Allow using system's crypto library instead of BoringSSL. (#219)

Use: bazel test --define crypto=system //test/...

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

Author: PiotrSikora

.github/workflows/cpp.yml

@@ -69,6 +69,7 @@ jobs:
         - name: 'V8 on Linux'
           runtime: 'v8'
           os: ubuntu-20.04
+          flags: '--define crypto=system'
         - name: 'V8 on macOS'
           runtime: 'v8'
           os: macos-11
@@ -110,11 +111,22 @@ jobs:
 
     - name: Test
       run: |
-        bazel test --test_output=errors --define runtime=${{ matrix.runtime }} //test/...
+        bazel test \
+              --verbose_failures \
+              --test_output=errors \
+              --define runtime=${{ matrix.runtime }} \
+              ${{ matrix.flags }} \
+              //test/...
 
     - name: Test (signed Wasm module)
       run: |
-        bazel test --test_output=errors --define runtime=${{ matrix.runtime }} --per_file_copt=src/signature_util.cc,test/signature_util_test.cc@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" //test:signature_util_test
+        bazel test \
+              --verbose_failures \
+              --test_output=errors \
+              --define runtime=${{ matrix.runtime }} \
+              ${{ matrix.flags }} \
+              --per_file_copt=src/signature_util.cc,test/signature_util_test.cc@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" \
+              //test:signature_util_test
 
     - name: Cleanup Bazel cache
       if: matrix.runtime != 'wasmtime'

BUILD

@@ -56,10 +56,16 @@ cc_library(
         "include/proxy-wasm/bytecode_util.h",
         "include/proxy-wasm/signature_util.h",
     ],
+    linkopts = select({
+        "//bazel:crypto_system": ["-lcrypto"],
+        "//conditions:default": [],
+    }),
     deps = [
         ":headers",
-        "@boringssl//:crypto",
-    ],
+    ] + select({
+        "//bazel:crypto_system": [],
+        "//conditions:default": ["@boringssl//:crypto"],
+    }),
 )
 
 cc_library(

bazel/BUILD

@@ -17,3 +17,8 @@ config_setting(
     name = "runtime_wavm",
     values = {"define": "runtime=wavm"},
 )
+
+config_setting(
+    name = "crypto_system",
+    values = {"define": "crypto=system"},
+)

src/signature_util.cc

@@ -17,8 +17,10 @@
 #include <array>
 #include <cstring>
 
-#include <openssl/curve25519.h>
+#ifdef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
+#include <openssl/evp.h>
 #include <openssl/sha.h>
+#endif
 
 #include "include/proxy-wasm/bytecode_util.h"
 
@@ -103,7 +105,27 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
 
   static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY);
 
-  if (!ED25519_verify(hash, sizeof(hash), signature, ed25519_pubkey.data())) {
+  EVP_PKEY *pubkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, nullptr, ed25519_pubkey.data(),
+                                                 32 /* ED25519_PUBLIC_KEY_LEN */);
+  if (!pubkey) {
+    message = "Failed to load the public key";
+    return false;
+  }
+
+  EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
+  if (!mdctx) {
+    message = "Failed to allocate memory for EVP_MD_CTX";
+    EVP_PKEY_free(pubkey);
+    return false;
+  }
+
+  bool ok = EVP_DigestVerifyInit(mdctx, nullptr, nullptr, nullptr, pubkey) &&
+            EVP_DigestVerify(mdctx, signature, 64 /* ED25519_SIGNATURE_LEN */, hash, sizeof(hash));
+
+  EVP_MD_CTX_free(mdctx);
+  EVP_PKEY_free(pubkey);
+
+  if (!ok) {
     message = "Signature mismatch";
     return false;
   }