From 65471be9df1ea911b1f9c2b8e30c1e1a6510d0d0 Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 12 Jan 2022 02:33:13 -0800 Subject: [PATCH 1/2] Allow using system's crypto library instead of BoringSSL. Use: bazel test --define crypto=system //test/... Signed-off-by: Piotr Sikora --- .github/workflows/cpp.yml | 16 ++++++++++++++-- BUILD | 10 ++++++++-- bazel/BUILD | 5 +++++ src/signature_util.cc | 26 ++++++++++++++++++++++++-- 4 files changed, 51 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cpp.yml b/.github/workflows/cpp.yml index cb344058b..c0c8bcc89 100644 --- a/.github/workflows/cpp.yml +++ b/.github/workflows/cpp.yml @@ -69,6 +69,7 @@ jobs: - name: 'V8 on Linux' runtime: 'v8' os: ubuntu-20.04 + flags: '--define crypto=system' - name: 'V8 on macOS' runtime: 'v8' os: macos-11 @@ -110,11 +111,22 @@ jobs: - name: Test run: | - bazel test --test_output=errors --define runtime=${{ matrix.runtime }} //test/... + bazel test \ + --verbose_failures \ + --test_output=errors \ + --define runtime=${{ matrix.runtime }} \ + ${{ matrix.flags }} \ + //test/... - name: Test (signed Wasm module) run: | - bazel test --test_output=errors --define runtime=${{ matrix.runtime }} --per_file_copt=src/signature_util.cc,test/signature_util_test.cc@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" //test:signature_util_test + bazel test \ + --verbose_failures \ + --test_output=errors \ + --define runtime=${{ matrix.runtime }} \ + ${{ matrix.flags }} \ + --per_file_copt=src/signature_util.cc,test/signature_util_test.cc@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" \ + //test:signature_util_test - name: Cleanup Bazel cache if: matrix.runtime != 'wasmtime' diff --git a/BUILD b/BUILD index 66d16d6ce..aa5845a6c 100644 --- a/BUILD +++ b/BUILD 
@@ -56,10 +56,16 @@ cc_library( "include/proxy-wasm/bytecode_util.h", "include/proxy-wasm/signature_util.h", ], + linkopts = select({ + "//bazel:crypto_system": ["-lcrypto"], + "//conditions:default": [], + }), deps = [ ":headers", - "@boringssl//:crypto", - ], + ] + select({ + "//bazel:crypto_system": [], + "//conditions:default": ["@boringssl//:crypto"], + }), ) cc_library( diff --git a/bazel/BUILD b/bazel/BUILD index b6eb774cd..620b8ebda 100644 --- a/bazel/BUILD +++ b/bazel/BUILD @@ -17,3 +17,8 @@ config_setting( name = "runtime_wavm", values = {"define": "runtime=wavm"}, ) + +config_setting( + name = "crypto_system", + values = {"define": "crypto=system"}, +) diff --git a/src/signature_util.cc b/src/signature_util.cc index 71b1341ce..7e3e1d976 100644 --- a/src/signature_util.cc +++ b/src/signature_util.cc @@ -17,8 +17,10 @@ #include #include -#include +#ifdef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY +#include #include +#endif #include "include/proxy-wasm/bytecode_util.h" @@ -103,7 +105,27 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY); - if (!ED25519_verify(hash, sizeof(hash), signature, ed25519_pubkey.data())) { + EVP_PKEY *pubkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, ed25519_pubkey.data(), + 32 /* ED25519_PUBLIC_KEY_LEN */); + if (!pubkey) { + message = "Failed to load the public key"; + return false; + } + + EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + if (!mdctx) { + message = "Failed to allocate memory for EVP_MD_CTX"; + EVP_PKEY_free(pubkey); + return false; + } + + bool ok = EVP_DigestVerifyInit(mdctx, nullptr, nullptr, nullptr, pubkey) && + EVP_DigestVerify(mdctx, signature, 64 /* ED25519_SIGNATURE_LEN */, hash, sizeof(hash)); + + EVP_MD_CTX_free(mdctx); + EVP_PKEY_free(pubkey); + + if (!ok) { message = "Signature mismatch"; return false; } From 56684bf82270e0d3c5284e39ddc83f93811713ba Mon Sep 17 00:00:00 2001 
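Review bot: With `crypto=system` the `linkopts` branch links whatever `libcrypto` the host provides, and nothing in this `cc_library` states or checks a minimum version. The EVP calls this patch adds to `src/signature_util.cc` (`EVP_PKEY_new_raw_public_key`, `EVP_DigestVerify`) are available in OpenSSL only from 1.1.1, so an older system library fails late with an unresolved-symbol style error rather than a clear message. I would add a comment above the `select`, for example `# crypto=system: needs OpenSSL >= 1.1.1 (Ed25519 via EVP); version and patch level are the host's responsibility.` The Wasm module signature check then depends on a library this repository does not pin, which is worth stating in the build documentation too.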
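Review bot: The `bool ok = … && …` expression in `SignatureUtil::verifySignature` treats any non-zero return as success, but OpenSSL documents only `1` as success for `EVP_DigestVerify` and allows other non-zero values for errors more serious than a plain mismatch; such a value would convert to `true` and the signature would be accepted. BoringSSL documents only one and zero, so this matters on the new system-crypto path. Compare explicitly: `EVP_DigestVerifyInit(mdctx, nullptr, nullptr, nullptr, pubkey) == 1 &&` followed by `EVP_DigestVerify(mdctx, signature, 64 /* ED25519_SIGNATURE_LEN */, hash, sizeof(hash)) == 1;`. The literal `32` could also be `ed25519_pubkey.size()`; whether `64` can be derived from `signature` is not visible, because the function starts and ends outside the hunk.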
From: Piotr Sikora Date: Wed, 12 Jan 2022 02:33:53 -0800 Subject: [PATCH 2/2] Automatically use system's crypto library on Linux/s390x. BoringSSL doesn't support Linux/s390x. Signed-off-by: Piotr Sikora --- bazel/BUILD | 17 ++++++++++++++++- bazel/repositories.bzl | 9 +++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/bazel/BUILD b/bazel/BUILD index 620b8ebda..e0214a55f 100644 --- a/bazel/BUILD +++ b/bazel/BUILD @@ -1,3 +1,5 @@ +load("@bazel_skylib//lib:selects.bzl", "selects") + config_setting( name = "runtime_v8", values = {"define": "runtime=v8"}, @@ -19,6 +21,19 @@ config_setting( ) config_setting( - name = "crypto_system", + name = "requested_crypto_system", values = {"define": "crypto=system"}, ) + +config_setting( + name = "linux_s390x", + values = {"cpu": "s390x"}, +) + +selects.config_setting_group( + name = "crypto_system", + match_any = [ + ":requested_crypto_system", + ":linux_s390x", + ], +) diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 8ac679bab..2f0c21eb0 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -174,3 +174,12 @@ def proxy_wasm_cpp_host_repositories(): strip_prefix = "rules_python-0.6.0", url = "https://github.com/bazelbuild/rules_python/archive/0.6.0.tar.gz", ) + + http_archive( + name = "bazel_skylib", + urls = [ + "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.1.1/bazel-skylib-1.1.1.tar.gz", + "https://github.com/bazelbuild/bazel-skylib/releases/download/1.1.1/bazel-skylib-1.1.1.tar.gz", + ], + sha256 = "c6966ec828da198c5d9adbaa94c05e3a1c7f21bd012a0b29ba8ddbccb2c93b0d", + )
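Review bot: The `linux_s390x` setting in the second `bazel/BUILD` hunk matches on `cpu = s390x` alone, so its name promises an OS constraint that the rule does not check, and every s390x build gets the host's `libcrypto` through the `crypto_system` group without asking for it. Because that changes which library performs module signature verification, I would document it at the group: `# s390x: BoringSSL is unsupported here, so fall back to the system libcrypto (same effect as --define crypto=system).` Consider naming the setting `cpu_s390x`, or adding an OS constraint if only Linux is intended.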