add verifier

Signed-off-by: He Jie Xu <[email protected]>
soulxu · Mar 27, 2024 · 88c2537 · 88c2537
1 parent a05a06f
commit 88c2537
Show file tree

Hide file tree

Showing 6 changed files with 160 additions and 1 deletion.
diff --git a/source/common/tls/cert_validator/BUILD b/source/common/tls/cert_validator/BUILD
@@ -2,26 +2,74 @@ load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
     "envoy_package",
+    "envoy_cmake",
 )
 
 licenses(["notice"])  # Apache 2
 
 envoy_package()
 
+envoy_cmake(
+    name = "ipp-crypto",
+    cache_entries = {
+        "BORINGSSL": "on",
+        "DYNAMIC_LIB": "off",
+        "MB_STANDALONE": "off",
+    },
+    defines = [
+        "OPENSSL_USE_STATIC_LIBS=TRUE",
+    ],
+    lib_source = "@com_github_intel_ipp_crypto_crypto_mb//:all",
+    out_lib_dir = "lib/intel64",
+    out_static_libs = ["libcrypto_mb.a"],
+    tags = ["skip_on_windows"],
+    visibility = ["//visibility:private"],
+    working_directory = "sources/ippcp/crypto_mb",
+    # Use boringssl alias to select fips vs non-fips version.
+    deps = ["//bazel:boringssl"],
+)
+
+envoy_cc_library(
+    name = "ipp_crypto_wrapper_lib",
+    hdrs = ["ipp_crypto.h"] + select({
+        "//bazel:linux_x86_64": [
+            "ipp_crypto_impl.h",
+        ],
+        "//conditions:default": [
+        ],
+    }),
+    defines = select({
+        "//bazel:linux_x86_64": [],
+        "//conditions:default": [
+            "IPP_CRYPTO_DISABLED=1",
+        ],
+    }),
+    external_deps = ["ssl"],
+    repository = "@envoy",
+    deps = select({
+        "//bazel:linux_x86_64": [
+            ":ipp-crypto",
+        ],
+        "//conditions:default": [],
+    }),
+)
+
 envoy_cc_library(
     name = "cert_validator_lib",
     srcs = [
         "default_validator.cc",
         "factory.cc",
         "san_matcher.cc",
         "utility.cc",
+        "verifier.cc",
     ],
     hdrs = [
         "cert_validator.h",
         "default_validator.h",
         "factory.h",
         "san_matcher.h",
         "utility.h",
+        "verifier.h",
     ],
     external_deps = [
         "ssl",
@@ -30,6 +78,7 @@ envoy_cc_library(
     ],
     visibility = ["//visibility:public"],
     deps = [
+        ":ipp_crypto_wrapper_lib",
         "//envoy/config:typed_config_interface",
         "//envoy/ssl:context_config_interface",
         "//envoy/ssl:ssl_socket_extended_info_interface",

diff --git a/source/common/tls/cert_validator/default_validator.cc b/source/common/tls/cert_validator/default_validator.cc
@@ -30,6 +30,7 @@
 #include "source/common/tls/cert_validator/cert_validator.h"
 #include "source/common/tls/cert_validator/factory.h"
 #include "source/common/tls/cert_validator/utility.h"
+#include "source/common/tls/cert_validator/verifier.h"
 #include "source/common/tls/stats.h"
 #include "source/common/tls/utility.h"
 
@@ -316,7 +317,9 @@ ValidationResults DefaultCertValidator::doVerifyCertChain(
       return {ValidationResults::ValidationStatus::Failed,
               Envoy::Ssl::ClientValidationStatus::Failed, absl::nullopt, error};
     }
-    const bool verify_succeeded = (X509_verify_cert(ctx.get()) == 1);
+    CryptoMBVerifier verifier;
+    const bool verify_succeeded = (verifier.verify(ctx.get()) == ValidationResults::ValidationStatus::Successful);
+    // const bool verify_succeeded = (X509_verify_cert(ctx.get()) == 1);
 
     if (!verify_succeeded) {
       const std::string error =

diff --git a/source/common/tls/cert_validator/ipp_crypto.h b/source/common/tls/cert_validator/ipp_crypto.h
@@ -0,0 +1,31 @@
+#pragma once
+
+#include "envoy/common/pure.h"
+
+#include "openssl/ssl.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class IppCrypto {
+public:
+  virtual ~IppCrypto() = default;
+
+  virtual int mbxIsCryptoMbApplicable(uint64_t features) PURE;
+  virtual uint32_t mbx_nistp256_ecdsa_verify_mb8(const uint8_t* const pa_sign_r[8],
+                                                  const uint8_t* const pa_sign_s[8],
+                                                  const uint8_t* const pa_msg[8],
+                                                 const uint64_t* const pa_pubx[8],
+                                                 const uint64_t* const pa_puby[8],
+                                                 const uint64_t* const pa_pubz[8],
+                                                        uint8_t* pBuffer) PURE;
+};
+
+using IppCryptoSharedPtr = std::shared_ptr<IppCrypto>;
+
+} // Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/common/tls/cert_validator/ipp_crypto_impl.h b/source/common/tls/cert_validator/ipp_crypto_impl.h
@@ -0,0 +1,33 @@
+#pragma once
+
+#include "contrib/cryptomb/private_key_providers/source/ipp_crypto.h"
+#include "crypto_mb/cpu_features.h"
+#include "crypto_mb/ec_nistp256.h"
+#include "crypto_mb/rsa.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class IppCryptoImpl : public virtual IppCrypto {
+public:
+  int mbxIsCryptoMbApplicable(uint64_t features) override {
+    return ::mbx_is_crypto_mb_applicable(features);
+  }
+  uint32_t mbx_nistp256_ecdsa_verify_mb8(const uint8_t* const pa_sign_r[8],
+                                                  const uint8_t* const pa_sign_s[8],
+                                                  const uint8_t* const pa_msg[8],
+                                                 const uint64_t* const pa_pubx[8],
+                                                 const uint64_t* const pa_puby[8],
+                                                 const uint64_t* const pa_pubz[8],
+                                                        uint8_t* pBuffer) override {
+    return ::mbx_nistp256_ecdsa_verify_mb8(pa_sign_r, pa_sign_s, pa_msg, pa_pubx,
+                                           pa_puby, pa_pubz, pBuffer);
+  }
+};
+
+} // Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/common/tls/cert_validator/verifier.cc b/source/common/tls/cert_validator/verifier.cc
@@ -0,0 +1,25 @@
+#include "verifier.h"
+
+#include "openssl/ssl.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+ValidationResults::ValidationStatus CryptoMBVerifier::verify(X509_STORE_CTX *ctx) {
+    // int n = (int)sk_X509_num(ctx->chain);
+    // n--;
+    // X509 *xi = sk_X509_value(ctx->chain, n);
+    // EVP_PKEY *pkey = X509_get_pubkey(xi);
+
+    if (X509_verify_cert(ctx) == 1) {
+        return ValidationResults::ValidationStatus::Successful;
+    }
+    return ValidationResults::ValidationStatus::Failed;
+}
+
+} // Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/common/tls/cert_validator/verifier.h b/source/common/tls/cert_validator/verifier.h
@@ -0,0 +1,18 @@
+#pragma once
+
+#include "source/common/tls/cert_validator/cert_validator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class CryptoMBVerifier {
+public: 
+    ValidationResults::ValidationStatus verify(X509_STORE_CTX *ctx);
+};
+
+} // Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy