From 902e37f2cea05891950001e09303a9b0f7428611 Mon Sep 17 00:00:00 2001 From: He Jie Xu Date: Thu, 28 Mar 2024 07:15:15 +0000 Subject: [PATCH] add verify Signed-off-by: He Jie Xu --- .../tls/cert_validator/default_validator.cc | 1 + .../tls/cert_validator/ipp_crypto_impl.h | 8 ++- source/common/tls/cert_validator/verifier.cc | 58 ++++++++++++++++++- source/common/tls/context_impl.cc | 2 + 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/source/common/tls/cert_validator/default_validator.cc b/source/common/tls/cert_validator/default_validator.cc index 50bcad58c36d..9da5282d505d 100644 --- a/source/common/tls/cert_validator/default_validator.cc +++ b/source/common/tls/cert_validator/default_validator.cc @@ -317,6 +317,7 @@ ValidationResults DefaultCertValidator::doVerifyCertChain( return {ValidationResults::ValidationStatus::Failed, Envoy::Ssl::ClientValidationStatus::Failed, absl::nullopt, error}; } + ENVOY_LOG_MISC(debug, "######### before the x509 verify"); CryptoMBVerifier verifier; const bool verify_succeeded = (verifier.verify(ctx.get()) == ValidationResults::ValidationStatus::Successful); // const bool verify_succeeded = (X509_verify_cert(ctx.get()) == 1); diff --git a/source/common/tls/cert_validator/ipp_crypto_impl.h b/source/common/tls/cert_validator/ipp_crypto_impl.h index 078dfa3c5bee..8717c4694021 100644 --- a/source/common/tls/cert_validator/ipp_crypto_impl.h +++ b/source/common/tls/cert_validator/ipp_crypto_impl.h @@ -1,6 +1,6 @@ #pragma once -#include "contrib/cryptomb/private_key_providers/source/ipp_crypto.h" +#include "source/common/tls/cert_validator/ipp_crypto.h" #include "crypto_mb/cpu_features.h" #include "crypto_mb/ec_nistp256.h" #include "crypto_mb/rsa.h" @@ -22,8 +22,10 @@ class IppCryptoImpl : public virtual IppCrypto { const uint64_t* const pa_puby[8], const uint64_t* const pa_pubz[8], uint8_t* pBuffer) override { - return ::mbx_nistp256_ecdsa_verify_mb8(pa_sign_r, pa_sign_s, pa_msg, pa_pubx, - pa_puby, pa_pubz, pBuffer); + return ::mbx_nistp256_ecdsa_verify_mb8(pa_sign_r, pa_sign_s, pa_msg, + reinterpret_cast(&pa_pubx[0]), + reinterpret_cast(&pa_puby[0]), + reinterpret_cast(&pa_pubz[0]), pBuffer); } }; diff --git a/source/common/tls/cert_validator/verifier.cc b/source/common/tls/cert_validator/verifier.cc index e5dd1c9acbee..b49b3045dbb8 100644 --- a/source/common/tls/cert_validator/verifier.cc +++ b/source/common/tls/cert_validator/verifier.cc @@ -1,5 +1,7 @@ #include "verifier.h" +#include "source/common/tls/cert_validator/ipp_crypto_impl.h" + #include "openssl/ssl.h" namespace Envoy { @@ -7,12 +9,66 @@ namespace Extensions { namespace TransportSockets { namespace Tls { +int custom_verify(EVP_PKEY_CTX *ctx, + const uint8_t *sig, size_t siglen, + const uint8_t *, //tbs, + size_t //tbslen + ) { + ENVOY_LOG_MISC(debug, "custom verify!!!!!!!!!!!!!!!!!!\n"); + + uint8_t pa_sign_r[8][32]; + uint8_t pa_sign_s[8][32]; + EVP_PKEY_fetch_parameters(ctx, sig, siglen, &pa_sign_r[0][0], &pa_sign_s[0][0]); + + uint8_t pa_pubx[8][32]; + uint8_t pa_puby[8][32]; + uint8_t pa_pubz[8][32]; + EVP_PKEY_fetch_points(ctx, &pa_pubx[0][0], &pa_puby[0][0], &pa_pubz[0][0]); + + uint8_t *sign_r[8]; + for (int i = 0; i < 8; i++) { + sign_r[i] = &pa_sign_r[i][0]; + } + uint8_t *sign_s[8]; + for (int i = 0; i < 8; i++) { + sign_s[i] = &pa_sign_s[i][0]; + } + + const uint64_t* pubx[8]; + for (int i = 0; i < 8; i++) { + pubx[i] = reinterpret_cast(&pa_pubx[i][0]); + } + const uint64_t* puby[8]; + for (int i = 0; i < 8; i++) { + puby[i] = reinterpret_cast(&pa_puby[i][0]); + } + const uint64_t* pubz[8]; + for (int i = 0; i < 8; i++) { + pubz[i] = reinterpret_cast(&pa_pubz[i][0]); + } + const uint8_t* msg[8]; + for (int i = 0; i < 8; i++) { + msg[i] = sig; + } + IppCryptoImpl crypto; + return crypto.mbx_nistp256_ecdsa_verify_mb8(sign_r, sign_s, msg, pubx, puby, pubz, nullptr) == 0; + // mbx_status mbx_nistp256_ecdsa_verify_mb8(const int8u* const pa_sign_r[8], + // const int8u* const pa_sign_s[8], + // const int8u* const pa_msg[8], + // const int64u* const pa_pubx[8], + // const int64u* const pa_puby[8], + // const int64u* const pa_pubz[8], + // int8u* pBuffer); + // return 0; +} + ValidationResults::ValidationStatus CryptoMBVerifier::verify(X509_STORE_CTX *ctx) { + ENVOY_LOG_MISC(debug, "####### CryptoMBVerifier::verify"); // int n = (int)sk_X509_num(ctx->chain); // n--; // X509 *xi = sk_X509_value(ctx->chain, n); // EVP_PKEY *pkey = X509_get_pubkey(xi); - + EVP_PKEY_set_ec_verify_method(custom_verify); if (X509_verify_cert(ctx) == 1) { return ValidationResults::ValidationStatus::Successful; } diff --git a/source/common/tls/context_impl.cc b/source/common/tls/context_impl.cc index 2669fd8559f5..093aafb3332c 100644 --- a/source/common/tls/context_impl.cc +++ b/source/common/tls/context_impl.cc @@ -173,8 +173,10 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c auto verify_mode = cert_validator_->initializeSslContexts( ssl_contexts, config.capabilities().provides_certificates); if (!capabilities_.verifies_peer_certificates) { + ENVOY_LOG_MISC(debug, "####### before set the custom verify callback"); for (auto ctx : ssl_contexts) { if (verify_mode != SSL_VERIFY_NONE) { + ENVOY_LOG_MISC(debug, "####### set the custom verify callback"); // TODO(danzh) Envoy's use of SSL_VERIFY_NONE does not quite match the actual semantics as // a client. As a client, SSL_VERIFY_NONE means to verify the certificate (which will fail // without trust anchors), save the result in the session ticket, but otherwise continue