btrfs-progs: crypto: add openssl as crypto provider

https://www.openssl.org/ Is a well known cryptography library and since freshly released version 3.2 it also supports variable digest size of blake2b, so we can now add it among the crypto providers. Configure with --with-crypto=openssl. Signed-off-by: David Sterba <dsterba@suse.com>
2023-11-16 14:54:03 +01:00 · 2023-11-16 14:54:03 +01:00 · 32880fa518
parent 5221aedc00
commit 32880fa518
11 changed files with 98 additions and 5 deletions
--- a/.github/workflows/ci-build-test.yml
+++ b/.github/workflows/ci-build-test.yml
@ -87,3 +87,10 @@ jobs:
      - uses: actions/checkout@v3
      - name: CI Tumbleweed (Botan)
        run: ci/ci-build-tumbleweed HEAD --with-crypto=botan
+  check-tumbleweed-openssl:
+    name: CI Tumbleweed (OpenSSL)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: CI Tumbleweed (OpenSSL)
+        run: ci/ci-build-tumbleweed HEAD --with-crypto=openssl
--- a/1
+++ b/1
@ -22,6 +22,7 @@ dependencies are not desired.
 - libsodium >= 1.0.4
 - libkcapi >= 1.0.0
 - Botan >= 2.19.0
+- OpenSSL >= 3.2.0

 Optionally, multipath device detection requires libudev and running udev
 daemon, as it's the only source of the path information. Static build has a
--- a/Makefile.inc.in
+++ b/Makefile.inc.in
@ -22,7 +22,7 @@ PYTHON_BINDINGS = @PYTHON_BINDINGS@
 PYTHON = @PYTHON@
 PYTHON_CFLAGS = @PYTHON_CFLAGS@
 CRYPTOPROVIDER_BUILTIN = @CRYPTOPROVIDER_BUILTIN@
-CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@
+CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@ @OPENSSL_CFLAGS@

 HAVE_CFLAG_msse2 = @HAVE_CFLAG_msse2@
 HAVE_CFLAG_msse41 = @HAVE_CFLAG_msse41@
@ -37,7 +37,7 @@ SUBST_LDFLAGS = @LDFLAGS@
 LIBS_BASE = @UUID_LIBS@ @BLKID_LIBS@ @LIBUDEV_LIBS@ -L. -pthread
 LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@
 LIBS_PYTHON = @PYTHON_LIBS@
-LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@
+LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@ @OPENSSL_LIBS@
 STATIC_LIBS_BASE = @UUID_LIBS_STATIC@ @BLKID_LIBS_STATIC@ -L. -pthread
 STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@

--- a/README.md
+++ b/README.md
@ -124,7 +124,7 @@ functions is provided by copies of the respective sources to avoid adding
 dependencies that would make deployments in rescue or limited environments
 harder. The implementations are portable and there are optimized versions for
 some architectures.  Optionally it's possible to use libgcrypt, libsodium,
-libkcapi or Botan implementations.
+libkcapi, Botan or OpenSSL implementations.

 * CRC32C: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
 * XXHASH: https://github.com/Cyan4973/xxHash
--- a/ci/images/ci-openSUSE-tumbleweed-x86_64/Dockerfile
+++ b/ci/images/ci-openSUSE-tumbleweed-x86_64/Dockerfile
@ -27,7 +27,7 @@ RUN zypper install -y --no-recommends glibc-devel-static libblkid-devel-static \

 RUN zypper install -y --no-recommends gcc13
 RUN zypper install -y --no-recommends libgcrypt-devel libsodium-devel libkcapi-devel \
-	   libbotan-devel
+	   libbotan-devel libopenssl-3-devel

 COPY ./test-build .
 COPY ./run-tests .
--- a/configure.ac
+++ b/configure.ac
@ -236,7 +236,7 @@ if test "$DISABLE_BTRFSCONVERT" = 0 && test "x$convertfs" = "x"; then
 fi

 AC_ARG_WITH([crypto],
-	    AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan]),
+	    AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan, openssl]),
  [], [with_crypto=builtin]
 )

@ -247,6 +247,7 @@ CRYPTOPROVIDER_LIBGCRYPT=0
 CRYPTOPROVIDER_LIBSODIUM=0
 CRYPTOPROVIDER_LIBKCAPI=0
 CRYPTOPROVIDER_BOTAN=0
+CRYPTOPROVIDER_OPENSSL=0
 if test "$with_crypto" = "builtin"; then
 	cryptoprovider="builtin"
 	CRYPTOPROVIDER_BUILTIN=1
@ -270,6 +271,11 @@ elif test "$with_crypto" = "botan"; then
 	PKG_CHECK_MODULES(BOTAN, [botan-2 >= 2.19.0])
 	CRYPTOPROVIDER_BOTAN=1
 	cryptoproviderversion=`${PKG_CONFIG} botan-2 --modversion`
+elif test "$with_crypto" = "openssl"; then
+	cryptoprovider="openssl"
+	PKG_CHECK_MODULES(OPENSSL, [libcrypto >= 3.2.0])
+	CRYPTOPROVIDER_OPENSSL=1
+	cryptoproviderversion=`${PKG_CONFIG} libcrypto --modversion`
 else
 	AC_MSG_ERROR([unrecognized crypto provider: $with_crypto])
 fi
@ -283,6 +289,8 @@ AC_SUBST([CRYPTOPROVIDER_LIBKCAPI])
 AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_LIBKCAPI],[$CRYPTOPROVIDER_LIBKCAPI],[Use libkcapi])
 AC_SUBST([CRYPTOPROVIDER_BOTAN])
 AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_BOTAN],[$CRYPTOPROVIDER_BOTAN],[Use Botan])
+AC_SUBST([CRYPTOPROVIDER_OPENSSL])
+AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_OPENSSL],[$CRYPTOPROVIDER_OPENSSL],[Use OpenSSL])
 AC_DEFINE_UNQUOTED([CRYPTOPROVIDER],["$cryptoprovider"],[Crypto implementation source name])

 AX_CHECK_DEFINE([linux/fiemap.h], [FIEMAP_EXTENT_SHARED], [],
--- a/crypto/hash-speedtest.c
+++ b/crypto/hash-speedtest.c
@ -202,6 +202,8 @@ int main(int argc, char **argv) {
 		  .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
 		{ .name = "SHA256-botan", .digest = hash_sha256, .digest_size = 32,
 		  .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
+		{ .name = "SHA256-openssl", .digest = hash_sha256, .digest_size = 32,
+		  .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
 		{ .name = "SHA256-NI", .digest = hash_sha256, .digest_size = 32,
 		  .cpu_flag = CPU_FLAG_SHA, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
 		{ .name = "BLAKE2-ref", .digest = hash_blake2b, .digest_size = 32,
@ -214,6 +216,8 @@ int main(int argc, char **argv) {
 		  .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
 		{ .name = "BLAKE2-botan", .digest = hash_blake2b, .digest_size = 32,
 		  .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
+		{ .name = "BLAKE2-openssl", .digest = hash_blake2b, .digest_size = 32,
+		  .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
 		{ .name = "BLAKE2-SSE2", .digest = hash_blake2b, .digest_size = 32,
 		  .cpu_flag = CPU_FLAG_SSE2, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
 		{ .name = "BLAKE2-SSE41", .digest = hash_blake2b, .digest_size = 32,
--- a/crypto/hash-vectest.c
+++ b/crypto/hash-vectest.c
@ -490,6 +490,14 @@ static const struct hash_testspec test_spec[] = {
 		.cpu_flag = CPU_FLAG_NONE,
 		.hash = hash_sha256,
 		.backend = CRYPTOPROVIDER_BOTAN + 1
+	}, {
+		.name = "SHA256-openssl",
+		.digest_size = 32,
+		.testvec = sha256_tv,
+		.count = ARRAY_SIZE(sha256_tv),
+		.cpu_flag = CPU_FLAG_NONE,
+		.hash = hash_sha256,
+		.backend = CRYPTOPROVIDER_OPENSSL + 1
 	}, {
 		.name = "SHA256-NI",
 		.digest_size = 32,
@ -538,6 +546,14 @@ static const struct hash_testspec test_spec[] = {
 		.cpu_flag = CPU_FLAG_NONE,
 		.hash = hash_blake2b,
 		.backend = CRYPTOPROVIDER_BOTAN + 1
+	}, {
+		.name = "BLAKE2-openssl",
+		.digest_size = 32,
+		.testvec = blake2b_256_tv,
+		.count = ARRAY_SIZE(blake2b_256_tv),
+		.cpu_flag = CPU_FLAG_NONE,
+		.hash = hash_blake2b,
+		.backend = CRYPTOPROVIDER_OPENSSL + 1
 	}, {
 		.name = "BLAKE2-SSE2",
 		.digest_size = 32,
--- a/crypto/hash.c
+++ b/crypto/hash.c
@ -235,3 +235,56 @@ int hash_blake2b(const u8 *buf, size_t len, u8 *out)
 }

 #endif
+
+#if CRYPTOPROVIDER_OPENSSL == 1
+
+#include <openssl/params.h>
+#include <openssl/evp.h>
+
+void hash_init_accel(void)
+{
+	crc32c_init_accel();
+}
+
+int hash_sha256(const u8 *buf, size_t len, u8 *out)
+{
+	EVP_MD_CTX *ctx = NULL;
+
+	if (!ctx) {
+		ctx = EVP_MD_CTX_new();
+		if (!ctx) {
+			fprintf(stderr, "HASH: cannot instantiate sha256\n");
+			exit(1);
+		}
+	}
+	EVP_DigestInit(ctx, EVP_sha256());
+	EVP_DigestUpdate(ctx, buf, len);
+	EVP_DigestFinal(ctx, out, NULL);
+	/* EVP_MD_CTX_free(ctx); */
+	return 0;
+}
+
+int hash_blake2b(const u8 *buf, size_t len, u8 *out)
+{
+	EVP_MD_CTX *ctx = NULL;
+	size_t digest_size = 256 / 8;
+	const OSSL_PARAM params[] = {
+		OSSL_PARAM_size_t("size", &digest_size),
+		OSSL_PARAM_END
+	};
+
+	if (!ctx) {
+		ctx = EVP_MD_CTX_new();
+		if (!ctx) {
+			fprintf(stderr, "HASH: cannot instantiate sha256\n");
+			exit(1);
+		}
+	}
+	EVP_DigestInit_ex2(ctx, EVP_blake2b512(), params);
+	EVP_DigestUpdate(ctx, buf, len);
+	EVP_DigestFinal(ctx, out, NULL);
+	/* EVP_MD_CTX_free(ctx); */
+	return 0;
+}
+
+#endif
--- a/tests/build-tests.sh
+++ b/tests/build-tests.sh
@ -133,6 +133,9 @@ build_make_targets
 conf='--with-crypto=botan'
 build_make_targets

+conf='--with-crypto=openssl'
+build_make_targets
+
 # Old architectures
 conf='--with-crypto=builtin'
 buildme_cflags '-march=core2'
--- a/tests/hash-tests.sh
+++ b/tests/hash-tests.sh
@ -37,6 +37,7 @@ buildme libgcrypt
 buildme libsodium
 buildme libkcapi
 buildme botan
+buildme openssl

 echo "VERDICT:"
 echo "$verdict"