notice, this list of conditions and the following disclaimer 13 | // in the documentation and/or other materials provided with the 14 | // distribution. 15 | // * Neither the name of Google Inc. nor the names of its 16 | // contributors may be used to endorse or promote products derived from 17 | // this software without specific prior written permission. 18 | // 19 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
30 | 31 | syntax = "proto3"; 32 | 33 | package google.protobuf; 34 | 35 | option go_package = "google.golang.org/protobuf/types/known/emptypb"; 36 | option java_package = "com.google.protobuf"; 37 | option java_outer_classname = "EmptyProto"; 38 | option java_multiple_files = true; 39 | option objc_class_prefix = "GPB"; 40 | option csharp_namespace = "Google.Protobuf.WellKnownTypes"; 41 | option cc_enable_arenas = true; 42 | 43 | // A generic empty message that you can re-use to avoid defining duplicated 44 | // empty messages in your APIs. A typical example is to use it as the request 45 | // or the response type of an API method. For instance: 46 | // 47 | // service Foo { 48 | // rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); 49 | // } 50 | // 51 | message Empty {} 52 | -------------------------------------------------------------------------------- /src/readiness/server.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
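
use std::net::SocketAddr;

use drain::Watch;
use hyper::{Body, Request, Response};
use itertools::Itertools;

use crate::hyper_util::{empty_response, plaintext_response, Server};
use crate::{config, readiness, signal};

/// Readiness probe HTTP server.
///
/// Serves `GET /healthz/ready` on `config.readiness_addr`; every other path is
/// a 404 and every other method a 405. The handler reads the shared
/// `readiness::Ready` state and reports 200 once no task is pending.
pub struct Service {
    s: Server<readiness::Ready>,
}

impl Service {
    /// Binds the listener on `config.readiness_addr`, returning the bind error
    /// if the address is unavailable. Nothing is served until `spawn`.
    pub fn new(
        config: config::Config,
        ready: readiness::Ready,
        shutdown_trigger: signal::ShutdownTrigger,
        drain_rx: Watch,
    ) -> hyper::Result<Self> {
        Server::<readiness::Ready>::bind(
            "readiness",
            config.readiness_addr,
            shutdown_trigger,
            drain_rx,
            ready,
        )
        .map(|s| Service { s })
    }

    /// The address the listener is actually bound to.
    pub fn address(&self) -> SocketAddr {
        self.s.address()
    }

    /// Starts serving. Routing is an exact string match on the path, so only
    /// `/healthz/ready` is handled (a trailing slash is a 404).
    pub fn spawn(self) {
        self.s.spawn(|ready, req| async move {
            match req.uri().path() {
                "/healthz/ready" => Ok(handle_ready(&ready, req).await),
                _ => Ok(empty_response(hyper::StatusCode::NOT_FOUND)),
            }
        })
    }
}

/// Answers a readiness probe.
///
/// `GET` returns `200 "ready\n"` when no task is pending, otherwise a 500
/// whose body names the pending tasks (sorted, so the output is stable
/// between probes). Any non-2xx status marks the process not ready. The task
/// names are internal detail; this assumes `readiness_addr` is a pod-local,
/// non-public address — confirm against config.
/// Any other method gets a `405` with an empty body.
async fn handle_ready(ready: &readiness::Ready, req: Request<Body>) -> Response<Body> {
    match *req.method() {
        hyper::Method::GET => {
            let pending = ready.pending();
            if pending.is_empty() {
                return plaintext_response(hyper::StatusCode::OK, "ready\n".into());
            }
            plaintext_response(
                hyper::StatusCode::INTERNAL_SERVER_ERROR,
                format!(
                    "not ready, pending: {}\n",
                    pending.into_iter().sorted().join(", ")
                ),
            )
        }
        _ => empty_response(hyper::StatusCode::METHOD_NOT_ALLOWED),
    }
}

--------------------------------------------------------------------------------
/scripts/local.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.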
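# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Helpers for running ztunnel locally against a cluster. This file is written to
# be sourced (it only defines functions and an alias), so it deliberately does
# not set -e/-u, which would leak into the caller's shell.

# Local user whose outbound TCP is redirected into ztunnel by redirect-to.
ZTUNNEL_REDIRECT_USER="${ZTUNNEL_REDIRECT_USER:-iptables1}"

# Fetch the credentials a real ztunnel pod would have mounted, into ./var/run/secrets.
# The token is a bound service-account token (bound to the ztunnel pod's UID) with
# audience istio-ca and a 240h lifetime, so a dev loop survives restarts. That makes
# ./var/run/secrets/tokens/istio-token a long-lived credential: it is written with
# mode 0600 and must not be committed or shared.
ztunnel-local-bootstrap () {
    pod="$(kubectl get pods -lapp=ztunnel -n istio-system -ojson | jq '.items[0]')"
    if [[ -z "${pod}" || "${pod}" == "null" ]]; then
        echo "no ztunnel pod found in istio-system" >&2
        return 1
    fi
    sa="$(<<<"${pod}" jq -r '.spec.serviceAccountName')"
    uid="$(<<<"${pod}" jq -r '.metadata.uid')"
    name="$(<<<"${pod}" jq -r '.metadata.name')"
    mkdir -p ./var/run/secrets/tokens ./var/run/secrets/istio
    # Subshell so the restrictive umask does not leak into the sourcing shell.
    (
        umask 077
        kubectl create token "$sa" -n istio-system --audience=istio-ca --duration=240h \
            --bound-object-kind Pod --bound-object-name="${name}" --bound-object-uid="${uid}" \
            > ./var/run/secrets/tokens/istio-token
    )
    # Only the CA certificate (public) is extracted from the secret, not the CA key.
    kubectl -n istio-system get secret istio-ca-secret -ojsonpath='{.data.ca-cert\.pem}' | base64 -d > ./var/run/secrets/istio/root-cert.pem
}

# Redirect all outbound TCP from ZTUNNEL_REDIRECT_USER to local port $1 (IPv4 and
# IPv6). Existing local-redirect-to rules are removed first so repeated calls do
# not stack rules. Requires sudo and a user created by redirect-user-setup.
redirect-to () {
    local port="${port:-${1:?port}}"
    redirect-to-clean
    # Without this check a missing user yields an empty --uid-owner and a confusing iptables error.
    uid=$(id -u "${ZTUNNEL_REDIRECT_USER}") || {
        echo "user ${ZTUNNEL_REDIRECT_USER} does not exist; run redirect-user-setup first" >&2
        return 1
    }
    sudo iptables -t nat -I OUTPUT 1 -p tcp -m owner --uid-owner "$uid" -j REDIRECT --to-ports "${port}" -m comment --comment "local-redirect-to"
    sudo ip6tables -t nat -I OUTPUT 1 -p tcp -m owner --uid-owner "$uid" -j REDIRECT --to-ports "${port}" -m comment --comment "local-redirect-to"
    echo "Redirecting calls from UID $uid to ${port}"
    echo "Try: sudo -u ${ZTUNNEL_REDIRECT_USER} curl"
}

# Remove every nat OUTPUT rule tagged local-redirect-to: each delete command is
# echoed first, then executed. Idempotent: no matching rules is not an error.
redirect-to-clean () {
    sudo iptables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 echo sudo iptables -t nat -D
    sudo iptables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 sudo iptables -t nat -D
    sudo ip6tables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 echo sudo ip6tables -t nat -D
    sudo ip6tables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 sudo ip6tables -t nat -D
}

# One-time setup: create the dedicated redirect user and a `redirect-run` alias
# that runs a command as that user. The alias only exists in the sourcing shell.
redirect-user-setup() {
    # shellcheck disable=SC2046,SC2139,SC2006
    alias redirect-run="sudo -u \"${ZTUNNEL_REDIRECT_USER}\""
    sudo useradd "${ZTUNNEL_REDIRECT_USER}"
}

--------------------------------------------------------------------------------
/src/tls/cert.crt:
--------------------------------------------------------------------------------
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIUKR+dap3TpKhxmpwtNLchLa7E4JEwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT
CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X
DTIwMDgxNDIyMTA0OVoXDTMwMDgxMjIyMTA0OVowADCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAM3y5xVP1qYDsy4DSEG7eXhQEGL/XUbXOR1kTEXTAhAk
/Wo0YclowxRQuIyeXpLM+nRN2z0xDttkMRpI0m6Qb1vK43XtPkBieVm/tBSUyis+
iBV6KBOhw7ionoAlyq6tOkwL2V3siMK5LvkpeeC7lJPJamaRN19LJcnWS214bcur
lq6g6+owQGb4BS4STqfiRkIciw7MHTN5vWQcNmWNT3ME19KNQGKLXPkJGJoNlq4P
98pIuO58k0mow8xESpmrJ1zOtMtUUDicXV67m8BV2xkn7YLDehfAyKsqMJjsdWB3
LUlk/kFia9n/AwFz+3mMSPWe4OnRQGdtwUMuanknfSUCAwEAAaN2MHQwDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v
bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAO3Rcr/CEnEieuKujrQ/j
ZrM5cjQckt/+NcpkXsTQaqpkARmUL23D/g3Cg3P9rfJVIfSIfN2509meX+ouDzIm
JWoFW3XVFLiev18aBBO6rmLaMMMKiVOZYAYzeM8Zt/3qH8mLxNq2CQYUL8EtAd7V
P1FVx6vauFqlyqPn2BWZO3CgdGyPwPRQkBUTrItcUI8OTgAFYd/Q5vQuLt82QIAl
givsPvGaKEWV02tpf8PfAZDgXrFkJLeFhFd0pgf7RSIdvShNdPyyz4r9/2CqEVmc
BRDyTw09OLceF0Mhi4HqcnzgVeLWvWT+yUo3FYf6kzeavK93CEdSU8c9OvQbyi9D
cQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----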
MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD 24 | VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl 25 | MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD 26 | QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx 27 | OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT 28 | CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x 29 | ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC 30 | AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 31 | iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z 32 | APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 33 | M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom 34 | ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 35 | LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T 36 | BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC 37 | AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w 38 | A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 39 | PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y 40 | 05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN 41 | Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn 42 | aFKltOc+RAjzDklcUPeG4Y6eMA== 43 | -----END CERTIFICATE----- 44 | -------------------------------------------------------------------------------- /src/time.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

use std::time::{Instant, SystemTime};

/// Pairs one `Instant` with one `SystemTime` captured together, so monotonic
/// timestamps can be mapped to wall-clock time and back by applying the same
/// offset to both clocks.
///
/// The pairing is fixed at construction; wall-clock adjustments made later are
/// not reflected in conversions.
#[derive(Clone)]
pub struct Converter {
    now: Instant,
    sys_now: SystemTime,
}

impl Converter {
    /// Anchors the converter at the current wall-clock time.
    pub fn new() -> Self {
        Self::new_at(SystemTime::now())
    }

    /// Anchors the converter at `sys_now` on the wall clock and at
    /// `Instant::now()` on the monotonic clock.
    pub fn new_at(sys_now: SystemTime) -> Self {
        let now = Instant::now();
        Self { now, sys_now }
    }

    /// Maps a wall-clock time onto the monotonic clock using the anchor offset.
    ///
    /// Returns `None` when `t` lies far enough before the anchor that the
    /// corresponding `Instant` is not representable (`checked_sub` fails).
    pub fn system_time_to_instant(&self, t: SystemTime) -> Option<Instant> {
        match t.duration_since(self.sys_now) {
            // `t` is at or after the anchor: move forward by the same amount.
            Ok(ahead) => Some(self.now + ahead),
            // `t` is before the anchor; the error carries the (positive) gap.
            Err(behind) => self.now.checked_sub(behind.duration()),
        }
    }

    /// Maps a monotonic timestamp onto the wall clock using the anchor offset.
    ///
    /// Returns `None` if the result is not representable as a `SystemTime`.
    pub fn instant_to_system_time(&self, t: Instant) -> Option<SystemTime> {
        if t <= self.now {
            let behind = self.now.saturating_duration_since(t);
            self.sys_now.checked_sub(behind)
        } else {
            let ahead = t.saturating_duration_since(self.now);
            self.sys_now.checked_add(ahead)
        }
    }

    /// Nanoseconds from the anchor to `now`. On the toolchain this crate pins
    /// (rust-version 1.65) `duration_since` saturates to zero if `now` precedes
    /// the anchor rather than panicking.
    pub fn elapsed_nanos(&self, now: Instant) -> u128 {
        let since_anchor = now.duration_since(self.now);
        since_anchor.as_nanos()
    }

    /// Sub-second part of the anchor's wall-clock time, in nanoseconds.
    ///
    /// Panics if the anchor is before the Unix epoch.
    pub fn subsec_nanos(&self) -> u32 {
        let since_epoch = self.sys_now.duration_since(SystemTime::UNIX_EPOCH).unwrap();
        since_epoch.subsec_nanos()
    }
}

impl Default for Converter {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use std::time::{Duration, Instant};

    /// Round trip: an instant mapped to wall-clock time and shifted by DELAY
    /// maps back to the same instant shifted by DELAY.
    #[test]
    fn test_converter() {
        const DELAY: Duration = Duration::from_secs(1);
        let conv = super::Converter::new();
        let now = Instant::now();
        let sys_now = conv.instant_to_system_time(now).unwrap();
        let later = conv.system_time_to_instant(sys_now + DELAY);
        assert_eq!(later, Some(now + DELAY));
    }
}

--------------------------------------------------------------------------------
/common/scripts/gobuild.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
#
# The original version of this file is located in the https://github.com/istio/common-files repo.
# If you're looking at this file in a different repo and want to make a change, please go to the
# common-files repo, make the change there and check it in. Then come back to this repo and run
# "make update-common".

# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
23 | 24 | # This script builds and version stamps the output 25 | 26 | VERBOSE=${VERBOSE:-"0"} 27 | V="" 28 | if [[ "${VERBOSE}" == "1" ]];then 29 | V="-x" 30 | set -x 31 | fi 32 | 33 | SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 34 | 35 | OUT=${1:?"output path"} 36 | shift 37 | 38 | set -e 39 | 40 | export BUILD_GOOS=${GOOS:-linux} 41 | export BUILD_GOARCH=${GOARCH:-amd64} 42 | GOBINARY=${GOBINARY:-go} 43 | GOPKG="$GOPATH/pkg" 44 | BUILDINFO=${BUILDINFO:-""} 45 | STATIC=${STATIC:-1} 46 | LDFLAGS=${LDFLAGS:--extldflags -static} 47 | GOBUILDFLAGS=${GOBUILDFLAGS:-""} 48 | # Split GOBUILDFLAGS by spaces into an array called GOBUILDFLAGS_ARRAY. 49 | IFS=' ' read -r -a GOBUILDFLAGS_ARRAY <<< "$GOBUILDFLAGS" 50 | 51 | GCFLAGS=${GCFLAGS:-} 52 | export CGO_ENABLED=${CGO_ENABLED:-0} 53 | 54 | if [[ "${STATIC}" != "1" ]];then 55 | LDFLAGS="" 56 | fi 57 | 58 | # gather buildinfo if not already provided 59 | # For a release build BUILDINFO should be produced 60 | # at the beginning of the build and used throughout 61 | if [[ -z ${BUILDINFO} ]];then 62 | BUILDINFO=$(mktemp) 63 | "${SCRIPTPATH}/report_build_info.sh" > "${BUILDINFO}" 64 | fi 65 | 66 | # BUILD LD_EXTRAFLAGS 67 | LD_EXTRAFLAGS="" 68 | 69 | while read -r line; do 70 | LD_EXTRAFLAGS="${LD_EXTRAFLAGS} -X ${line}" 71 | done < "${BUILDINFO}" 72 | 73 | OPTIMIZATION_FLAGS=(-trimpath) 74 | if [ "${DEBUG}" == "1" ]; then 75 | OPTIMIZATION_FLAGS=() 76 | fi 77 | 78 | time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \ 79 | ${V} "${GOBUILDFLAGS_ARRAY[@]}" ${GCFLAGS:+-gcflags "${GCFLAGS}"} \ 80 | -o "${OUT}" \ 81 | "${OPTIMIZATION_FLAGS[@]}" \ 82 | -pkgdir="${GOPKG}/${BUILD_GOOS}_${BUILD_GOARCH}" \ 83 | -ldflags "${LDFLAGS} ${LD_EXTRAFLAGS}" "${@}" 84 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/hkdf.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google 
Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_HKDF_H 16 | #define OPENSSL_HEADER_HKDF_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // HKDF. 26 | 27 | 28 | // HKDF computes HKDF (as specified by RFC 5869) of initial keying material 29 | // |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes 30 | // to |out_key|. It returns one on success and zero on error. 31 | // 32 | // HKDF is an Extract-and-Expand algorithm. It does not do any key stretching, 33 | // and as such, is not suited to be used alone to generate a key from a 34 | // password. 35 | OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, 36 | const uint8_t *secret, size_t secret_len, 37 | const uint8_t *salt, size_t salt_len, 38 | const uint8_t *info, size_t info_len); 39 | 40 | // HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from initial 41 | // keying material |secret| and salt |salt| using |digest|, and outputs 42 | // |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|. 43 | // It returns one on success and zero on error. 
44 | OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len, 45 | const EVP_MD *digest, const uint8_t *secret, 46 | size_t secret_len, const uint8_t *salt, 47 | size_t salt_len); 48 | 49 | // HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of length 50 | // |out_len| from the PRK |prk| and info |info| using |digest|, and outputs 51 | // the result to |out_key|. It returns one on success and zero on error. 52 | OPENSSL_EXPORT int HKDF_expand(uint8_t *out_key, size_t out_len, 53 | const EVP_MD *digest, const uint8_t *prk, 54 | size_t prk_len, const uint8_t *info, 55 | size_t info_len); 56 | 57 | 58 | #if defined(__cplusplus) 59 | } // extern C 60 | #endif 61 | 62 | #define HKDF_R_OUTPUT_TOO_LARGE 100 63 | 64 | #endif // OPENSSL_HEADER_HKDF_H 65 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ztunnel" 3 | version = "0.0.0" 4 | edition = "2021" 5 | rust-version = "1.65" 6 | 7 | [features] 8 | default = ["fips"] 9 | gperftools = ["dep:gperftools"] 10 | console = ["dep:console-subscriber"] 11 | fips = ["boring/fips", "hyper-boring/fips", "tokio-boring/fips"] 12 | 13 | [lib] 14 | path = "src/lib.rs" 15 | bench = false 16 | 17 | [[bin]] 18 | name = "ztunnel" 19 | path = "src/main.rs" 20 | bench = false 21 | 22 | [[bench]] 23 | name = "throughput" 24 | harness = false 25 | 26 | [dependencies] 27 | #tikv-jemallocator = { version = "0.5", features = ["profiling", "stats"]} 28 | anyhow = "1.0.65" 29 | async-stream = "0.3.3" 30 | async-trait = "0.1.58" 31 | boring = { version = "2.1.0"} 32 | bytes = { version = "1", features=["serde"]} 33 | console-subscriber = { version = "0.1.6" , optional = true} 34 | drain = "0.1.1" 35 | futures = "0.3.12" 36 | gperftools = { version = "0.2.0", features = ["heap"], optional = true } 37 | hyper = { version = "0.14.18", features = ["full"] } 38 | hyper-boring = { 
version= "2.1.2" } 39 | libc = "0.2.126" 40 | log = "0.4" 41 | once_cell = "1.16.0" 42 | pprof = { version = "0.11.0", features = ["protobuf", "protobuf-codec", "criterion"] } 43 | prometheus-client = { version = "0.19.0" } 44 | prost = "0.11" 45 | prost-types = "0.11.1" 46 | rand = "0.8.5" 47 | serde = { version = "1.0.144", features = ["derive", "rc"] } 48 | serde_json = "1.0.85" 49 | serde_yaml = "0.9.13" 50 | socket2 = "0.4.7" 51 | byteorder = "1.3.4" 52 | thiserror = "1.0.38" 53 | tls-listener = { version = "0.6.0", features = ["hyper-h2"] } 54 | tokio = {"version"= "1", features=["full", "test-util"]} 55 | tokio-boring = { version = "2.1.5" } 56 | tokio-stream = "0.1.9" 57 | tonic = { version = "0.8", default-features=false, features = ["channel", "transport", "prost", "codegen"]} 58 | tower = { version = "0.4.12", features = ["full"] } 59 | tracing = "0.1.34" 60 | tracing-subscriber = { version = "0.3.16" , features = ["registry", "env-filter"]} 61 | realm_io = "0.4" 62 | go-parse-duration = "0.1.1" 63 | prometheus-parse = "0.2.3" 64 | url = "2.2" 65 | itertools = "0.10.5" 66 | ipnet = { version = "2.7.0", features = ["serde"] } 67 | http-types = { version = "2.12.0", default-features = false } 68 | netns-rs = "0.1.0" 69 | textnonce = { version = "1.0.0" } 70 | priority-queue = "1.3.0" 71 | chrono = "0.4.23" 72 | 73 | [build-dependencies] 74 | tonic-build = { version = "0.8", default-features=false, features = ["prost"] } 75 | prost-build = "0.11" 76 | anyhow = "1.0.65" 77 | rustc_version = "0.4.0" 78 | 79 | [profile.release] 80 | opt-level = 3 81 | codegen-units = 1 82 | lto = true 83 | 84 | # Release optimized but without as many dependencies, suitable for incremental development 85 | [profile.quick-release] 86 | inherits = "release" 87 | codegen-units = 16 88 | lto = false 89 | incremental = true 90 | 91 | [dev-dependencies] 92 | criterion = { version = "0.4.0", features = ["async_tokio", "html_reports"] } 93 | diff = "0.1.13" 94 | matches = "0.1.9" 95 | 
netns-rs = "0.1.0"
test-case = "3.0.0"
#debug = true

--------------------------------------------------------------------------------
/docker/remote-env/Dockerfile:
--------------------------------------------------------------------------------
# Remote docker environment for ztunnel development.
#
# SECURITY NOTE: this image is a throwaway dev box, not a hardened service. Its
# sshd allows root login and password authentication, the default account is
# `user` / `password` (see REMOTE_USER / REMOTE_USER_PASSWORD below), and the
# Run example starts the container --privileged. Only ever publish port 22 on
# the loopback interface as shown below; never expose it on a shared or public
# network.
#
# Build:
#   docker build -t ztunnel/remote-env:0.1 -f docker/remote-env/Dockerfile .
#
# Run:
#   docker run -d \
#     --privileged \
#     -p 127.0.0.1:2222:22 \
#     --name ztunnel-dev \
#     --mount type=bind,source="$PWD",target="/home/user/ztunnel" \
#     ztunnel/remote-env:0.1
#
# Clear credentials:
#   ssh-keygen -f "$HOME/.ssh/known_hosts" -R "[localhost]:2222"
#
# stop:
#   docker stop ztunnel-dev
#
# ssh credentials (test user):
#   ssh user@localhost -p2222 (enter `password` on the command-line)

FROM gcr.io/istio-testing/build-tools:master-65b95c3425a26e633081b2d0834cc0df6e81fd8a

# - git (and git-lfs), for git operations (to e.g. push your work).
#   Also required for setting up your configured dotfiles in the workspace.
# - sudo, while not required, is recommended to be installed, since the
#   workspace user (`user`, see REMOTE_USER below) is non-root and would not
#   be able to install any other tools in a live workspace without it.
RUN apt-get update && apt-get install --no-install-recommends -yq \
    net-tools \
    iproute2 \
    iptables \
    cmake \
    ninja-build \
    git \
    sudo \
    ssh \
    && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/*

# Add the rust source code and set up the environment.
RUN rustup component add rust-src
ENV CARGO_HOME="/home/.cargo"
ENV RUSTUP_HOME="/home/.rustup"
ENV PATH=$CARGO_HOME/bin:$PATH

# Create the configuration file for sshd.
# Deliberately permissive for a local dev container: DEBUG2 logging, root
# login, password auth and TCP forwarding are all enabled. This is only
# acceptable because the port is published on 127.0.0.1 (see the Run example
# in the header); do not reuse this config for anything reachable from a network.
RUN ( \
    echo 'LogLevel DEBUG2'; \
    echo 'PermitRootLogin yes'; \
    echo 'PasswordAuthentication yes'; \
    echo 'AllowTcpForwarding yes'; \
    echo 'Subsystem sftp /usr/lib/openssh/sftp-server'; \
    ) > /etc/ssh/sshd_remote_dev \
    && mkdir /run/sshd

# Add remote user with a plaintext password.
# The password is a build ARG with a well-known default; override it with
# --build-arg REMOTE_USER_PASSWORD=... if the image is ever shared. The user is
# added to the sudo group, so anyone holding the password can become root in
# the container (which the Run example starts --privileged).
ARG REMOTE_USER=user
ARG REMOTE_USER_PASSWORD=password
ARG REMOTE_USER_HOME=/home/$REMOTE_USER
ARG REMOTE_USER_SHELL=/bin/bash
ARG REMOTE_USER_LOGIN_SCRIPT=$REMOTE_USER_HOME/.bashrc
ARG REMOTE_USER_ID=3333
ARG REMOTE_USER_GROUPS=sudo
# ignoring because the current shell doesn't support pipefail; likely want to have a better fix long term
# hadolint ignore=DL4006
RUN useradd -lm \
    -u $REMOTE_USER_ID \
    -G $REMOTE_USER_GROUPS \
    -d $REMOTE_USER_HOME \
    -s $REMOTE_USER_SHELL \
    $REMOTE_USER \
    && yes $REMOTE_USER_PASSWORD | passwd $REMOTE_USER

# Set the rust environment in the remote user login script.
76 | RUN echo "export CARGO_HOME=$CARGO_HOME" >> $REMOTE_USER_LOGIN_SCRIPT 77 | RUN echo "export RUSTUP_HOME=$RUSTUP_HOME" >> $REMOTE_USER_LOGIN_SCRIPT 78 | RUN echo "export PATH=$PATH" >> $REMOTE_USER_LOGIN_SCRIPT 79 | 80 | ENV BUILD_WITH_CONTAINER=0 81 | EXPOSE 22 82 | CMD ["/usr/sbin/sshd", "-D", "-e", "-f", "/etc/ssh/sshd_remote_dev"] -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_x86_64/Dockerfile.v1: -------------------------------------------------------------------------------- 1 | # Dockerfile for the image used to pre-compile the FIPS-compliant boringssl library 2 | # We use this because the latest FIPS-certified boringssl build requires an old 3 | # clang version that we don't want to use in our general toolchain. 4 | 5 | # Pull base image. 6 | FROM ubuntu:18.04 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y curl build-essential software-properties-common tar wget xz-utils unzip 10 | 11 | # Install CMake v3.20.1. 12 | RUN wget https://github.com/Kitware/CMake/releases/download/v3.20.1/cmake-3.20.1-linux-x86_64.tar.gz 13 | RUN tar -xvf cmake-3.20.1-linux-x86_64.tar.gz 14 | ENV PATH=$PWD/cmake-3.20.1-linux-x86_64/bin:$PATH 15 | 16 | # Install Go v1.16.5. 17 | RUN wget https://go.dev/dl/go1.16.5.linux-amd64.tar.gz 18 | RUN tar -xvf go1.16.5.linux-amd64.tar.gz 19 | ENV PATH=$PWD/go/bin:$PATH 20 | ENV GOROOT=$PWD/go 21 | 22 | # Install Clang v12.0.0. 23 | RUN wget https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz 24 | RUN tar -xvf clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz 25 | RUN ln -s clang clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/bin/clang++-12 26 | ENV PATH=$PWD/clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/bin:$PATH 27 | ENV LD_LIBRARY_PATH=$PWD/clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/lib:$LD_LIBRARY_PATH 28 | 29 | # Install Ninja v1.10.2. 
30 | RUN wget https://github.com/ninja-build/ninja/releases/download/v1.10.2/ninja-linux.zip 31 | RUN mkdir ninja 32 | RUN unzip -o ninja-linux.zip -d ninja 33 | ENV PATH=$PWD/ninja:$PATH 34 | 35 | # Verify required versions of the tools in $PATH. 36 | # https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf 37 | RUN if [ "`clang --version | head -1 | awk '{print $3}'`" != "12.0.0" ]; then echo "Clang version doesn't match."; exit 1; fi 38 | RUN if [ "`go version | awk '{print $3}'`" != "go1.16.5" ]; then echo "Go version doesn't match."; exit 1; fi 39 | RUN if [ "`ninja --version`" != "1.10.2" ]; then echo "Ninja version doesn't match."; exit 1; fi 40 | RUN if [ "`cmake --version | head -1 | awk '{print $3}'`" != "3.20.1" ]; then echo "CMake version doesn't match."; exit 1; fi 41 | 42 | # Force -fPIC to allow linking Rust libraries against BoringCrypto. 43 | ENV CFLAGS="-fPIC" 44 | ENV CXXFLAGS="-fPIC" 45 | 46 | # Build BoringCrypto. 47 | RUN wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 48 | RUN echo "a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2 boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz" | sha256sum --check 49 | RUN tar xf boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 50 | RUN printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain 51 | RUN cd boringssl \ 52 | && mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release .. 
\ 53 | && ninja \ 54 | && ./crypto/crypto_test \ 55 | && if [ "`./tool/bssl isfips`" = "1" ]; then echo "FIPS check succeeded."; else echo "FIPS check failed."; exit 1; fi 56 | -------------------------------------------------------------------------------- /scripts/tproxy.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Init the base set of tables and routes 4 | init() { 5 | # Anything with the mark 15001 will be sent to loopback 6 | ip -4 rule add fwmark 15001 lookup 15001 7 | ip -4 route add local default dev lo table 15001 8 | 9 | iptables -t mangle -N ZT_CAPTURE_EGRESS 10 | iptables -t mangle -A ZT_CAPTURE_EGRESS -j MARK --set-mark 15001 11 | 12 | # PREROUTING on loopback - anything routed by the route table 15001, based on OUTPUT mark 13 | # Ignore local source or dst - it's not egress 14 | iptables -t mangle -N ZT_TPROXY 15 | iptables -t mangle -A ZT_TPROXY -d 127.0.0.0/8 -j RETURN 16 | iptables -t mangle -A ZT_TPROXY --match mark --mark 15001 -p tcp -j TPROXY --tproxy-mark 15001/0xffffffff --on-port 15001 17 | iptables -t mangle -A PREROUTING -i lo -j ZT_TPROXY 18 | 19 | 20 | # Table that determines who gets redirected 21 | iptables -t mangle -N ZT_EGRESS 22 | iptables -t mangle -A OUTPUT -j ZT_EGRESS 23 | } 24 | 25 | init6() { 26 | # Anything with the mark 15001 will be sent to loopback 27 | ip -6 rule add fwmark 15001 lookup 15001 28 | ip -6 route add local default dev lo table 15001 29 | 30 | ip6tables -t mangle -N ZT_CAPTURE_EGRESS 31 | ip6tables -t mangle -A ZT_CAPTURE_EGRESS -j MARK --set-mark 15001 32 | 33 | # PREROUTING on loopback - anything routed by the route table 15001, based on OUTPUT mark 34 | # Ignore local source or dst - it's not egress 35 | ip6tables -t mangle -N ZT_TPROXY 36 | ip6tables -t mangle -A ZT_TPROXY -d ::1/128 -j RETURN 37 | ip6tables -t mangle -A ZT_TPROXY --match mark --mark 15001 -p tcp -j TPROXY --tproxy-mark 15001/0xffffffff --on-port 15001 38 | 
ip6tables -t mangle -A PREROUTING -i lo -j ZT_TPROXY 39 | 40 | 41 | # Table that determines who gets redirected 42 | ip6tables -t mangle -N ZT_EGRESS 43 | ip6tables -t mangle -A OUTPUT -j ZT_EGRESS 44 | } 45 | 46 | 47 | # Clean the configurable table for outbound capture 48 | clean() { 49 | iptables -t mangle -F ZT_EGRESS 50 | ip6tables -t mangle -F ZT_EGRESS 51 | } 52 | 53 | # Setup outbound capture 54 | setup() { 55 | iptables -t mangle -A ZT_EGRESS -p tcp --dport 15001 -j RETURN 56 | iptables -t mangle -A ZT_EGRESS -p tcp --dport 15009 -j RETURN 57 | iptables -t mangle -A ZT_EGRESS -p tcp --dport 15008 -j RETURN 58 | 59 | iptables -t mangle -A ZT_EGRESS -m owner --uid-owner 0 -j RETURN 60 | 61 | # For now capture only 10, to avoid breaking internet requests. 62 | # Will need to be expanded 63 | iptables -t mangle -A ZT_EGRESS -d 10.0.0.0/8 -j ZT_CAPTURE_EGRESS 64 | iptables -t mangle -A ZT_EGRESS -d 142.251.46.228/32 -j ZT_CAPTURE_EGRESS 65 | } 66 | 67 | setup6() { 68 | ip6tables -t mangle -A ZT_EGRESS -p tcp --dport 15001 -j RETURN 69 | ip6tables -t mangle -A ZT_EGRESS -p tcp --dport 15009 -j RETURN 70 | ip6tables -t mangle -A ZT_EGRESS -p tcp --dport 15008 -j RETURN 71 | 72 | ip6tables -t mangle -A ZT_EGRESS -m owner --uid-owner 0 -j RETURN 73 | 74 | # For now capture only 10, to avoid breaking internet requests. 75 | # Will need to be expanded 76 | ip6tables -t mangle -A ZT_EGRESS -d fc::/7 -j ZT_CAPTURE_EGRESS 77 | ip6tables -t mangle -A ZT_EGRESS -d fe:c0::/10 -j ZT_CAPTURE_EGRESS 78 | } 79 | 80 | if [[ "$1" != "" ]]; then 81 | $1 82 | fi 83 | -------------------------------------------------------------------------------- /proto/authorization.proto: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | package istio.security; 18 | option go_package="pkg/workloadapi"; 19 | 20 | import "google/protobuf/empty.proto"; 21 | 22 | message Authorization { 23 | string name = 1; 24 | string namespace = 2; 25 | 26 | // Determine the scope of this RBAC policy. 27 | // If set to NAMESPACE, the 'namespace' field value will be used. 28 | Scope scope = 3; 29 | // The action to take if the request is matched with the rules. 30 | // Default is ALLOW if not specified. 31 | Action action = 4; 32 | // Set of RBAC policy groups each containing its rules. 33 | // If at least one of the groups is matched the policy action will 34 | // take place. 35 | // Groups are OR-ed. 
36 | repeated Group groups = 5; 37 | } 38 | 39 | message Group { 40 | // Rules are AND-ed 41 | // This is a generic form of the authz policy's to, from and when 42 | repeated Rules rules = 1; 43 | } 44 | 45 | message Rules { 46 | // The logical behavior between the matches (if there are more than one) 47 | // MatchBehavior match_behavior = 1; 48 | repeated Match matches = 2; 49 | } 50 | 51 | message Match { 52 | // Values of specific type are ORed 53 | // If multiple types are set, they are ANDed 54 | 55 | repeated StringMatch namespaces = 1; 56 | repeated StringMatch not_namespaces = 2; 57 | 58 | repeated StringMatch principals = 3; 59 | repeated StringMatch not_principals = 4; 60 | 61 | repeated Address source_ips = 5; 62 | repeated Address not_source_ips = 6; 63 | 64 | repeated Address destination_ips = 7; 65 | repeated Address not_destination_ips = 8; 66 | 67 | repeated uint32 destination_ports = 9; 68 | repeated uint32 not_destination_ports = 10; 69 | } 70 | 71 | message Address { 72 | bytes address = 1; 73 | uint32 length = 2; 74 | } 75 | 76 | message StringMatch { 77 | oneof match_type { 78 | // exact string match 79 | string exact = 1; 80 | // prefix-based match 81 | string prefix = 2; 82 | 83 | // suffix-based match 84 | string suffix = 3; 85 | 86 | google.protobuf.Empty presence = 4; 87 | } 88 | } 89 | 90 | enum Scope { 91 | // ALL means that the authorization policy will be applied to all workloads 92 | // in the mesh (any namespace). 93 | GLOBAL = 0; 94 | // NAMESPACE means that the policy will only be applied to workloads in a 95 | // specific namespace. 96 | NAMESPACE = 1; 97 | // WORKLOAD_SELECTOR means that the policy will only be applied to specific 98 | // workloads that were selected by their labels. 99 | WORKLOAD_SELECTOR = 2; 100 | } 101 | 102 | enum Action { 103 | // Allow the request if it matches with the rules. 104 | ALLOW = 0; 105 | // Deny the request if it matches with the rules. 
106 | DENY = 1; 107 | } 108 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/cmac.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_CMAC_H 16 | #define OPENSSL_HEADER_CMAC_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // CMAC. 26 | // 27 | // CMAC is a MAC based on AES-CBC and defined in 28 | // https://tools.ietf.org/html/rfc4493#section-2.3. 29 | 30 | 31 | // One-shot functions. 32 | 33 | // AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of 34 | // |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select 35 | // between AES-128 and AES-256. It returns one on success or zero on error. 36 | OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len, 37 | const uint8_t *in, size_t in_len); 38 | 39 | 40 | // Incremental interface. 41 | 42 | // CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on 43 | // error. 
44 | OPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void); 45 | 46 | // CMAC_CTX_free frees a |CMAC_CTX|. 47 | OPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx); 48 | 49 | // CMAC_CTX_copy sets |out| to be a duplicate of the current state |in|. It 50 | // returns one on success and zero on error. 51 | OPENSSL_EXPORT int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in); 52 | 53 | // CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC 54 | // only specifies the use of AES-128 thus |key_len| should be 16 and |cipher| 55 | // should be |EVP_aes_128_cbc()|. However, this implementation also supports 56 | // AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The 57 | // |engine| argument is ignored. 58 | // 59 | // It returns one on success or zero on error. 60 | OPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len, 61 | const EVP_CIPHER *cipher, ENGINE *engine); 62 | 63 | 64 | // CMAC_Reset resets |ctx| so that a fresh message can be authenticated. 65 | OPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx); 66 | 67 | // CMAC_Update processes |in_len| bytes of message from |in|. It returns one on 68 | // success or zero on error. 69 | OPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len); 70 | 71 | // CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes 72 | // of authenticator to it. It returns one on success or zero on error. 
73 | OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len); 74 | 75 | 76 | #if defined(__cplusplus) 77 | } // extern C 78 | 79 | extern "C++" { 80 | 81 | BSSL_NAMESPACE_BEGIN 82 | 83 | BORINGSSL_MAKE_DELETER(CMAC_CTX, CMAC_CTX_free) 84 | 85 | BSSL_NAMESPACE_END 86 | 87 | } // extern C++ 88 | 89 | #endif 90 | 91 | #endif // OPENSSL_HEADER_CMAC_H 92 | -------------------------------------------------------------------------------- /src/signal.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | // #[async_trait::async_trait] 16 | // pub trait Shutdown { 17 | // async fn shutdown(); 18 | // } 19 | 20 | use tokio::sync::mpsc; 21 | 22 | pub struct Shutdown { 23 | shutdown_tx: mpsc::Sender<()>, 24 | shutdown_rx: mpsc::Receiver<()>, 25 | } 26 | 27 | impl Shutdown { 28 | pub fn new() -> Self { 29 | let (shutdown_tx, shutdown_rx) = mpsc::channel(1); 30 | Shutdown { 31 | shutdown_tx, 32 | shutdown_rx, 33 | } 34 | } 35 | 36 | /// Trigger returns a ShutdownTrigger which can be used to trigger a shutdown immediately 37 | pub fn trigger(&self) -> ShutdownTrigger { 38 | ShutdownTrigger { 39 | shutdown_tx: self.shutdown_tx.clone(), 40 | } 41 | } 42 | 43 | /// Wait completes when the shutdown as been triggered 44 | pub async fn wait(mut self) { 45 | imp::shutdown(&mut self.shutdown_rx).await 46 | } 47 | } 48 | 49 | impl Default for Shutdown { 50 | fn default() -> Self { 51 | Self::new() 52 | } 53 | } 54 | 55 | #[derive(Clone, Debug)] 56 | pub struct ShutdownTrigger { 57 | shutdown_tx: mpsc::Sender<()>, 58 | } 59 | 60 | impl ShutdownTrigger { 61 | pub async fn shutdown_now(&self) { 62 | self.shutdown_tx.send(()).await.unwrap(); 63 | } 64 | } 65 | 66 | #[cfg(unix)] 67 | mod imp { 68 | use std::process; 69 | use tokio::signal::unix::{signal, SignalKind}; 70 | use tokio::sync::mpsc::Receiver; 71 | use tracing::info; 72 | 73 | pub(super) async fn shutdown(receiver: &mut Receiver<()>) { 74 | tokio::select! 
{ 75 | _ = watch_signal(SignalKind::interrupt(), "SIGINT") => { 76 | tokio::spawn(async move{ 77 | watch_signal(SignalKind::interrupt(), "SIGINT").await; 78 | info!("Double Ctrl+C, exit immediately"); 79 | process::exit(0); 80 | }); 81 | } 82 | _ = watch_signal(SignalKind::terminate(), "SIGTERM") => {} 83 | _ = receiver.recv() => { info!("received explicit shutdown signal")} 84 | }; 85 | } 86 | 87 | async fn watch_signal(kind: SignalKind, name: &'static str) { 88 | signal(kind) 89 | .expect("Failed to register signal handler") 90 | .recv() 91 | .await; 92 | info!("received signal {}, starting shutdown", name,); 93 | } 94 | } 95 | 96 | #[cfg(not(unix))] 97 | mod imp { 98 | use tokio::sync::mpsc::Receiver; 99 | 100 | pub(super) async fn shutdown(receiver: Receiver<()>) { 101 | // This isn't quite right, but close enough for windows... 102 | tokio::signal::windows::ctrl_c() 103 | .expect("Failed to register signal handler") 104 | .recv() 105 | .await; 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_arm64/Dockerfile.v1: -------------------------------------------------------------------------------- 1 | # Dockerfile for the image used to pre-compile the FIPS-compliant boringssl library 2 | # We use this because the latest FIPS-certified boringssl build requires an old 3 | # clang version that we don't want to use in our general toolchain. 4 | 5 | # Pull base image. 6 | FROM ubuntu:18.04 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y curl build-essential software-properties-common tar wget xz-utils unzip gcc-8 g++-8 10 | 11 | RUN add-apt-repository ppa:ubuntu-toolchain-r/test 12 | RUN apt update 13 | RUN apt-get install -y --only-upgrade libstdc++6 14 | 15 | # Install CMake v3.20.1. 
16 | RUN wget https://github.com/Kitware/CMake/releases/download/v3.20.1/cmake-3.20.1-linux-aarch64.tar.gz 17 | RUN tar -xvf cmake-3.20.1-linux-aarch64.tar.gz 18 | ENV PATH=$PWD/cmake-3.20.1-linux-aarch64/bin:$PATH 19 | 20 | # Install Go v1.16.5. 21 | RUN wget https://go.dev/dl/go1.16.5.linux-arm64.tar.gz 22 | RUN tar -xvf go1.16.5.linux-arm64.tar.gz 23 | ENV PATH=$PWD/go/bin:$PATH 24 | ENV GOROOT=$PWD/go 25 | 26 | # Install Clang v12.0.0. 27 | RUN wget https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/clang+llvm-12.0.0-aarch64-linux-gnu.tar.xz 28 | RUN tar -xvf clang+llvm-12.0.0-aarch64-linux-gnu.tar.xz 29 | RUN ln -s clang clang+llvm-12.0.0-aarch64-linux-gnu/bin/clang++-12 30 | ENV PATH=$PWD/clang+llvm-12.0.0-aarch64-linux-gnu/bin:$PATH 31 | ENV LD_LIBRARY_PATH=$PWD/clang+llvm-12.0.0-aarch64-linux-gnu/lib:$LD_LIBRARY_PATH 32 | 33 | # Install Ninja v1.10.2. - newest release has/will have arm64 binaries but currently 34 | # does not, and this 2020 release does not, so build it ourselves 35 | RUN wget https://github.com/ninja-build/ninja/archive/refs/tags/v1.10.2.tar.gz 36 | RUN mkdir ninja 37 | RUN tar -xvf v1.10.2.tar.gz -C ninja --strip-components=1 38 | RUN cd ninja && \ 39 | cmake -Bbuild-cmake && \ 40 | cmake --build build-cmake 41 | ENV PATH=$PWD/ninja/build-cmake:$PATH 42 | 43 | RUN echo "$(ldd --version)" 44 | RUN clang --version 45 | # Verify required versions of the tools in $PATH. 
46 | # https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf 47 | RUN if [ "`clang --version | head -1 | awk '{print $3}'`" != "12.0.0" ]; then echo "Clang version doesn't match."; exit 1; fi 48 | RUN if [ "`go version | awk '{print $3}'`" != "go1.16.5" ]; then echo "Go version doesn't match."; exit 1; fi 49 | RUN if [ "`ninja --version`" != "1.10.2" ]; then echo "Ninja version doesn't match."; exit 1; fi 50 | RUN if [ "`cmake --version | head -1 | awk '{print $3}'`" != "3.20.1" ]; then echo "CMake version doesn't match."; exit 1; fi 51 | 52 | # Force -fPIC to allow linking Rust libraries against BoringCrypto. 53 | ENV CFLAGS="-fPIC" 54 | ENV CXXFLAGS="-fPIC" 55 | 56 | # Build BoringCrypto. 57 | RUN wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 58 | RUN echo "a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2 boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz" | sha256sum --check 59 | RUN tar xf boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 60 | RUN printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain 61 | RUN cd boringssl \ 62 | && mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release .. \ 63 | && ninja \ 64 | && ./crypto/crypto_test \ 65 | && if [ "`./tool/bssl isfips`" = "1" ]; then echo "FIPS check succeeded."; else echo "FIPS check failed."; exit 1; fi 66 | -------------------------------------------------------------------------------- /LOCAL.md: -------------------------------------------------------------------------------- 1 | # Local Testing 2 | 3 | Along with running in a Kubernetes, ztunnel can be run locally for development purposes. 
4 | 5 | This doc covers ztunnel specifically, for general Istio local development see 6 | [Local Istio Development](https://github.com/howardjohn/local-istio-development). 7 | 8 | ## Local overrides 9 | 10 | There are a variety of config options that can be used to replace components with mocked ones: 11 | 12 | * `FAKE_CA="true"` - this will use self-signed fake certificates, eliminating a dependency on a CA 13 | * `XDS_ADDRESS=""` - disables XDS client completely 14 | * `LOCAL_XDS_PATH=./examples/localhost.yaml` - read XDS config from a file. 15 | This example adds a workload for `127.0.0.1`, allowing us to send requests to/from localhost. 16 | * `NODE_NAME=local` - configures which node the ztunnel is running as. 17 | This impacts the networking path of requests. In the `localhost.yaml` example, `NODE_NAME=local` would make localhost use the in-memory fast path; without it HBONE would be used. 18 | 19 | Together, `FAKE_CA="true" XDS_ADDRESS="" LOCAL_XDS_PATH=./examples/localhost.yaml cargo run` (with `--no-default-features` if you have FIPS disabled) can be used to run entirely locally, without a Kubernetes or Istiod dependency. 20 | 21 | ## Real Istiod 22 | 23 | `ztunnel` can also be run locally but connected to a real Istiod instance. 24 | 25 | ### Authentication 26 | 27 | Ztunnel authentication for CA requires a pod-bound Service Account token. 28 | This makes local running a bit more complex than normally. 29 | 30 | First, you must have at least 1 ztunnel pod running. 31 | See the [instructions](https://github.com/istio/istio/blob/experimental-ambient/CONTRIBUTING.md) 32 | for deploying a ztunnel. 33 | 34 | Then the below command will fetch a token: 35 | 36 | ```shell 37 | source ./scripts/local.sh 38 | ztunnel-local-bootstrap 39 | ``` 40 | 41 | ### XDS and CA 42 | 43 | While XDS is not a hard requirement due to the static config file, the CA is. 44 | When running locally, ztunnel will automatically connect to an Istiod running on localhost. 
45 | 46 | Istiod can be run locally as simply as `go run ./pilot/cmd/pilot-discovery discovery`. 47 | 48 | ## Sending requests 49 | 50 | Ztunnel expects requests to be redirected with iptables. The following functions can help do this: 51 | 52 | * `redirect-user-setup` sets up a new user specified by `$ZTUNNEL_REDIRECT_USER` 53 | * `redirect-to ` redirects all traffic from `$ZTUNNEL_REDIRECT_USER` to the given port. 54 | * `redirect-to-clean` removes any iptables rules setup by `redirect-to` 55 | * `redirect-run ` runs the command as `$ZTUNNEL_REDIRECT_USER`. 56 | 57 | To setup redirection logic for all requests from the `iptables1` user to 15001: 58 | 59 | ```shell 60 | source ./scripts/local.sh 61 | export ZTUNNEL_REDIRECT_USER="iptables1" 62 | redirect-user-setup 63 | redirect-to 15001 64 | ``` 65 | 66 | Finally, requests can be sent through the ztunnel: 67 | 68 | ```shell 69 | redirect-run curl localhost:8080 70 | ``` 71 | 72 | In the example request above, the request will go from `curl -> ztunnel (15001) --HBONE--> ztunnel (15008) -> localhost:8080`. 73 | 74 | If you wanted the same request to not go over HBONE, you could connect to/from another unknown IP like `127.0.0.2`. 75 | 76 | ## Configuration 77 | 78 | Ztunnel behaves differently for requests to workloads on the same node vs other nodes. 79 | This can be utilized to test different things. For example: 80 | 81 | * `LOCAL_XDS_PATH=./examples/localhost.yaml cargo run` - request to localhost will use HBONE 82 | * `LOCAL_XDS_PATH=./examples/localhost.yaml NODE_NAME=local cargo run` - request to localhost will use in-memory fast path 83 | -------------------------------------------------------------------------------- /src/test_helpers/ca.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::convert::Infallible; 16 | use std::path::PathBuf; 17 | use std::time::Duration; 18 | 19 | use async_trait::async_trait; 20 | use futures::future; 21 | use hyper::service::make_service_fn; 22 | use tokio::sync::watch; 23 | use tonic::codegen::Service; 24 | 25 | use crate::config::RootCert; 26 | use crate::identity::{AuthSource, CaClient}; 27 | use crate::xds::istio::ca::istio_certificate_service_server::{ 28 | IstioCertificateService, IstioCertificateServiceServer, 29 | }; 30 | use crate::{ 31 | tls, 32 | xds::istio::ca::{IstioCertificateRequest, IstioCertificateResponse}, 33 | }; 34 | 35 | /// CaServer provides a fake CA server implementation. Mocked responses can be assigned to it. 
36 | #[derive(Clone)] 37 | pub struct CaServer { 38 | response: watch::Receiver>, 39 | } 40 | 41 | impl CaServer { 42 | pub async fn spawn() -> ( 43 | watch::Sender>, 44 | CaClient, 45 | ) { 46 | let default = Err(tonic::Status::not_found("mock not set")); 47 | let (tx, rx) = watch::channel(default); 48 | 49 | let server = CaServer { response: rx }; 50 | let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap(); 51 | let server_addr = listener.local_addr().unwrap(); 52 | let certs = tls::generate_test_certs( 53 | &server_addr.ip().into(), 54 | Duration::from_secs(0), 55 | Duration::from_secs(100), 56 | ); 57 | let root_cert = RootCert::Static(certs.chain().unwrap()); 58 | let acceptor = tls::ControlPlaneCertProvider(certs); 59 | let tls_stream = crate::hyper_util::tls_server(acceptor, listener); 60 | let incoming = hyper::server::accept::from_stream(tls_stream); 61 | 62 | let srv = IstioCertificateServiceServer::new(server); 63 | tokio::spawn(async move { 64 | hyper::Server::builder(incoming) 65 | .serve(make_service_fn(move |_| { 66 | let mut srv = srv.clone(); 67 | future::ok::<_, Infallible>(tower::service_fn( 68 | move |req: hyper::Request| srv.call(req), 69 | )) 70 | })) 71 | .await 72 | .unwrap() 73 | }); 74 | let client = CaClient::new( 75 | "https://".to_string() + &server_addr.to_string(), 76 | root_cert, 77 | AuthSource::Token(PathBuf::from(r"src/test_helpers/fake-jwt")), 78 | true, 79 | ) 80 | .unwrap(); 81 | (tx, client) 82 | } 83 | } 84 | #[async_trait] 85 | impl IstioCertificateService for CaServer { 86 | async fn create_certificate( 87 | &self, 88 | _request: tonic::Request, 89 | ) -> Result, tonic::Status> { 90 | let b = self.response.borrow(); 91 | match &*b { 92 | Ok(res) => Ok(tonic::Response::new(res.clone())), 93 | Err(e) => Err(e.clone()), 94 | } 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /src/metrics.rs: 
-------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::mem; 16 | 17 | use prometheus_client::registry::Registry; 18 | use tracing::error; 19 | 20 | mod meta; 21 | #[allow(non_camel_case_types)] 22 | pub mod traffic; 23 | pub mod xds; 24 | 25 | /// Set of Swarm and protocol metrics derived from emitted events. 26 | pub struct Metrics { 27 | xds: xds::Metrics, 28 | #[allow(dead_code)] 29 | meta: meta::Metrics, 30 | traffic: traffic::Metrics, 31 | } 32 | 33 | impl Metrics { 34 | fn new(registry: &mut Registry) -> Self { 35 | Self { 36 | xds: xds::Metrics::new(registry), 37 | meta: meta::Metrics::new(registry), 38 | traffic: traffic::Metrics::new(registry), 39 | } 40 | } 41 | } 42 | 43 | impl From<&mut Registry> for Metrics { 44 | fn from(registry: &mut Registry) -> Self { 45 | Metrics::new(registry.sub_registry_with_prefix("istio")) 46 | } 47 | } 48 | 49 | impl Default for Metrics { 50 | fn default() -> Self { 51 | let mut registry = Registry::default(); 52 | Metrics::new(registry.sub_registry_with_prefix("istio")) 53 | } 54 | } 55 | 56 | impl Metrics { 57 | #[must_use = "metric will be dropped (and thus recorded) immediately if not assign"] 58 | /// increment_defer is used to increment a metric now and another metric later once the MetricGuard is dropped 59 | /// 60 | /// # Examples 61 | /// 62 | 
/// ```ignore 63 | /// let connection_open = ConnectionOpen {}; 64 | /// // Record connection opened now 65 | /// let connection_close = self.metrics.increment_defer::<_, ConnectionClosed>(&connection_open); 66 | /// // Eventually, report connection closed 67 | /// drop(connection_close); 68 | /// ``` 69 | pub fn increment_defer<'a, M1, M2>(&'a self, event: &'a M1) -> MetricGuard<'a, M2> 70 | where 71 | M1: Clone + 'a, 72 | M2: From<&'a M1>, 73 | Metrics: IncrementRecorder + IncrementRecorder, 74 | { 75 | self.increment(event); 76 | let m2: M2 = event.into(); 77 | MetricGuard { 78 | metrics: self, 79 | event: Some(m2), 80 | } 81 | } 82 | } 83 | 84 | pub struct MetricGuard<'a, E> 85 | where 86 | Metrics: IncrementRecorder, 87 | { 88 | metrics: &'a Metrics, 89 | event: Option, 90 | } 91 | 92 | impl Drop for MetricGuard<'_, E> 93 | where 94 | Metrics: IncrementRecorder, 95 | { 96 | fn drop(&mut self) { 97 | if let Some(m) = mem::take(&mut self.event) { 98 | self.metrics.increment(&m) 99 | } else { 100 | error!("defer record failed, event is gone"); 101 | } 102 | } 103 | } 104 | 105 | pub trait Recorder { 106 | /// Record the given event 107 | fn record(&self, event: &E, meta: T); 108 | } 109 | 110 | pub trait IncrementRecorder: Recorder { 111 | /// Record the given event by incrementing the counter by count 112 | fn increment(&self, event: &E); 113 | } 114 | 115 | impl IncrementRecorder for R 116 | where 117 | R: Recorder, 118 | { 119 | fn increment(&self, event: &E) { 120 | self.record(event, 1); 121 | } 122 | } 123 | -------------------------------------------------------------------------------- /common/config/license-lint.yml: -------------------------------------------------------------------------------- 1 | unrestricted_licenses: 2 | - Apache-2.0 3 | - CC-BY-3.0 4 | - ISC 5 | - AFL-2.1 6 | - AFL-3.0 7 | - Artistic-1.0 8 | - Artistic-2.0 9 | - Apache-1.1 10 | - BSD-1-Clause 11 | - BSD-2-Clause 12 | - BSD-3-Clause 13 | - 0BSD 14 | - FTL 15 | - LPL-1.02 16 | - 
MS-PL 17 | - MIT 18 | - NCSA 19 | - OpenSSL 20 | - PHP-3.0 21 | - TCP-wrappers 22 | - W3C 23 | - Xnet 24 | - Zlib 25 | 26 | reciprocal_licenses: 27 | - CC0-1.0 28 | - APSL-2.0 29 | - CDDL-1.0 30 | - CDDL-1.1 31 | - CPL-1.0 32 | - EPL-1.0 33 | - IPL-1.0 34 | - MPL-1.0 35 | - MPL-1.1 36 | - MPL-2.0 37 | - MPL-2.0-no-copyleft-exception 38 | - Ruby 39 | 40 | restricted_licenses: 41 | - GPL-1.0-only 42 | - GPL-1.0-or-later 43 | - GPL-2.0-only 44 | - GPL-2.0-or-later 45 | - GPL-3.0-only 46 | - GPL-3.0-or-later 47 | - LGPL-2.0-only 48 | - LGPL-2.0-or-later 49 | - LGPL-2.1-only 50 | - LGPL-2.1-or-later 51 | - LGPL-3.0-only 52 | - LGPL-3.0-or-later 53 | - NPL-1.0 54 | - NPL-1.1 55 | - OSL-1.0 56 | - OSL-1.1 57 | - OSL-2.0 58 | - OSL-2.1 59 | - OSL-3.0 60 | - QPL-1.0 61 | - Sleepycat 62 | 63 | allowlisted_modules: 64 | # MIT: https://github.com/ghodss/yaml/blob/master/LICENSE 65 | - github.com/ghodss/yaml 66 | 67 | # BSD: https://github.com/gogo/protobuf/blob/master/LICENSE 68 | - github.com/gogo/protobuf 69 | 70 | # BSD: https://github.com/magiconair/properties/blob/master/LICENSE.md 71 | - github.com/magiconair/properties 72 | 73 | # Apache 2.0 74 | - github.com/spf13/cobra 75 | - github.com/spf13/afero 76 | 77 | # Public domain: https://github.com/xi2/xz/blob/master/LICENSE 78 | - github.com/xi2/xz 79 | 80 | # Helm is Apache 2.0: https://github.com/helm/helm/blob/master/LICENSE 81 | # However, it has a bunch of LICENSE test files that our linter fails to understand 82 | - helm.sh/helm/v3 83 | 84 | # https://github.com/pelletier/go-toml/blob/master/LICENSE 85 | # Uses MIT for everything, except a few files copied from 86 | # google's civil library that uses Apache 2 87 | - github.com/pelletier/go-toml 88 | 89 | # https://github.com/xeipuuv/gojsonpointer/blob/master/LICENSE-APACHE-2.0.txt 90 | - github.com/xeipuuv/gojsonpointer 91 | # https://github.com/xeipuuv/gojsonreference/blob/master/LICENSE-APACHE-2.0.txt 92 | - github.com/xeipuuv/gojsonreference 93 | # Apache 2.0: 
https://github.com/xeipuuv/gojsonschema/blob/master/LICENSE-APACHE-2.0.txt 94 | - github.com/xeipuuv/gojsonschema 95 | 96 | # Apache 2.0 (but missing appendix): https://github.com/garyburd/redigo/blob/master/LICENSE 97 | - github.com/garyburd/redigo 98 | - github.com/gomodule/redigo 99 | 100 | # Apache 2.0 101 | # github.com/ghodss/yaml: MIT / BSD-3 102 | # github.com/gogo/protobuf: BSD-3 103 | # github.com/jmespath/go-jmespath: Apache 2.0 104 | # sigs.k8s.io/yaml: MIT / BSD-3 105 | - github.com/tektoncd/pipeline 106 | 107 | # MIT: https://github.com/kubernetes-sigs/yaml/blob/master/LICENSE 108 | - sigs.k8s.io/yaml 109 | 110 | # https://github.com/go-errors/errors/blob/master/LICENSE.MIT 111 | - github.com/go-errors/errors 112 | 113 | # runc is Apache 2.0: https://github.com/opencontainers/runc/blob/master/LICENSE 114 | # but it contains BSD dep which our linter fails to understand: https://github.com/opencontainers/runc/blob/v0.1.1/Godeps/_workspace/src/github.com/golang/protobuf/LICENSE 115 | - github.com/opencontainers/runc 116 | 117 | # MIT: https://github.com/felixge/fgprof/blob/master/LICENSE.txt 118 | - github.com/felixge/fgprof 119 | 120 | # Apache 2.0 121 | - github.com/google/pprof 122 | 123 | # MIT: https://github.com/invopop/yaml/blob/v0.1.0/LICENSE 124 | - github.com/invopop/yaml 125 | 126 | # Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt 127 | - github.com/russross/blackfriday 128 | - github.com/russross/blackfriday/v2 -------------------------------------------------------------------------------- /proto/google/protobuf/struct.proto: -------------------------------------------------------------------------------- 1 | // Protocol Buffers - Google's data interchange format 2 | // Copyright 2008 Google Inc. All rights reserved. 
3 | // https://developers.google.com/protocol-buffers/ 4 | // 5 | // Redistribution and use in source and binary forms, with or without 6 | // modification, are permitted provided that the following conditions are 7 | // met: 8 | // 9 | // * Redistributions of source code must retain the above copyright 10 | // notice, this list of conditions and the following disclaimer. 11 | // * Redistributions in binary form must reproduce the above 12 | // copyright notice, this list of conditions and the following disclaimer 13 | // in the documentation and/or other materials provided with the 14 | // distribution. 15 | // * Neither the name of Google Inc. nor the names of its 16 | // contributors may be used to endorse or promote products derived from 17 | // this software without specific prior written permission. 18 | // 19 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
30 | 31 | syntax = "proto3"; 32 | 33 | package google.protobuf; 34 | 35 | option csharp_namespace = "Google.Protobuf.WellKnownTypes"; 36 | option cc_enable_arenas = true; 37 | option go_package = "google.golang.org/protobuf/types/known/structpb"; 38 | option java_package = "com.google.protobuf"; 39 | option java_outer_classname = "StructProto"; 40 | option java_multiple_files = true; 41 | option objc_class_prefix = "GPB"; 42 | 43 | // `Struct` represents a structured data value, consisting of fields 44 | // which map to dynamically typed values. In some languages, `Struct` 45 | // might be supported by a native representation. For example, in 46 | // scripting languages like JS a struct is represented as an 47 | // object. The details of that representation are described together 48 | // with the proto support for the language. 49 | // 50 | // The JSON representation for `Struct` is JSON object. 51 | message Struct { 52 | // Unordered map of dynamically typed values. 53 | map fields = 1; 54 | } 55 | 56 | // `Value` represents a dynamically typed value which can be either 57 | // null, a number, a string, a boolean, a recursive struct value, or a 58 | // list of values. A producer of value is expected to set one of these 59 | // variants. Absence of any variant indicates an error. 60 | // 61 | // The JSON representation for `Value` is JSON value. 62 | message Value { 63 | // The kind of value. 64 | oneof kind { 65 | // Represents a null value. 66 | NullValue null_value = 1; 67 | // Represents a double value. 68 | double number_value = 2; 69 | // Represents a string value. 70 | string string_value = 3; 71 | // Represents a boolean value. 72 | bool bool_value = 4; 73 | // Represents a structured value. 74 | Struct struct_value = 5; 75 | // Represents a repeated `Value`. 76 | ListValue list_value = 6; 77 | } 78 | } 79 | 80 | // `NullValue` is a singleton enumeration to represent the null value for the 81 | // `Value` type union. 
82 | // 83 | // The JSON representation for `NullValue` is JSON `null`. 84 | enum NullValue { 85 | // Null value. 86 | NULL_VALUE = 0; 87 | } 88 | 89 | // `ListValue` is a wrapper around a repeated field of values. 90 | // 91 | // The JSON representation for `ListValue` is JSON array. 92 | message ListValue { 93 | // Repeated field of dynamically typed values. 94 | repeated Value values = 1; 95 | } 96 | -------------------------------------------------------------------------------- /src/telemetry.rs: -------------------------------------------------------------------------------- 1 | use std::time::Instant; 2 | 3 | // Copyright Istio Authors 4 | // 5 | // Licensed under the Apache License, Version 2.0 (the "License"); 6 | // you may not use this file except in compliance with the License. 7 | // You may obtain a copy of the License at 8 | // 9 | // http://www.apache.org/licenses/LICENSE-2.0 10 | // 11 | // Unless required by applicable law or agreed to in writing, software 12 | // distributed under the License is distributed on an "AS IS" BASIS, 13 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | // See the License for the specific language governing permissions and 15 | // limitations under the License. 
16 | use once_cell::sync::Lazy; 17 | use once_cell::sync::OnceCell; 18 | use thiserror::Error; 19 | use tracing::{error, info, warn}; 20 | use tracing_subscriber::{filter, filter::EnvFilter, fmt, prelude::*, reload, Layer, Registry}; 21 | 22 | pub static APPLICATION_START_TIME: Lazy = Lazy::new(Instant::now); 23 | static LOG_HANDLE: OnceCell = OnceCell::new(); 24 | 25 | #[cfg(feature = "console")] 26 | pub fn setup_logging() { 27 | Lazy::force(&APPLICATION_START_TIME); 28 | tracing_subscriber::registry() 29 | .with(fmt_layer()) 30 | .with(console_subscriber::spawn()) 31 | .init(); 32 | } 33 | 34 | #[cfg(not(feature = "console"))] 35 | pub fn setup_logging() { 36 | Lazy::force(&APPLICATION_START_TIME); 37 | tracing_subscriber::registry().with(fmt_layer()).init(); 38 | } 39 | 40 | fn fmt_layer() -> impl Layer + Sized { 41 | let format = fmt::format(); 42 | let (filter_layer, reload_handle) = reload::Layer::new( 43 | tracing_subscriber::fmt::layer() 44 | .event_format(format) 45 | .with_filter(default_env_filter()), 46 | ); 47 | LOG_HANDLE 48 | .set(reload_handle) 49 | .map_or_else(|_| warn!("setup log handler failed"), |_| {}); 50 | filter_layer 51 | } 52 | 53 | fn default_env_filter() -> EnvFilter { 54 | EnvFilter::try_from_default_env() 55 | .or_else(|_| EnvFilter::try_new("info")) 56 | .unwrap() 57 | } 58 | 59 | // a handle to get and set the log level 60 | type BoxLayer = fmt::Layer; 61 | type FilteredLayer = filter::Filtered; 62 | type LogHandle = reload::Handle; 63 | 64 | /// set_level dynamically updates the logging level to *include* level. If `reset` is true, it will 65 | /// reset the entire logging configuration first. 
66 | pub fn set_level(reset: bool, level: &str) -> Result<(), Error> { 67 | if let Some(handle) = LOG_HANDLE.get() { 68 | // new_directive will be current_directive + level 69 | //it can be duplicate, but the envfilter's parse() will properly handle it 70 | let new_directive = if let Ok(current) = handle.with_current(|f| f.filter().to_string()) { 71 | if reset { 72 | format!("{},{}", default_env_filter(), level) 73 | } else { 74 | format!("{current},{level}") 75 | } 76 | } else { 77 | level.to_string() 78 | }; 79 | 80 | //create the new EnvFilter based on the new directives 81 | let new_filter = EnvFilter::builder().parse(new_directive)?; 82 | info!("new log filter is {new_filter}"); 83 | 84 | //set the new filter 85 | Ok(handle.modify(|layer| { 86 | *layer.filter_mut() = new_filter; 87 | })?) 88 | } else { 89 | warn!("failed to get log handle"); 90 | Err(Error::Uninitialized) 91 | } 92 | } 93 | 94 | pub fn get_current_loglevel() -> Result { 95 | if let Some(handle) = LOG_HANDLE.get() { 96 | Ok(handle.with_current(|f| f.filter().to_string())?) 97 | } else { 98 | Err(Error::Uninitialized) 99 | } 100 | } 101 | 102 | #[derive(Error, Debug)] 103 | pub enum Error { 104 | #[error("parse failure: {0}")] 105 | InvalidFilter(#[from] filter::ParseError), 106 | #[error("reload failure: {0}")] 107 | Reload(#[from] reload::Error), 108 | #[error("logging is not initialized")] 109 | Uninitialized, 110 | } 111 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/engine.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_ENGINE_H 16 | #define OPENSSL_HEADER_ENGINE_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // Engines are collections of methods. Methods are tables of function pointers, 26 | // defined for certain algorithms, that allow operations on those algorithms to 27 | // be overridden via a callback. This can be used, for example, to implement an 28 | // RSA* that forwards operations to a hardware module. 29 | // 30 | // Methods are reference counted but |ENGINE|s are not. When creating a method, 31 | // you should zero the whole structure and fill in the function pointers that 32 | // you wish before setting it on an |ENGINE|. Any functions pointers that 33 | // are NULL indicate that the default behaviour should be used. 34 | 35 | 36 | // Allocation and destruction. 37 | 38 | // ENGINE_new returns an empty ENGINE that uses the default method for all 39 | // algorithms. 40 | OPENSSL_EXPORT ENGINE *ENGINE_new(void); 41 | 42 | // ENGINE_free decrements the reference counts for all methods linked from 43 | // |engine| and frees |engine| itself. It returns one. 44 | OPENSSL_EXPORT int ENGINE_free(ENGINE *engine); 45 | 46 | 47 | // Method accessors. 48 | // 49 | // Method accessors take a method pointer and the size of the structure. 
The 50 | // size allows for ABI compatibility in the case that the method structure is 51 | // extended with extra elements at the end. Methods are always copied by the 52 | // set functions. 53 | // 54 | // Set functions return one on success and zero on allocation failure. 55 | 56 | OPENSSL_EXPORT int ENGINE_set_RSA_method(ENGINE *engine, 57 | const RSA_METHOD *method, 58 | size_t method_size); 59 | OPENSSL_EXPORT RSA_METHOD *ENGINE_get_RSA_method(const ENGINE *engine); 60 | 61 | OPENSSL_EXPORT int ENGINE_set_ECDSA_method(ENGINE *engine, 62 | const ECDSA_METHOD *method, 63 | size_t method_size); 64 | OPENSSL_EXPORT ECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine); 65 | 66 | 67 | // Generic method functions. 68 | // 69 | // These functions take a void* type but actually operate on all method 70 | // structures. 71 | 72 | // METHOD_ref increments the reference count of |method|. This is a no-op for 73 | // now because all methods are currently static. 74 | void METHOD_ref(void *method); 75 | 76 | // METHOD_unref decrements the reference count of |method| and frees it if the 77 | // reference count drops to zero. This is a no-op for now because all methods 78 | // are currently static. 79 | void METHOD_unref(void *method); 80 | 81 | 82 | // Private functions. 83 | 84 | // openssl_method_common_st contains the common part of all method structures. 85 | // This must be the first member of all method structures. 86 | struct openssl_method_common_st { 87 | int references; // dummy – not used. 
88 | char is_static; 89 | }; 90 | 91 | 92 | #if defined(__cplusplus) 93 | } // extern C 94 | 95 | extern "C++" { 96 | 97 | BSSL_NAMESPACE_BEGIN 98 | 99 | BORINGSSL_MAKE_DELETER(ENGINE, ENGINE_free) 100 | 101 | BSSL_NAMESPACE_END 102 | 103 | } // extern C++ 104 | 105 | #endif 106 | 107 | #define ENGINE_R_OPERATION_NOT_SUPPORTED 100 108 | 109 | #endif // OPENSSL_HEADER_ENGINE_H 110 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Ztunnel 2 | 3 | Ztunnel provides an experimental implementation of the ztunnel component of 4 | [ambient mesh](https://istio.io/latest/blog/2022/introducing-ambient-mesh/). 5 | 6 | Note: `istio/ztunnel` is currently intended for experimental usage only. 7 | 8 | ## Feature Scope 9 | 10 | Ztunnel is intended to be a purpose-built implementation of the node proxy in [ambient mesh](https://istio.io/latest/blog/2022/introducing-ambient-mesh/). 11 | One of its goals is keeping a narrow feature set, implementing only the bare minimum requirements for ambient. 12 | This ensures the project remains simple and high performance. 13 | 14 | Explicitly out of scope for ztunnel are: 15 | * Terminating user HTTP traffic 16 | * Terminating user HTTP traffic (it's worth repeating) 17 | * Generic extensibility such as `ext_authz`, WASM, linked-in extensions, Lua, etc. 18 | 19 | In general, ztunnel does not aim to be a generic extensible proxy; Envoy is better suited for that task. 20 | If a feature is not directly used to implement the node proxy component in ambient mesh, it is unlikely to be accepted. 21 | 22 | ## Building 23 | 24 | ### FIPS 25 | 26 | Ztunnel builds currently enable the `fips` Cargo feature by default, which in turn enables the `fips` feature 27 | on [BoringSSL](https://github.com/cloudflare/boring). 
28 | 29 | FIPS has 30 | [strict requirements](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf) 31 | to ensure that compliance is granted only to the exact binary tested. 32 | FIPS compliance was [granted](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407) 33 | to an old version of BoringSSL that was tested with `Clang 12.0.0`. 34 | 35 | Given that FIPS support will always have special environmental build requirements, we currently work around this by vendoring OS/arch-specific FIPS-compliant binary builds of `boringssl` in [vendor/boringssl-fips/](vendor/boringssl-fips/) 36 | 37 | We vendor FIPS boringssl binaries for 38 | 39 | - `linux/x86_64` 40 | - `linux/arm64` 41 | 42 | To use these vendored libraries and build ztunnel for either of these OS/arch combos, for the moment you must manually edit 43 | [.cargo/config.toml](.cargo/config.toml) and change the values of BORING_BSSL_PATH and BORING_BSSL_INCLUDE_PATH under the `[env]` key to match the path to the vendored libraries for your platform, e.g.: 44 | 45 | #### For linux/x86_64 46 | 47 | ``` toml 48 | BORING_BSSL_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } 49 | BORING_BSSL_INCLUDE_PATH = { value = "vendor/boringssl-fips/include/", force = true, relative = true } 50 | ``` 51 | 52 | #### For linux/arm64 53 | 54 | ``` toml 55 | BORING_BSSL_PATH = { value = "vendor/boringssl-fips/linux_arm64", force = true, relative = true } 56 | BORING_BSSL_INCLUDE_PATH = { value = "vendor/boringssl-fips/include/", force = true, relative = true } 57 | ``` 58 | 59 | Once that's done, you should be able to build: 60 | 61 | ``` shell 62 | cargo build 63 | ``` 64 | 65 | This manual twiddling of environment vars is not ideal, but given that the alternative is prefixing `cargo build` with these envs on every `cargo build/run`, for now we have chosen to hardcode these in `config.toml` - that may be 
revisited in the future depending on local pain and/or evolving `boring` upstream build flows. 66 | 67 | Note that the Dockerfiles used to build these vendored `boringssl` builds may be found in the respective vendor directories, and can serve as a reference for the build environment needed to generate FIPS-compliant ztunnel builds. 68 | 69 | ### Non-FIPS 70 | 71 | If you are building for a platform we don't include vendored FIPS `boringssl` binaries for, or you don't want or need FIPS compliance, note that currently non-FIPS builds are **not supported** by us. However you may build `ztunnel` with a FIPS-less `boringssl` by doing the following: 72 | 73 | 1. Comment out all of the `BORING_BSSL_*` environment variables in `.cargo/config.toml` entirely. 74 | 1. Run `cargo build --no-default-features` 75 | 76 | Some IDEs (such as the [Intellij-series](https://github.com/intellij-rust/intellij-rust/issues/9757)) do not support 77 | globally applying arguments to cargo. In this case, it is probably easier to remove `fips` as a default feature in 78 | `Cargo.toml`. 79 | 80 | ```toml 81 | # ... 82 | [features] 83 | default = [] 84 | # ... 85 | ``` 86 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/rc4.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 | * All rights reserved. 3 | * 4 | * This package is an SSL implementation written 5 | * by Eric Young (eay@cryptsoft.com). 6 | * The implementation was written so as to conform with Netscapes SSL. 7 | * 8 | * This library is free for commercial and non-commercial use as long as 9 | * the following conditions are aheared to. The following conditions 10 | * apply to all code found in this distribution, be it the RC4, RSA, 11 | * lhash, DES, etc., code; not just the SSL code. 
The SSL documentation 12 | * included with this distribution is covered by the same copyright terms 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 | * 15 | * Copyright remains Eric Young's, and as such any Copyright notices in 16 | * the code are not to be removed. 17 | * If this package is used in a product, Eric Young should be given attribution 18 | * as the author of the parts of the library used. 19 | * This can be in the form of a textual message at program startup or 20 | * in documentation (online or textual) provided with the package. 21 | * 22 | * Redistribution and use in source and binary forms, with or without 23 | * modification, are permitted provided that the following conditions 24 | * are met: 25 | * 1. Redistributions of source code must retain the copyright 26 | * notice, this list of conditions and the following disclaimer. 27 | * 2. Redistributions in binary form must reproduce the above copyright 28 | * notice, this list of conditions and the following disclaimer in the 29 | * documentation and/or other materials provided with the distribution. 30 | * 3. All advertising materials mentioning features or use of this software 31 | * must display the following acknowledgement: 32 | * "This product includes cryptographic software written by 33 | * Eric Young (eay@cryptsoft.com)" 34 | * The word 'cryptographic' can be left out if the rouines from the library 35 | * being used are not cryptographic related :-). 36 | * 4. If you include any Windows specific code (or a derivative thereof) from 37 | * the apps directory (application code) you must include an acknowledgement: 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 | * 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 | * SUCH DAMAGE. 51 | * 52 | * The licence and distribution terms for any publically available version or 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be 54 | * copied and put under another distribution licence 55 | * [including the GNU Public Licence.] */ 56 | 57 | #ifndef OPENSSL_HEADER_RC4_H 58 | #define OPENSSL_HEADER_RC4_H 59 | 60 | #include 61 | 62 | #if defined(__cplusplus) 63 | extern "C" { 64 | #endif 65 | 66 | 67 | // RC4. 68 | 69 | 70 | struct rc4_key_st { 71 | uint32_t x, y; 72 | uint32_t data[256]; 73 | } /* RC4_KEY */; 74 | 75 | // RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len| 76 | // bytes of key material from |key|. 77 | OPENSSL_EXPORT void RC4_set_key(RC4_KEY *rc4key, unsigned len, 78 | const uint8_t *key); 79 | 80 | // RC4 encrypts (or decrypts, it's the same with RC4) |len| bytes from |in| to 81 | // |out|. 82 | OPENSSL_EXPORT void RC4(RC4_KEY *key, size_t len, const uint8_t *in, 83 | uint8_t *out); 84 | 85 | 86 | // Deprecated functions. 87 | 88 | // RC4_options returns the string "rc4(ptr,int)". 
89 | OPENSSL_EXPORT const char *RC4_options(void); 90 | 91 | 92 | #if defined(__cplusplus) 93 | } // extern C 94 | #endif 95 | 96 | #endif // OPENSSL_HEADER_RC4_H 97 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/pool.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2016, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_POOL_H 16 | #define OPENSSL_HEADER_POOL_H 17 | 18 | #include 19 | 20 | #include 21 | 22 | #if defined(__cplusplus) 23 | extern "C" { 24 | #endif 25 | 26 | 27 | // Buffers and buffer pools. 28 | // 29 | // |CRYPTO_BUFFER|s are simply reference-counted blobs. A |CRYPTO_BUFFER_POOL| 30 | // is an intern table for |CRYPTO_BUFFER|s. This allows for a single copy of a 31 | // given blob to be kept in memory and referenced from multiple places. 32 | 33 | 34 | DEFINE_STACK_OF(CRYPTO_BUFFER) 35 | 36 | // CRYPTO_BUFFER_POOL_new returns a freshly allocated |CRYPTO_BUFFER_POOL| or 37 | // NULL on error. 38 | OPENSSL_EXPORT CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void); 39 | 40 | // CRYPTO_BUFFER_POOL_free frees |pool|, which must be empty. 
41 | OPENSSL_EXPORT void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool); 42 | 43 | // CRYPTO_BUFFER_new returns a |CRYPTO_BUFFER| containing a copy of |data|, or 44 | // else NULL on error. If |pool| is not NULL then the returned value may be a 45 | // reference to a previously existing |CRYPTO_BUFFER| that contained the same 46 | // data. Otherwise, the returned, fresh |CRYPTO_BUFFER| will be added to the 47 | // pool. 48 | OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, 49 | CRYPTO_BUFFER_POOL *pool); 50 | 51 | // CRYPTO_BUFFER_alloc creates an unpooled |CRYPTO_BUFFER| of the given size and 52 | // writes the underlying data pointer to |*out_data|. It returns NULL on error. 53 | // 54 | // After calling this function, |len| bytes of contents must be written to 55 | // |out_data| before passing the returned pointer to any other BoringSSL 56 | // functions. Once initialized, the |CRYPTO_BUFFER| should be treated as 57 | // immutable. 58 | OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, 59 | size_t len); 60 | 61 | // CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|. 62 | OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS( 63 | CBS *cbs, CRYPTO_BUFFER_POOL *pool); 64 | 65 | // CRYPTO_BUFFER_free decrements the reference count of |buf|. If there are no 66 | // other references, or if the only remaining reference is from a pool, then 67 | // |buf| will be freed. 68 | OPENSSL_EXPORT void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf); 69 | 70 | // CRYPTO_BUFFER_up_ref increments the reference count of |buf| and returns 71 | // one. 72 | OPENSSL_EXPORT int CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf); 73 | 74 | // CRYPTO_BUFFER_data returns a pointer to the data contained in |buf|. 75 | OPENSSL_EXPORT const uint8_t *CRYPTO_BUFFER_data(const CRYPTO_BUFFER *buf); 76 | 77 | // CRYPTO_BUFFER_len returns the length, in bytes, of the data contained in 78 | // |buf|. 
79 | OPENSSL_EXPORT size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf); 80 | 81 | // CRYPTO_BUFFER_init_CBS initialises |out| to point at the data from |buf|. 82 | OPENSSL_EXPORT void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out); 83 | 84 | 85 | #if defined(__cplusplus) 86 | } // extern C 87 | 88 | extern "C++" { 89 | 90 | BSSL_NAMESPACE_BEGIN 91 | 92 | BORINGSSL_MAKE_DELETER(CRYPTO_BUFFER_POOL, CRYPTO_BUFFER_POOL_free) 93 | BORINGSSL_MAKE_DELETER(CRYPTO_BUFFER, CRYPTO_BUFFER_free) 94 | BORINGSSL_MAKE_UP_REF(CRYPTO_BUFFER, CRYPTO_BUFFER_up_ref) 95 | 96 | BSSL_NAMESPACE_END 97 | 98 | } // extern C++ 99 | 100 | #endif 101 | 102 | #endif // OPENSSL_HEADER_POOL_H 103 | -------------------------------------------------------------------------------- /scripts/ztunnel-redirect.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # shellcheck disable=SC2086 3 | # This script sets up redirection in the ztunnel network namespace for namespaced tests (tests/README.md) 4 | set -ex 5 | 6 | INSTANCE_IP="${1:?INSTANCE_IP}" 7 | shift 8 | 9 | 10 | # tproxy mark, it's only used here. 11 | MARK=0x400/0xfff 12 | ORG_SRC_RET_MARK=0x4d3/0xfff 13 | 14 | # Below is from config.sh but used in redirect-worker.sh as well 15 | POD_OUTBOUND=15001 16 | POD_INBOUND=15008 17 | POD_INBOUND_PLAINTEXT=15006 18 | 19 | INBOUND_TUN=istioin 20 | OUTBOUND_TUN=istioout 21 | 22 | # TODO: look into why link local (169.254.x.x) address didn't work 23 | # they don't respond to ARP. 
24 | INBOUND_TUN_IP=192.168.126.1 25 | ZTUNNEL_INBOUND_TUN_IP=192.168.126.2 26 | OUTBOUND_TUN_IP=192.168.127.1 27 | ZTUNNEL_OUTBOUND_TUN_IP=192.168.127.2 28 | TUN_PREFIX=30 29 | 30 | HOST_IP=$(ip route | grep default | awk '{print $3}') 31 | 32 | ip link add name p$INBOUND_TUN type geneve id 1000 remote $HOST_IP 33 | ip addr add $ZTUNNEL_INBOUND_TUN_IP/$TUN_PREFIX dev p$INBOUND_TUN 34 | 35 | ip link add name p$OUTBOUND_TUN type geneve id 1001 remote $HOST_IP 36 | ip addr add $ZTUNNEL_OUTBOUND_TUN_IP/$TUN_PREFIX dev p$OUTBOUND_TUN 37 | 38 | ip link set p$INBOUND_TUN up 39 | ip link set p$OUTBOUND_TUN up 40 | 41 | echo 0 > /proc/sys/net/ipv4/conf/p$INBOUND_TUN/rp_filter 42 | echo 0 > /proc/sys/net/ipv4/conf/p$OUTBOUND_TUN/rp_filter 43 | 44 | ip rule add priority 20000 fwmark $MARK lookup 100 45 | ip rule add priority 20003 fwmark $ORG_SRC_RET_MARK lookup 100 46 | ip route add local 0.0.0.0/0 dev lo table 100 47 | 48 | ip route add table 101 $HOST_IP dev eth0 scope link 49 | ip route add table 101 0.0.0.0/0 via $OUTBOUND_TUN_IP dev p$OUTBOUND_TUN 50 | 51 | ip route add table 102 $HOST_IP dev eth0 scope link 52 | ip route add table 102 0.0.0.0/0 via $INBOUND_TUN_IP dev p$INBOUND_TUN 53 | 54 | set +e 55 | num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -c '^-') 56 | if [ "${num_legacy_lines}" -ge 10 ]; then 57 | mode=legacy 58 | else 59 | num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep -c '^-') 60 | if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then 61 | mode=legacy 62 | else 63 | mode=nft 64 | fi 65 | fi 66 | IPTABLES=iptables-legacy 67 | if [ "${mode}" = "nft" ]; then 68 | IPTABLES=iptables-nft 69 | fi 70 | set -e 71 | 72 | $IPTABLES -w -t mangle -F PREROUTING 73 | $IPTABLES -w -t nat -F OUTPUT 74 | 75 | $IPTABLES -w -t mangle -A PREROUTING -p tcp -i p$INBOUND_TUN -m tcp --dport=$POD_INBOUND -j TPROXY --tproxy-mark $MARK --on-port $POD_INBOUND --on-ip 
127.0.0.1 76 | $IPTABLES -w -t mangle -A PREROUTING -p tcp -i p$OUTBOUND_TUN -j TPROXY --tproxy-mark $MARK --on-port $POD_OUTBOUND --on-ip 127.0.0.1 77 | $IPTABLES -w -t mangle -A PREROUTING -p tcp -i p$INBOUND_TUN -j TPROXY --tproxy-mark $MARK --on-port $POD_INBOUND_PLAINTEXT --on-ip 127.0.0.1 78 | 79 | $IPTABLES -w -t mangle -A PREROUTING -p tcp -i eth0 ! --dst $INSTANCE_IP -j MARK --set-mark $ORG_SRC_RET_MARK 80 | 81 | # With normal linux routing we need to disable the rp_filter 82 | # as we get packets from a tunnel that doesn't have default routes. 83 | echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter 84 | echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter 85 | echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter 86 | 87 | #$IPTABLES -t mangle -I PREROUTING -j LOG --log-prefix "mangle pre [zt] " 88 | #$IPTABLES -t mangle -I POSTROUTING -j LOG --log-prefix "mangle post [zt] " 89 | #$IPTABLES -t mangle -I INPUT -j LOG --log-prefix "mangle inp [zt] " 90 | #$IPTABLES -t mangle -I OUTPUT -j LOG --log-prefix "mangle out [zt] " 91 | #$IPTABLES -t mangle -I FORWARD -j LOG --log-prefix "mangle fw [zt] " 92 | #$IPTABLES -t nat -I POSTROUTING -j LOG --log-prefix "nat post [zt] " 93 | #$IPTABLES -t nat -I INPUT -j LOG --log-prefix "nat inp [zt] " 94 | #$IPTABLES -t nat -I OUTPUT -j LOG --log-prefix "nat out [zt] " 95 | #$IPTABLES -t nat -I PREROUTING -j LOG --log-prefix "nat pre [zt] " 96 | #$IPTABLES -t raw -I PREROUTING -j LOG --log-prefix "raw pre [zt] " 97 | #$IPTABLES -t raw -I OUTPUT -j LOG --log-prefix "raw out [zt] " 98 | #$IPTABLES -t filter -I FORWARD -j LOG --log-prefix "filt fw [zt] " 99 | #$IPTABLES -t filter -I OUTPUT -j LOG --log-prefix "filt out [zt] " 100 | #$IPTABLES -t filter -I INPUT -j LOG --log-prefix "filt inp [zt] " 101 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/rand.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, 
Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_RAND_H 16 | #define OPENSSL_HEADER_RAND_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // Random number generation. 26 | 27 | 28 | // RAND_bytes writes |len| bytes of random data to |buf| and returns one. 29 | OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); 30 | 31 | // RAND_cleanup frees any resources used by the RNG. This is not safe if other 32 | // threads might still be calling |RAND_bytes|. 33 | OPENSSL_EXPORT void RAND_cleanup(void); 34 | 35 | 36 | // Obscure functions. 37 | 38 | #if !defined(OPENSSL_WINDOWS) 39 | // RAND_enable_fork_unsafe_buffering enables efficient buffered reading of 40 | // /dev/urandom. It adds an overhead of a few KB of memory per thread. It must 41 | // be called before the first call to |RAND_bytes|. 42 | // 43 | // |fd| must be -1. We no longer support setting the file descriptor with this 44 | // function. 45 | // 46 | // It has an unusual name because the buffer is unsafe across calls to |fork|. 47 | // Hence, this function should never be called by libraries. 
48 | OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd); 49 | #endif 50 | 51 | #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 52 | // RAND_reset_for_fuzzing resets the fuzzer-only deterministic RNG. This 53 | // function is only defined in the fuzzer-only build configuration. 54 | OPENSSL_EXPORT void RAND_reset_for_fuzzing(void); 55 | #endif 56 | 57 | 58 | // Deprecated functions 59 | 60 | // RAND_pseudo_bytes is a wrapper around |RAND_bytes|. 61 | OPENSSL_EXPORT int RAND_pseudo_bytes(uint8_t *buf, size_t len); 62 | 63 | // RAND_seed reads a single byte of random data to ensure that any file 64 | // descriptors etc are opened. 65 | OPENSSL_EXPORT void RAND_seed(const void *buf, int num); 66 | 67 | // RAND_load_file returns a nonnegative number. 68 | OPENSSL_EXPORT int RAND_load_file(const char *path, long num); 69 | 70 | // RAND_file_name returns NULL. 71 | OPENSSL_EXPORT const char *RAND_file_name(char *buf, size_t num); 72 | 73 | // RAND_add does nothing. 74 | OPENSSL_EXPORT void RAND_add(const void *buf, int num, double entropy); 75 | 76 | // RAND_egd returns 255. 77 | OPENSSL_EXPORT int RAND_egd(const char *); 78 | 79 | // RAND_poll returns one. 80 | OPENSSL_EXPORT int RAND_poll(void); 81 | 82 | // RAND_status returns one. 83 | OPENSSL_EXPORT int RAND_status(void); 84 | 85 | // rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it 86 | // exists only to be the return type of |RAND_SSLeay|. It's 87 | // external so that variables of this type can be initialized. 88 | struct rand_meth_st { 89 | void (*seed) (const void *buf, int num); 90 | int (*bytes) (uint8_t *buf, size_t num); 91 | void (*cleanup) (void); 92 | void (*add) (const void *buf, int num, double entropy); 93 | int (*pseudorand) (uint8_t *buf, size_t num); 94 | int (*status) (void); 95 | }; 96 | 97 | // RAND_SSLeay returns a pointer to a dummy |RAND_METHOD|. 
98 | OPENSSL_EXPORT RAND_METHOD *RAND_SSLeay(void); 99 | 100 | // RAND_OpenSSL returns a pointer to a dummy |RAND_METHOD|. 101 | OPENSSL_EXPORT RAND_METHOD *RAND_OpenSSL(void); 102 | 103 | // RAND_get_rand_method returns |RAND_SSLeay()|. 104 | OPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void); 105 | 106 | // RAND_set_rand_method returns one. 107 | OPENSSL_EXPORT int RAND_set_rand_method(const RAND_METHOD *); 108 | 109 | 110 | #if defined(__cplusplus) 111 | } // extern C 112 | #endif 113 | 114 | #endif // OPENSSL_HEADER_RAND_H 115 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/blowfish.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 | * All rights reserved. 3 | * 4 | * This package is an SSL implementation written 5 | * by Eric Young (eay@cryptsoft.com). 6 | * The implementation was written so as to conform with Netscapes SSL. 7 | * 8 | * This library is free for commercial and non-commercial use as long as 9 | * the following conditions are aheared to. The following conditions 10 | * apply to all code found in this distribution, be it the RC4, RSA, 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 | * included with this distribution is covered by the same copyright terms 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 | * 15 | * Copyright remains Eric Young's, and as such any Copyright notices in 16 | * the code are not to be removed. 17 | * If this package is used in a product, Eric Young should be given attribution 18 | * as the author of the parts of the library used. 19 | * This can be in the form of a textual message at program startup or 20 | * in documentation (online or textual) provided with the package. 
21 | * 22 | * Redistribution and use in source and binary forms, with or without 23 | * modification, are permitted provided that the following conditions 24 | * are met: 25 | * 1. Redistributions of source code must retain the copyright 26 | * notice, this list of conditions and the following disclaimer. 27 | * 2. Redistributions in binary form must reproduce the above copyright 28 | * notice, this list of conditions and the following disclaimer in the 29 | * documentation and/or other materials provided with the distribution. 30 | * 3. All advertising materials mentioning features or use of this software 31 | * must display the following acknowledgement: 32 | * "This product includes cryptographic software written by 33 | * Eric Young (eay@cryptsoft.com)" 34 | * The word 'cryptographic' can be left out if the rouines from the library 35 | * being used are not cryptographic related :-). 36 | * 4. If you include any Windows specific code (or a derivative thereof) from 37 | * the apps directory (application code) you must include an acknowledgement: 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 | * 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 | * SUCH DAMAGE. 
51 | * 52 | * The licence and distribution terms for any publically available version or 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be 54 | * copied and put under another distribution licence 55 | * [including the GNU Public Licence.] */ 56 | 57 | #ifndef OPENSSL_HEADER_BLOWFISH_H 58 | #define OPENSSL_HEADER_BLOWFISH_H 59 | 60 | #include 61 | 62 | #ifdef __cplusplus 63 | extern "C" { 64 | #endif 65 | 66 | 67 | #define BF_ENCRYPT 1 68 | #define BF_DECRYPT 0 69 | 70 | #define BF_ROUNDS 16 71 | #define BF_BLOCK 8 72 | 73 | typedef struct bf_key_st { 74 | uint32_t P[BF_ROUNDS + 2]; 75 | uint32_t S[4 * 256]; 76 | } BF_KEY; 77 | 78 | OPENSSL_EXPORT void BF_set_key(BF_KEY *key, size_t len, const uint8_t *data); 79 | OPENSSL_EXPORT void BF_encrypt(uint32_t *data, const BF_KEY *key); 80 | OPENSSL_EXPORT void BF_decrypt(uint32_t *data, const BF_KEY *key); 81 | 82 | OPENSSL_EXPORT void BF_ecb_encrypt(const uint8_t *in, uint8_t *out, 83 | const BF_KEY *key, int enc); 84 | OPENSSL_EXPORT void BF_cbc_encrypt(const uint8_t *in, uint8_t *out, 85 | size_t length, const BF_KEY *schedule, 86 | uint8_t *ivec, int enc); 87 | 88 | 89 | #ifdef __cplusplus 90 | } 91 | #endif 92 | 93 | #endif // OPENSSL_HEADER_BLOWFISH_H 94 | -------------------------------------------------------------------------------- /proto/workload.proto: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | package istio.workload; 18 | option go_package="pkg/workloadapi"; 19 | 20 | message Workload { 21 | // Name represents the name for the workload. 22 | // For Kubernetes, this is the pod name. 23 | // This is just for debugging and may be elided as an optimization. 24 | string name = 1; 25 | // Namespace represents the namespace for the workload. 26 | // This is just for debugging and may be elided as an optimization. 27 | string namespace = 2; 28 | 29 | // Address represents the IPv4/IPv6 address for the workload. 30 | // This should be globally unique. 31 | // This should not have a port number. 32 | // TODO: Add network as discriminator 33 | bytes address = 3; 34 | // Network represents the network this workload is on. This may be elided for the default network. 35 | // A (network,address) pair makes up a unique key for a workload *at a point in time*. 36 | string network = 4; 37 | 38 | // Protocol that should be used to connect to this workload. 39 | Protocol protocol = 5; 40 | 41 | // The SPIFFE identity of the workload. The identity is joined to form spiffe://<trust_domain>/ns/<namespace>/sa/<service_account>. 42 | // TrustDomain of the workload. May be elided if this is the mesh wide default (typically cluster.local) 43 | string trust_domain = 6; 44 | // ServiceAccount of the workload. May be elided if this is "default" 45 | string service_account = 7; 46 | 47 | // If present, the waypoint proxy for this workload. 48 | repeated bytes waypoint_addresses = 8; 49 | 50 | // Name of the node the workload runs on 51 | string node = 9; 52 | 53 | // CanonicalName for the workload. Used for telemetry. 54 | string canonical_name = 10; 55 | // CanonicalRevision for the workload. Used for telemetry. 56 | string canonical_revision = 11; 57 | // WorkloadType represents the type of the workload. Used for telemetry. 
58 | WorkloadType workload_type = 12; 59 | // WorkloadName represents the name for the workload (of type WorkloadType). Used for telemetry. 60 | string workload_name = 13; 61 | 62 | // If set, indicates this workload directly speaks HBONE, and we should forward HBONE requests as-is. 63 | bool native_hbone = 14; 64 | 65 | // Virtual IPs defines a set of virtual IP addresses the workload can be reached at. 66 | // Typically these represent Service ClusterIPs. 67 | // The key is an IP address. 68 | map virtual_ips = 15; 69 | 70 | // A list of authorization policies applicable to this workload. 71 | // NOTE: this *only* includes Selector based policies. Namespace and global policies 72 | // are returned out of band. 73 | repeated string authorization_policies = 16; 74 | 75 | WorkloadStatus status = 17; 76 | 77 | // The cluster ID that the workload instance belongs to 78 | string cluster_id = 18; 79 | } 80 | 81 | enum WorkloadStatus { 82 | // Workload is healthy and ready to serve traffic. 83 | HEALTHY = 0; 84 | // Workload is unhealthy and NOT ready to serve traffic. 85 | UNHEALTHY = 1; 86 | } 87 | 88 | enum WorkloadType { 89 | DEPLOYMENT = 0; 90 | CRONJOB = 1; 91 | POD = 2; 92 | JOB = 3; 93 | } 94 | 95 | // PortList represents the ports for a service 96 | message PortList { 97 | repeated Port ports = 1; 98 | } 99 | 100 | message Port { 101 | // Port the service is reached at (frontend). 102 | uint32 service_port = 1; 103 | // Port the service forwards to (backend). 104 | uint32 target_port = 2; 105 | } 106 | 107 | enum Protocol { 108 | // DIRECT means requests should be forwarded as-is. 109 | DIRECT = 0; 110 | // HTTP means requests should be tunneled over HTTP. 111 | // This does not dictate HTTP/1.1 vs HTTP/2; ALPN should be used for that purpose. 
112 | HTTP = 1; 113 | } 114 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/type_check.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 | * All rights reserved. 3 | * 4 | * This package is an SSL implementation written 5 | * by Eric Young (eay@cryptsoft.com). 6 | * The implementation was written so as to conform with Netscapes SSL. 7 | * 8 | * This library is free for commercial and non-commercial use as long as 9 | * the following conditions are aheared to. The following conditions 10 | * apply to all code found in this distribution, be it the RC4, RSA, 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 | * included with this distribution is covered by the same copyright terms 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 | * 15 | * Copyright remains Eric Young's, and as such any Copyright notices in 16 | * the code are not to be removed. 17 | * If this package is used in a product, Eric Young should be given attribution 18 | * as the author of the parts of the library used. 19 | * This can be in the form of a textual message at program startup or 20 | * in documentation (online or textual) provided with the package. 21 | * 22 | * Redistribution and use in source and binary forms, with or without 23 | * modification, are permitted provided that the following conditions 24 | * are met: 25 | * 1. Redistributions of source code must retain the copyright 26 | * notice, this list of conditions and the following disclaimer. 27 | * 2. Redistributions in binary form must reproduce the above copyright 28 | * notice, this list of conditions and the following disclaimer in the 29 | * documentation and/or other materials provided with the distribution. 30 | * 3. 
All advertising materials mentioning features or use of this software 31 | * must display the following acknowledgement: 32 | * "This product includes cryptographic software written by 33 | * Eric Young (eay@cryptsoft.com)" 34 | * The word 'cryptographic' can be left out if the rouines from the library 35 | * being used are not cryptographic related :-). 36 | * 4. If you include any Windows specific code (or a derivative thereof) from 37 | * the apps directory (application code) you must include an acknowledgement: 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 | * 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 | * SUCH DAMAGE. 51 | * 52 | * The licence and distribution terms for any publically available version or 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be 54 | * copied and put under another distribution licence 55 | * [including the GNU Public Licence.] 
*/ 56 | 57 | #ifndef OPENSSL_HEADER_TYPE_CHECK_H 58 | #define OPENSSL_HEADER_TYPE_CHECK_H 59 | 60 | #include 61 | 62 | #if defined(__cplusplus) 63 | extern "C" { 64 | #endif 65 | 66 | 67 | #if defined(__cplusplus) || (defined(_MSC_VER) && !defined(__clang__)) 68 | // In C++ and non-clang MSVC, |static_assert| is a keyword. 69 | #define OPENSSL_STATIC_ASSERT(cond, msg) static_assert(cond, msg) 70 | #else 71 | // C11 defines the |_Static_assert| keyword and the |static_assert| macro in 72 | // assert.h. While the former is available at all versions in Clang and GCC, the 73 | // latter depends on libc and, in glibc, depends on being built in C11 mode. We 74 | // do not require this, for now, so use |_Static_assert| directly. 75 | #define OPENSSL_STATIC_ASSERT(cond, msg) _Static_assert(cond, msg) 76 | #endif 77 | 78 | // CHECKED_CAST casts |p| from type |from| to type |to|. 79 | // 80 | // TODO(davidben): Although this macro is not public API and is unused in 81 | // BoringSSL, wpa_supplicant uses it to define its own stacks. Remove this once 82 | // wpa_supplicant has been fixed. 83 | #define CHECKED_CAST(to, from, p) ((to) (1 ? (p) : (from)0)) 84 | 85 | 86 | #if defined(__cplusplus) 87 | } // extern C 88 | #endif 89 | 90 | #endif // OPENSSL_HEADER_TYPE_CHECK_H 91 | -------------------------------------------------------------------------------- /proto/google/protobuf/wrappers.proto: -------------------------------------------------------------------------------- 1 | // Protocol Buffers - Google's data interchange format 2 | // Copyright 2008 Google Inc. All rights reserved. 3 | // https://developers.google.com/protocol-buffers/ 4 | // 5 | // Redistribution and use in source and binary forms, with or without 6 | // modification, are permitted provided that the following conditions are 7 | // met: 8 | // 9 | // * Redistributions of source code must retain the above copyright 10 | // notice, this list of conditions and the following disclaimer. 
11 | // * Redistributions in binary form must reproduce the above 12 | // copyright notice, this list of conditions and the following disclaimer 13 | // in the documentation and/or other materials provided with the 14 | // distribution. 15 | // * Neither the name of Google Inc. nor the names of its 16 | // contributors may be used to endorse or promote products derived from 17 | // this software without specific prior written permission. 18 | // 19 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | // Wrappers for primitive (non-message) types. These types are useful 32 | // for embedding primitives in the `google.protobuf.Any` type and for places 33 | // where we need to distinguish between the absence of a primitive 34 | // typed field and its default value. 35 | // 36 | // These wrappers have no meaningful use within repeated fields as they lack 37 | // the ability to detect presence on individual elements. 38 | // These wrappers have no meaningful use within a map or a oneof since 39 | // individual entries of a map or fields of a oneof can already detect presence. 
40 | 41 | syntax = "proto3"; 42 | 43 | package google.protobuf; 44 | 45 | option csharp_namespace = "Google.Protobuf.WellKnownTypes"; 46 | option cc_enable_arenas = true; 47 | option go_package = "github.com/golang/protobuf/ptypes/wrappers"; 48 | option java_package = "com.google.protobuf"; 49 | option java_outer_classname = "WrappersProto"; 50 | option java_multiple_files = true; 51 | option objc_class_prefix = "GPB"; 52 | 53 | // Wrapper message for `double`. 54 | // 55 | // The JSON representation for `DoubleValue` is JSON number. 56 | message DoubleValue { 57 | // The double value. 58 | double value = 1; 59 | } 60 | 61 | // Wrapper message for `float`. 62 | // 63 | // The JSON representation for `FloatValue` is JSON number. 64 | message FloatValue { 65 | // The float value. 66 | float value = 1; 67 | } 68 | 69 | // Wrapper message for `int64`. 70 | // 71 | // The JSON representation for `Int64Value` is JSON string. 72 | message Int64Value { 73 | // The int64 value. 74 | int64 value = 1; 75 | } 76 | 77 | // Wrapper message for `uint64`. 78 | // 79 | // The JSON representation for `UInt64Value` is JSON string. 80 | message UInt64Value { 81 | // The uint64 value. 82 | uint64 value = 1; 83 | } 84 | 85 | // Wrapper message for `int32`. 86 | // 87 | // The JSON representation for `Int32Value` is JSON number. 88 | message Int32Value { 89 | // The int32 value. 90 | int32 value = 1; 91 | } 92 | 93 | // Wrapper message for `uint32`. 94 | // 95 | // The JSON representation for `UInt32Value` is JSON number. 96 | message UInt32Value { 97 | // The uint32 value. 98 | uint32 value = 1; 99 | } 100 | 101 | // Wrapper message for `bool`. 102 | // 103 | // The JSON representation for `BoolValue` is JSON `true` and `false`. 104 | message BoolValue { 105 | // The bool value. 106 | bool value = 1; 107 | } 108 | 109 | // Wrapper message for `string`. 110 | // 111 | // The JSON representation for `StringValue` is JSON string. 112 | message StringValue { 113 | // The string value. 
114 | string value = 1; 115 | } 116 | 117 | // Wrapper message for `bytes`. 118 | // 119 | // The JSON representation for `BytesValue` is JSON string. 120 | message BytesValue { 121 | // The bytes value. 122 | bytes value = 1; 123 | } 124 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/cast.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 | * All rights reserved. 3 | * 4 | * This package is an SSL implementation written 5 | * by Eric Young (eay@cryptsoft.com). 6 | * The implementation was written so as to conform with Netscapes SSL. 7 | * 8 | * This library is free for commercial and non-commercial use as long as 9 | * the following conditions are aheared to. The following conditions 10 | * apply to all code found in this distribution, be it the RC4, RSA, 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 | * included with this distribution is covered by the same copyright terms 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 | * 15 | * Copyright remains Eric Young's, and as such any Copyright notices in 16 | * the code are not to be removed. 17 | * If this package is used in a product, Eric Young should be given attribution 18 | * as the author of the parts of the library used. 19 | * This can be in the form of a textual message at program startup or 20 | * in documentation (online or textual) provided with the package. 21 | * 22 | * Redistribution and use in source and binary forms, with or without 23 | * modification, are permitted provided that the following conditions 24 | * are met: 25 | * 1. Redistributions of source code must retain the copyright 26 | * notice, this list of conditions and the following disclaimer. 27 | * 2. 
Redistributions in binary form must reproduce the above copyright 28 | * notice, this list of conditions and the following disclaimer in the 29 | * documentation and/or other materials provided with the distribution. 30 | * 3. All advertising materials mentioning features or use of this software 31 | * must display the following acknowledgement: 32 | * "This product includes cryptographic software written by 33 | * Eric Young (eay@cryptsoft.com)" 34 | * The word 'cryptographic' can be left out if the rouines from the library 35 | * being used are not cryptographic related :-). 36 | * 4. If you include any Windows specific code (or a derivative thereof) from 37 | * the apps directory (application code) you must include an acknowledgement: 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 | * 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 | * SUCH DAMAGE. 51 | * 52 | * The licence and distribution terms for any publically available version or 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be 54 | * copied and put under another distribution licence 55 | * [including the GNU Public Licence.] 
*/ 56 | 57 | #ifndef OPENSSL_HEADER_CAST_H 58 | #define OPENSSL_HEADER_CAST_H 59 | 60 | #include 61 | 62 | #ifdef __cplusplus 63 | extern "C" { 64 | #endif 65 | 66 | 67 | #define CAST_ENCRYPT 1 68 | #define CAST_DECRYPT 0 69 | 70 | #define CAST_BLOCK 8 71 | #define CAST_KEY_LENGTH 16 72 | 73 | typedef struct cast_key_st { 74 | uint32_t data[32]; 75 | int short_key; // Use reduced rounds for short key 76 | } CAST_KEY; 77 | 78 | OPENSSL_EXPORT void CAST_set_key(CAST_KEY *key, size_t len, 79 | const uint8_t *data); 80 | OPENSSL_EXPORT void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out, 81 | const CAST_KEY *key, int enc); 82 | OPENSSL_EXPORT void CAST_encrypt(uint32_t *data, const CAST_KEY *key); 83 | OPENSSL_EXPORT void CAST_decrypt(uint32_t *data, const CAST_KEY *key); 84 | OPENSSL_EXPORT void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out, 85 | size_t length, const CAST_KEY *ks, 86 | uint8_t *iv, int enc); 87 | 88 | OPENSSL_EXPORT void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out, 89 | size_t length, const CAST_KEY *schedule, 90 | uint8_t *ivec, int *num, int enc); 91 | 92 | #ifdef __cplusplus 93 | } 94 | #endif 95 | 96 | #endif // OPENSSL_HEADER_CAST_H 97 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/hrss.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2018, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_HRSS_H 16 | #define OPENSSL_HEADER_HRSS_H 17 | // NOTE(review): the header named by the #include below was lost in this rendering; check the upstream file. 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | // HRSS 25 | // 26 | // HRSS is a structured-lattice-based post-quantum key encapsulation mechanism. 27 | // The best exposition is https://eprint.iacr.org/2017/667.pdf although this 28 | // implementation uses a different KEM construction based on 29 | // https://eprint.iacr.org/2017/1005.pdf. 30 | // HRSS_private_key and HRSS_public_key are opaque: only their sizes are exposed so callers can allocate them; the layout belongs to the implementation. The wire form of a public key is HRSS_PUBLIC_KEY_BYTES long (smaller than the struct) and is produced/consumed by HRSS_marshal_public_key/HRSS_parse_public_key. HRSS_private_key holds secret material: zeroise it when no longer needed. 31 | struct HRSS_private_key { 32 | uint8_t opaque[1808]; 33 | }; 34 | 35 | struct HRSS_public_key { 36 | uint8_t opaque[1424]; 37 | }; 38 | 39 | // HRSS_SAMPLE_BYTES is the number of bytes of entropy needed to generate a 40 | // short vector. There are 701 coefficients, but the final one is always set to 41 | // zero when sampling. Otherwise, we need one byte of input per coefficient. 42 | #define HRSS_SAMPLE_BYTES (701 - 1) 43 | // HRSS_GENERATE_KEY_BYTES is the number of bytes of entropy needed to generate 44 | // an HRSS key pair. 45 | #define HRSS_GENERATE_KEY_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES + 32) 46 | // HRSS_ENCAP_BYTES is the number of bytes of entropy needed to encapsulate a 47 | // session key. 48 | #define HRSS_ENCAP_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES) 49 | // HRSS_PUBLIC_KEY_BYTES is the number of bytes in a public key. 50 | #define HRSS_PUBLIC_KEY_BYTES 1138 51 | // HRSS_CIPHERTEXT_BYTES is the number of bytes in a ciphertext. 52 | #define HRSS_CIPHERTEXT_BYTES 1138 53 | // HRSS_KEY_BYTES is the number of bytes in a shared key. 
54 | #define HRSS_KEY_BYTES 32 55 | // HRSS_POLY3_BYTES is the number of bytes needed to serialise a mod 3 56 | // polynomial. 57 | #define HRSS_POLY3_BYTES 140 58 | #define HRSS_PRIVATE_KEY_BYTES \ 59 | (HRSS_POLY3_BYTES * 2 + HRSS_PUBLIC_KEY_BYTES + 2 + 32) 60 | // HRSS_PRIVATE_KEY_BYTES (above) is presumably the size of a serialised private key: two mod-3 polynomials, the public key, plus 2 + 32 bytes. It is smaller than sizeof(struct HRSS_private_key). No marshal/parse function for private keys is declared in this header. 61 | // HRSS_generate_key is a deterministic function that outputs a public and 62 | // private key based on the given entropy. Because it is deterministic, |input| must be fresh secret randomness of HRSS_GENERATE_KEY_BYTES bytes; reusing it reproduces the same key pair. 63 | OPENSSL_EXPORT void HRSS_generate_key( 64 | struct HRSS_public_key *out_pub, struct HRSS_private_key *out_priv, 65 | const uint8_t input[HRSS_GENERATE_KEY_BYTES]); 66 | 67 | // HRSS_encap is a deterministic function that generates and encrypts a random 68 | // session key from the given entropy, writing those values to |out_shared_key| 69 | // and |out_ciphertext|, respectively. As with key generation, |in| must be fresh secret randomness; reusing it reproduces the same ciphertext and shared key. 70 | OPENSSL_EXPORT void HRSS_encap(uint8_t out_ciphertext[HRSS_CIPHERTEXT_BYTES], 71 | uint8_t out_shared_key[HRSS_KEY_BYTES], 72 | const struct HRSS_public_key *in_pub, 73 | const uint8_t in[HRSS_ENCAP_BYTES]); 74 | 75 | // HRSS_decap decrypts a session key from |ciphertext_len| bytes of 76 | // |ciphertext|. If the ciphertext is valid, the decrypted key is written to 77 | // |out_shared_key|. Otherwise the HMAC of |ciphertext| under a secret key (kept 78 | // in |in_priv|) is written. If the ciphertext is the wrong length then it will 79 | // leak which was done via side-channels. Otherwise it should perform either 80 | // action in constant-time. Note the void return: there is no failure signal, so callers must not try to branch on whether decapsulation succeeded; the HMAC-derived value simply serves as the shared key in the invalid case. 81 | OPENSSL_EXPORT void HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES], 82 | const struct HRSS_private_key *in_priv, 83 | const uint8_t *ciphertext, 84 | size_t ciphertext_len); 85 | 86 | // HRSS_marshal_public_key serialises |in_pub| to |out|. 87 | OPENSSL_EXPORT void HRSS_marshal_public_key( 88 | uint8_t out[HRSS_PUBLIC_KEY_BYTES], const struct HRSS_public_key *in_pub); 89 | 90 | // HRSS_parse_public_key sets |*out| to the public-key encoded in |in|. It 91 | // returns one on success and zero on error. 
92 | OPENSSL_EXPORT int HRSS_parse_public_key( 93 | struct HRSS_public_key *out, const uint8_t in[HRSS_PUBLIC_KEY_BYTES]); 94 | 95 | 96 | #if defined(__cplusplus) 97 | } // extern C 98 | #endif 99 | 100 | #endif // OPENSSL_HEADER_HRSS_H 101 | --------------------------------------------------------------------------------