bssl-compat on bazel 1.35

.github/workflows/envoy-openssl.yml

@@ -25,7 +25,7 @@ jobs:
       uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - run: |
-        ./ci/run_envoy_docker.sh './ci/do_ci.sh gcc //test/...'
+        ./ci/run_envoy_docker.sh './ci/do_ci.sh gcc @bssl-compat//test/... //test/...'
       env:
         BAZEL_BUILD_EXTRA_OPTIONS: >-
           --config=remote-envoy-engflow

WORKSPACE

@@ -5,6 +5,12 @@ local_repository(
     path = "bssl-compat",
 )
 
+new_local_repository(
+    name = "llvm",
+    path = "/opt/llvm",
+    build_file = "//bazel/external:llvm.BUILD",
+)
+
 load("//bazel:api_binding.bzl", "envoy_api_binding")
 
 envoy_api_binding()

bazel/BUILD

@@ -572,12 +572,12 @@ config_setting(
 # Alias pointing to the selected version of BoringSSL:
 alias(
     name = "boringssl",
-    actual = "@envoy//bssl-compat:ssl"
+    actual = "@bssl-compat//:ssl"
 )
-
+    
 alias(
     name = "boringcrypto",
-    actual = "@envoy//bssl-compat:crypto"
+    actual = "@bssl-compat//:crypto"
 )
 
 config_setting(

bazel/boringssl-bssl-compat.patch

@@ -0,0 +1,25 @@
+diff --git a/BUILD.bazel b/BUILD.bazel
+index b7dc359..cd87639 100644
+--- a/BUILD.bazel
++++ b/BUILD.bazel
+@@ -66,6 +66,20 @@ license(
+
+ exports_files(["LICENSE"])
+
++# Export additional files for bssl-compat layer
++exports_files(glob(["include/**/*"]))
++exports_files(glob(["crypto/**/*"]))
++exports_files(glob(["ssl/**/*"]))
++
++filegroup(
++    name = "test_data",
++    srcs = glob([
++        "crypto/x509/test/*.pem",
++        "crypto/pkcs8/test/*.p12",
++    ]),
++    visibility = ["//visibility:public"],
++)
++
+ bssl_cc_library(
+     name = "crypto",
+     srcs = bcm_sources + crypto_sources,

bazel/boringssl-s390x-ppc64le.patch

@@ -0,0 +1,15 @@
+diff --git a/include/openssl/target.h b/include/openssl/target.h
+index 8d4763d..79f52ba 100644
+--- a/include/openssl/target.h
++++ b/include/openssl/target.h
+@@ -54,6 +54,10 @@
+ #define OPENSSL_32_BIT
+ #elif defined(__myriad2__)
+ #define OPENSSL_32_BIT
++#elif defined(__s390__) || defined(__s390x__) || defined(__zarch__)
++#define OPENSSL_64_BIT
++#elif defined(__ppc64le__) || defined(__ARCH_PPC64LE__) || defined(_ARCH_PPC64)
++#define OPENSSL_64_BIT
+ #else
+ // The list above enumerates the platforms that BoringSSL supports. For these
+ // platforms we keep a reasonable bar of not breaking them: automated test

bazel/external/llvm.BUILD

@@ -0,0 +1,20 @@
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+licenses(["notice"])  # Apache 2
+
+# libclang-cpp from llvm, used by the bssl-compat prefixer tool.
+cc_library(
+    name = "libclang-cpp",
+    srcs = glob(["lib/libclang-cpp.*"]),
+    hdrs = glob(["include/**/*"]),
+    includes = ["include"],
+    linkopts = ["-lstdc++"],
+    visibility = ["//visibility:public"],
+)
+
+# The clang compiler built-in headers (stdef.h, limits.h etc)
+filegroup(
+    name = "clang-headers",
+    srcs = glob(["lib/clang/*/include/**/*.h"]),
+    visibility = ["//visibility:public"],
+)

bazel/external/openssl.BUILD

@@ -17,7 +17,18 @@ configure_make(
     targets = ["build_sw", "install_sw"],
     args = ["-j"],
     out_lib_dir = "lib",
-    out_shared_libs = ["libssl.so.3", "libcrypto.so.3"],
+    out_shared_libs = [
+        "libssl.so.3",
+        "libcrypto.so.3",
+        "ossl-modules/legacy.so"
+    ],
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "include",
+    srcs = [":openssl"],
+    output_group = "include",
     visibility = ["//visibility:public"],
 )
 
@@ -35,8 +46,15 @@ filegroup(
     visibility = ["//visibility:private"],
 )
 
+filegroup(
+    name = "legacy",
+    srcs = [":openssl"],
+    output_group = "legacy.so",
+    visibility = ["//visibility:private"],
+)
+
 filegroup(
     name = "libs",
-    srcs = [":libssl", ":libcrypto"],
+    srcs = [":libssl", ":libcrypto", ":legacy"],
     visibility = ["//visibility:public"],
 )

bazel/repositories.bzl

@@ -136,15 +136,16 @@ def envoy_dependencies(skip_targets = []):
     _foreign_cc_dependencies()
 
     _openssl()
+    _boringssl()
 
     # Binding to an alias pointing to the bssl-compat layer
     native.bind(
         name = "ssl",
-        actual = "@envoy//bssl-compat:ssl",
+        actual = "@bssl-compat//:ssl",
     )
     native.bind(
         name = "crypto",
-        actual = "@envoy//bssl-compat:crypto",
+        actual = "@bssl-compat//:crypto",
     )
 
     # The long repo names (`com_github_fmtlib_fmt` instead of `fmtlib`) are
@@ -261,7 +262,14 @@ def envoy_dependencies(skip_targets = []):
     )
 
 def _boringssl():
-    external_http_archive(name = "boringssl")
+    external_http_archive(
+        name = "boringssl",
+        patches = [
+            "@envoy//bazel:boringssl-bssl-compat.patch",
+            "@envoy//bazel:boringssl-s390x-ppc64le.patch",
+        ],
+        patch_args = ["-p1"],
+    )
 
 def _boringssl_fips():
     external_http_archive(