From 32880fa518b01b66bc61ed575231c04e1850ac39 Mon Sep 17 00:00:00 2001
From: David Sterba
Date: Thu, 16 Nov 2023 14:54:03 +0100
Subject: [PATCH] btrfs-progs: crypto: add openssl as crypto provider
https://www.openssl.org/ Is a well known cryptography library and since freshly released version 3.2 it also supports variable digest size of blake2b, so we can now add it among the crypto providers. Configure with --with-crypto=openssl.
Signed-off-by: David Sterba
---
 .github/workflows/ci-build-test.yml | 7 +++
 INSTALL | 1 +
 Makefile.inc.in | 4 +-
 README.md | 2 +-
 .../ci-openSUSE-tumbleweed-x86_64/Dockerfile | 2 +-
 configure.ac | 10 +++-
 crypto/hash-speedtest.c | 4 ++
 crypto/hash-vectest.c | 16 ++++++
 crypto/hash.c | 53 +++++++++++++++++++
 tests/build-tests.sh | 3 ++
 tests/hash-tests.sh | 1 +
 11 files changed, 98 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci-build-test.yml b/.github/workflows/ci-build-test.yml
index 5c558d04..cbd4135f 100644
--- a/.github/workflows/ci-build-test.yml
+++ b/.github/workflows/ci-build-test.yml
@@ -87,3 +87,10 @@ jobs:
 - uses: actions/checkout@v3
 - name: CI Tumbleweed (Botan)
 run: ci/ci-build-tumbleweed HEAD --with-crypto=botan
+ check-tumbleweed-openssl:
+ name: CI Tumbleweed (OpenSSL)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: CI Tumbleweed (OpenSSL)
+ run: ci/ci-build-tumbleweed HEAD --with-crypto=openssl
diff --git a/INSTALL b/INSTALL
index d7698abc..4cb814dc 100644
--- a/INSTALL
+++ b/INSTALL
@@ -22,6 +22,7 @@ dependencies are not desired.
 - libsodium >= 1.0.4
 - libkcapi >= 1.0.0
 - Botan >= 2.19.0
+- OpenSSL >= 3.2.0
 Optionally, multipath device detection requires libudev and running udev daemon, as it's the only source of the path information. Static build has a
diff --git a/Makefile.inc.in b/Makefile.inc.in
index b0988065..bc14485c 100644
--- a/Makefile.inc.in
+++ b/Makefile.inc.in
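Review bot: In .github/workflows/ci-build-test.yml the new check-tumbleweed-openssl job references `actions/checkout@v3` by a mutable tag, so the action code that runs in CI can change without any change to this repository. Pinning it to a full commit SHA, `- uses: actions/checkout@<full-commit-sha>  # v3`, keeps the job reproducible and narrows the supply-chain exposure. The context lines show the Botan job using the same tag form, so the existing jobs could be pinned in the same pass.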
@@ -22,7 +22,7 @@ PYTHON_BINDINGS = @PYTHON_BINDINGS@
 PYTHON = @PYTHON@
 PYTHON_CFLAGS = @PYTHON_CFLAGS@
 CRYPTOPROVIDER_BUILTIN = @CRYPTOPROVIDER_BUILTIN@
-CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@
+CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@ @OPENSSL_CFLAGS@
 HAVE_CFLAG_msse2 = @HAVE_CFLAG_msse2@
 HAVE_CFLAG_msse41 = @HAVE_CFLAG_msse41@
@@ -37,7 +37,7 @@ SUBST_LDFLAGS = @LDFLAGS@
 LIBS_BASE = @UUID_LIBS@ @BLKID_LIBS@ @LIBUDEV_LIBS@ -L. -pthread
 LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@
 LIBS_PYTHON = @PYTHON_LIBS@
-LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@
+LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@ @OPENSSL_LIBS@
 STATIC_LIBS_BASE = @UUID_LIBS_STATIC@ @BLKID_LIBS_STATIC@ -L. -pthread
 STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@
diff --git a/README.md b/README.md
index 8e2a0ef8..f3dab95e 100644
--- a/README.md
+++ b/README.md
@@ -124,7 +124,7 @@ functions is provided by copies of the respective sources to avoid adding dependencies that would make deployments in rescue or limited environments harder. The implementations are portable and there are optimized versions for some architectures. Optionally it's possible to use libgcrypt, libsodium,
-libkcapi or Botan implementations.
+libkcapi, Botan or OpenSSL implementations.
 * CRC32C: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
 * XXHASH: https://github.com/Cyan4973/xxHash
diff --git a/ci/images/ci-openSUSE-tumbleweed-x86_64/Dockerfile b/ci/images/ci-openSUSE-tumbleweed-x86_64/Dockerfile
index dffd6cd2..47c968fa 100644
--- a/ci/images/ci-openSUSE-tumbleweed-x86_64/Dockerfile
+++ b/ci/images/ci-openSUSE-tumbleweed-x86_64/Dockerfile
@@ -27,7 +27,7 @@ RUN zypper install -y --no-recommends glibc-devel-static libblkid-devel-static \
 RUN zypper install -y --no-recommends gcc13
 RUN zypper install -y --no-recommends libgcrypt-devel libsodium-devel libkcapi-devel \
- libbotan-devel
+ libbotan-devel libopenssl-3-devel
 COPY ./test-build .
 COPY ./run-tests .
diff --git a/configure.ac b/configure.ac
index 819f2226..bed3c8dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -236,7 +236,7 @@ if test "$DISABLE_BTRFSCONVERT" = 0 && test "x$convertfs" = "x"; then
 fi
 AC_ARG_WITH([crypto],
- AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan]),
+ AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan, openssl]),
 [], [with_crypto=builtin] )
@@ -247,6 +247,7 @@ CRYPTOPROVIDER_LIBGCRYPT=0
 CRYPTOPROVIDER_LIBSODIUM=0
 CRYPTOPROVIDER_LIBKCAPI=0
 CRYPTOPROVIDER_BOTAN=0
+CRYPTOPROVIDER_OPENSSL=0
 if test "$with_crypto" = "builtin"; then
 cryptoprovider="builtin"
 CRYPTOPROVIDER_BUILTIN=1
@@ -270,6 +271,11 @@ elif test "$with_crypto" = "botan"; then
 PKG_CHECK_MODULES(BOTAN, [botan-2 >= 2.19.0])
 CRYPTOPROVIDER_BOTAN=1
 cryptoproviderversion=`${PKG_CONFIG} botan-2 --modversion`
+elif test "$with_crypto" = "openssl"; then
+ cryptoprovider="openssl"
+ PKG_CHECK_MODULES(OPENSSL, [libcrypto >= 3.2.0])
+ CRYPTOPROVIDER_OPENSSL=1
+ cryptoproviderversion=`${PKG_CONFIG} libcrypto --modversion`
 else
 AC_MSG_ERROR([unrecognized crypto provider: $with_crypto])
 fi
@@ -283,6 +289,8 @@ AC_SUBST([CRYPTOPROVIDER_LIBKCAPI])
 AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_LIBKCAPI],[$CRYPTOPROVIDER_LIBKCAPI],[Use libkcapi])
 AC_SUBST([CRYPTOPROVIDER_BOTAN])
 AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_BOTAN],[$CRYPTOPROVIDER_BOTAN],[Use Botan])
+AC_SUBST([CRYPTOPROVIDER_OPENSSL])
+AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_OPENSSL],[$CRYPTOPROVIDER_OPENSSL],[Use OpenSSL])
 AC_DEFINE_UNQUOTED([CRYPTOPROVIDER],["$cryptoprovider"],[Crypto implementation source name])
 AX_CHECK_DEFINE([linux/fiemap.h], [FIEMAP_EXTENT_SHARED], [],
diff --git a/crypto/hash-speedtest.c b/crypto/hash-speedtest.c
index 24418e3e..40618270 100644
--- a/crypto/hash-speedtest.c
+++ b/crypto/hash-speedtest.c
@@ -202,6 +202,8 @@ int main(int argc, char **argv) {
 .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
 { .name = "SHA256-botan", .digest = hash_sha256, .digest_size = 32,
 .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
+ { .name = "SHA256-openssl", .digest = hash_sha256, .digest_size = 32,
+ .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
 { .name = "SHA256-NI", .digest = hash_sha256, .digest_size = 32,
 .cpu_flag = CPU_FLAG_SHA, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
 { .name = "BLAKE2-ref", .digest = hash_blake2b, .digest_size = 32,
@@ -214,6 +216,8 @@ int main(int argc, char **argv) {
 .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
 { .name = "BLAKE2-botan", .digest = hash_blake2b, .digest_size = 32,
 .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
+ { .name = "BLAKE2-openssl", .digest = hash_blake2b, .digest_size = 32,
+ .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
 { .name = "BLAKE2-SSE2", .digest = hash_blake2b, .digest_size = 32,
 .cpu_flag = CPU_FLAG_SSE2, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
 { .name = "BLAKE2-SSE41", .digest = hash_blake2b, .digest_size = 32,
diff --git a/crypto/hash-vectest.c b/crypto/hash-vectest.c
index e0561e47..e819b511 100644
--- a/crypto/hash-vectest.c
+++ b/crypto/hash-vectest.c
@@ -490,6 +490,14 @@ static const struct hash_testspec test_spec[] = {
 .cpu_flag = CPU_FLAG_NONE,
 .hash = hash_sha256,
 .backend = CRYPTOPROVIDER_BOTAN + 1
+ }, {
+ .name = "SHA256-openssl",
+ .digest_size = 32,
+ .testvec = sha256_tv,
+ .count = ARRAY_SIZE(sha256_tv),
+ .cpu_flag = CPU_FLAG_NONE,
+ .hash = hash_sha256,
+ .backend = CRYPTOPROVIDER_OPENSSL + 1
 }, {
 .name = "SHA256-NI",
 .digest_size = 32,
@@ -538,6 +546,14 @@ static const struct hash_testspec test_spec[] = {
 .cpu_flag = CPU_FLAG_NONE,
 .hash = hash_blake2b,
 .backend = CRYPTOPROVIDER_BOTAN + 1
+ }, {
+ .name = "BLAKE2-openssl",
+ .digest_size = 32,
+ .testvec = blake2b_256_tv,
+ .count = ARRAY_SIZE(blake2b_256_tv),
+ .cpu_flag = CPU_FLAG_NONE,
+ .hash = hash_blake2b,
+ .backend = CRYPTOPROVIDER_OPENSSL + 1
 }, {
 .name = "BLAKE2-SSE2",
 .digest_size = 32,
diff --git a/crypto/hash.c b/crypto/hash.c
index 61208f78..debe9341 100644
--- a/crypto/hash.c
+++ b/crypto/hash.c
@@ -235,3 +235,56 @@ int hash_blake2b(const u8 *buf, size_t len, u8 *out)
 }
 #endif
+
+#if CRYPTOPROVIDER_OPENSSL == 1
+
+#include
+#include
+
+void hash_init_accel(void)
+{
+ crc32c_init_accel();
+}
+
+int hash_sha256(const u8 *buf, size_t len, u8 *out)
+{
+ EVP_MD_CTX *ctx = NULL;
+
+ if (!ctx) {
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ fprintf(stderr, "HASH: cannot instantiate sha256\n");
+ exit(1);
+ }
+ }
+ EVP_DigestInit(ctx, EVP_sha256());
+ EVP_DigestUpdate(ctx, buf, len);
+ EVP_DigestFinal(ctx, out, NULL);
+ /* EVP_MD_CTX_free(ctx); */
+ return 0;
+}
+
+int hash_blake2b(const u8 *buf, size_t len, u8 *out)
+{
+ EVP_MD_CTX *ctx = NULL;
+ size_t digest_size = 256 / 8;
+ const OSSL_PARAM params[] = {
+ OSSL_PARAM_size_t("size", &digest_size),
+ OSSL_PARAM_END
+ };
+
+ if (!ctx) {
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ fprintf(stderr, "HASH: cannot instantiate sha256\n");
+ exit(1);
+ }
+ }
+ EVP_DigestInit_ex2(ctx, EVP_blake2b512(), params);
+ EVP_DigestUpdate(ctx, buf, len);
+ EVP_DigestFinal(ctx, out, NULL);
+ /* EVP_MD_CTX_free(ctx); */
+ return 0;
+}
+
+#endif
diff --git a/tests/build-tests.sh b/tests/build-tests.sh
index 8544f441..ed2f3f16 100755
--- a/tests/build-tests.sh
+++ b/tests/build-tests.sh
@@ -133,6 +133,9 @@ build_make_targets
 conf='--with-crypto=botan'
 build_make_targets
+conf='--with-crypto=openssl'
+build_make_targets
+
 # Old architectures
 conf='--with-crypto=builtin'
 buildme_cflags '-march=core2'
diff --git a/tests/hash-tests.sh b/tests/hash-tests.sh
index b77ad181..c53e32a8 100755
--- a/tests/hash-tests.sh
+++ b/tests/hash-tests.sh
@@ -37,6 +37,7 @@ buildme libgcrypt
 buildme libsodium
 buildme libkcapi
 buildme botan
+buildme openssl
 echo "VERDICT:"
 echo "$verdict"
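Review bot: In crypto/hash.c, hash_sha256() and hash_blake2b() allocate a new EVP_MD_CTX on every call and never release it: `ctx` is a non-static local initialised to NULL, so `if (!ctx)` is always true, and `EVP_MD_CTX_free(ctx)` is commented out, which leaks one context per hashed buffer. The return values of EVP_DigestInit()/EVP_DigestInit_ex2(), EVP_DigestUpdate() and EVP_DigestFinal() are also ignored, so a failed digest still returns 0 with `out` possibly unset. This matters most in hash_blake2b(): if the "size" parameter is not applied (the `libcrypto >= 3.2.0` check in configure.ac is build-time only), EVP_DigestFinal() would presumably write the full 64-byte BLAKE2b-512 output into a buffer callers appear to size for 32 bytes. The error message in hash_blake2b() also still reads "cannot instantiate sha256". The fence shows hash_blake2b() with the context freed and each call checked; hash_sha256() needs the same treatment.

```c
int hash_blake2b(const u8 *buf, size_t len, u8 *out)
{
	/* … unchanged: digest_size and params[] setup … */
	EVP_MD_CTX *ctx = EVP_MD_CTX_new();

	if (!ctx) {
		fprintf(stderr, "HASH: cannot instantiate blake2b\n");
		exit(1);
	}
	/* Each EVP call returns 1 on success; stop rather than emit a bogus checksum. */
	if (EVP_DigestInit_ex2(ctx, EVP_blake2b512(), params) != 1 ||
	    EVP_DigestUpdate(ctx, buf, len) != 1 ||
	    EVP_DigestFinal(ctx, out, NULL) != 1) {
		fprintf(stderr, "HASH: blake2b digest failed\n");
		exit(1);
	}
	EVP_MD_CTX_free(ctx);
	return 0;
}
```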