From 65471be9df1ea911b1f9c2b8e30c1e1a6510d0d0 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 12 Jan 2022 02:33:13 -0800 Subject: [PATCH] Allow using system's crypto library instead of BoringSSL. Use: bazel test --define crypto=system //test/... Signed-off-by: Piotr Sikora --- .github/workflows/cpp.yml | 16 ++++++++++++++-- BUILD | 10 ++++++++-- bazel/BUILD | 5 +++++ src/signature_util.cc | 26 ++++++++++++++++++++++++-- 4 files changed, 51 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cpp.yml b/.github/workflows/cpp.yml index cb344058..c0c8bcc8 100644 --- a/.github/workflows/cpp.yml +++ b/.github/workflows/cpp.yml @@ -69,6 +69,7 @@ jobs: - name: 'V8 on Linux' runtime: 'v8' os: ubuntu-20.04 + flags: '--define crypto=system' - name: 'V8 on macOS' runtime: 'v8' os: macos-11 @@ -110,11 +111,22 @@ jobs: - name: Test run: | - bazel test --test_output=errors --define runtime=${{ matrix.runtime }} //test/... + bazel test \ + --verbose_failures \ + --test_output=errors \ + --define runtime=${{ matrix.runtime }} \ + ${{ matrix.flags }} \ + //test/... - name: Test (signed Wasm module) run: | - bazel test --test_output=errors --define runtime=${{ matrix.runtime }} --per_file_copt=src/signature_util.cc,test/signature_util_test.cc@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" //test:signature_util_test + bazel test \ + --verbose_failures \ + --test_output=errors \ + --define runtime=${{ matrix.runtime }} \ + ${{ matrix.flags }} \ + --per_file_copt=src/signature_util.cc,test/signature_util_test.cc@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" \ + //test:signature_util_test - name: Cleanup Bazel cache if: matrix.runtime != 'wasmtime' diff --git a/BUILD b/BUILD index 66d16d6c..aa5845a6 100644 --- a/BUILD +++ b/BUILD @@ -56,10 +56,16 @@ cc_library( "include/proxy-wasm/bytecode_util.h", "include/proxy-wasm/signature_util.h", ], + linkopts = select({ + "//bazel:crypto_system": ["-lcrypto"], + "//conditions:default": [], + }), deps = [ ":headers", - "@boringssl//:crypto", - ], + ] + select({ + "//bazel:crypto_system": [], + "//conditions:default": ["@boringssl//:crypto"], + }), ) cc_library( diff --git a/bazel/BUILD b/bazel/BUILD index b6eb774c..620b8ebd 100644 --- a/bazel/BUILD +++ b/bazel/BUILD @@ -17,3 +17,8 @@ config_setting( name = "runtime_wavm", values = {"define": "runtime=wavm"}, ) + +config_setting( + name = "crypto_system", + values = {"define": "crypto=system"}, +) diff --git a/src/signature_util.cc b/src/signature_util.cc index 71b1341c..7e3e1d97 100644 --- a/src/signature_util.cc +++ b/src/signature_util.cc @@ -17,8 +17,10 @@ #include #include -#include +#ifdef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY +#include #include +#endif #include "include/proxy-wasm/bytecode_util.h" @@ -103,7 +105,27 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY); - if (!ED25519_verify(hash, sizeof(hash), signature, ed25519_pubkey.data())) { + EVP_PKEY *pubkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, ed25519_pubkey.data(), + 32 /* ED25519_PUBLIC_KEY_LEN */); + if (!pubkey) { + message = "Failed to load the public key"; + return false; + } + + EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + if (!mdctx) { + message = "Failed to allocate memory for EVP_MD_CTX"; + EVP_PKEY_free(pubkey); + return false; + } + + bool ok = EVP_DigestVerifyInit(mdctx, nullptr, nullptr, nullptr, pubkey) && + EVP_DigestVerify(mdctx, signature, 64 /* ED25519_SIGNATURE_LEN */, hash, sizeof(hash)); + + EVP_MD_CTX_free(mdctx); + EVP_PKEY_free(pubkey); + + if (!ok) { message = "Signature mismatch"; return false; }