btrfs-progs: crypto: add openssl as crypto provider

https://www.openssl.org/ is a well-known cryptography library, and since the
freshly released version 3.2 it also supports variable digest size of
blake2b, so we can now add it among the crypto providers.

Configure with --with-crypto=openssl.

Signed-off-by: David Sterba <dsterba@suse.com>
David Sterba 2023-11-16 14:54:03 +01:00
parent 5221aedc00
commit 32880fa518
11 changed files with 98 additions and 5 deletions


@ -87,3 +87,10 @@ jobs:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: CI Tumbleweed (Botan) - name: CI Tumbleweed (Botan)
run: ci/ci-build-tumbleweed HEAD --with-crypto=botan run: ci/ci-build-tumbleweed HEAD --with-crypto=botan
check-tumbleweed-openssl:
name: CI Tumbleweed (OpenSSL)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: CI Tumbleweed (OpenSSL)
run: ci/ci-build-tumbleweed HEAD --with-crypto=openssl


@ -22,6 +22,7 @@ dependencies are not desired.
- libsodium >= 1.0.4 - libsodium >= 1.0.4
- libkcapi >= 1.0.0 - libkcapi >= 1.0.0
- Botan >= 2.19.0 - Botan >= 2.19.0
- OpenSSL >= 3.2.0
Optionally, multipath device detection requires libudev and running udev Optionally, multipath device detection requires libudev and running udev
daemon, as it's the only source of the path information. Static build has a daemon, as it's the only source of the path information. Static build has a


@ -22,7 +22,7 @@ PYTHON_BINDINGS = @PYTHON_BINDINGS@
PYTHON = @PYTHON@ PYTHON = @PYTHON@
PYTHON_CFLAGS = @PYTHON_CFLAGS@ PYTHON_CFLAGS = @PYTHON_CFLAGS@
CRYPTOPROVIDER_BUILTIN = @CRYPTOPROVIDER_BUILTIN@ CRYPTOPROVIDER_BUILTIN = @CRYPTOPROVIDER_BUILTIN@
CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@ CRYPTO_CFLAGS = @GCRYPT_CFLAGS@ @SODIUM_CFLAGS@ @KCAPI_CFLAGS@ @BOTAN_CFLAGS@ @OPENSSL_CFLAGS@
HAVE_CFLAG_msse2 = @HAVE_CFLAG_msse2@ HAVE_CFLAG_msse2 = @HAVE_CFLAG_msse2@
HAVE_CFLAG_msse41 = @HAVE_CFLAG_msse41@ HAVE_CFLAG_msse41 = @HAVE_CFLAG_msse41@
@ -37,7 +37,7 @@ SUBST_LDFLAGS = @LDFLAGS@
LIBS_BASE = @UUID_LIBS@ @BLKID_LIBS@ @LIBUDEV_LIBS@ -L. -pthread LIBS_BASE = @UUID_LIBS@ @BLKID_LIBS@ @LIBUDEV_LIBS@ -L. -pthread
LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@ LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@
LIBS_PYTHON = @PYTHON_LIBS@ LIBS_PYTHON = @PYTHON_LIBS@
LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@ LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@ @BOTAN_LIBS@ @OPENSSL_LIBS@
STATIC_LIBS_BASE = @UUID_LIBS_STATIC@ @BLKID_LIBS_STATIC@ -L. -pthread STATIC_LIBS_BASE = @UUID_LIBS_STATIC@ @BLKID_LIBS_STATIC@ -L. -pthread
STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@ STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@


@ -124,7 +124,7 @@ functions is provided by copies of the respective sources to avoid adding
dependencies that would make deployments in rescue or limited environments dependencies that would make deployments in rescue or limited environments
harder. The implementations are portable and there are optimized versions for harder. The implementations are portable and there are optimized versions for
some architectures. Optionally it's possible to use libgcrypt, libsodium, some architectures. Optionally it's possible to use libgcrypt, libsodium,
libkcapi or Botan implementations. libkcapi, Botan or OpenSSL implementations.
* CRC32C: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ * CRC32C: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
* XXHASH: https://github.com/Cyan4973/xxHash * XXHASH: https://github.com/Cyan4973/xxHash


@ -27,7 +27,7 @@ RUN zypper install -y --no-recommends glibc-devel-static libblkid-devel-static \
RUN zypper install -y --no-recommends gcc13 RUN zypper install -y --no-recommends gcc13
RUN zypper install -y --no-recommends libgcrypt-devel libsodium-devel libkcapi-devel \ RUN zypper install -y --no-recommends libgcrypt-devel libsodium-devel libkcapi-devel \
libbotan-devel libbotan-devel libopenssl-3-devel
COPY ./test-build . COPY ./test-build .
COPY ./run-tests . COPY ./run-tests .


@ -236,7 +236,7 @@ if test "$DISABLE_BTRFSCONVERT" = 0 && test "x$convertfs" = "x"; then
fi fi
AC_ARG_WITH([crypto], AC_ARG_WITH([crypto],
AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan]), AS_HELP_STRING([[[]--with-crypto[[=builtin]]]], [provider of cryptographic primitives: builtin, libgcrypt, libsodium, libkcapi, botan, openssl]),
[], [with_crypto=builtin] [], [with_crypto=builtin]
) )
@ -247,6 +247,7 @@ CRYPTOPROVIDER_LIBGCRYPT=0
CRYPTOPROVIDER_LIBSODIUM=0 CRYPTOPROVIDER_LIBSODIUM=0
CRYPTOPROVIDER_LIBKCAPI=0 CRYPTOPROVIDER_LIBKCAPI=0
CRYPTOPROVIDER_BOTAN=0 CRYPTOPROVIDER_BOTAN=0
CRYPTOPROVIDER_OPENSSL=0
if test "$with_crypto" = "builtin"; then if test "$with_crypto" = "builtin"; then
cryptoprovider="builtin" cryptoprovider="builtin"
CRYPTOPROVIDER_BUILTIN=1 CRYPTOPROVIDER_BUILTIN=1
@ -270,6 +271,11 @@ elif test "$with_crypto" = "botan"; then
PKG_CHECK_MODULES(BOTAN, [botan-2 >= 2.19.0]) PKG_CHECK_MODULES(BOTAN, [botan-2 >= 2.19.0])
CRYPTOPROVIDER_BOTAN=1 CRYPTOPROVIDER_BOTAN=1
cryptoproviderversion=`${PKG_CONFIG} botan-2 --modversion` cryptoproviderversion=`${PKG_CONFIG} botan-2 --modversion`
elif test "$with_crypto" = "openssl"; then
cryptoprovider="openssl"
PKG_CHECK_MODULES(OPENSSL, [libcrypto >= 3.2.0])
CRYPTOPROVIDER_OPENSSL=1
cryptoproviderversion=`${PKG_CONFIG} libcrypto --modversion`
else else
AC_MSG_ERROR([unrecognized crypto provider: $with_crypto]) AC_MSG_ERROR([unrecognized crypto provider: $with_crypto])
fi fi
@ -283,6 +289,8 @@ AC_SUBST([CRYPTOPROVIDER_LIBKCAPI])
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_LIBKCAPI],[$CRYPTOPROVIDER_LIBKCAPI],[Use libkcapi]) AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_LIBKCAPI],[$CRYPTOPROVIDER_LIBKCAPI],[Use libkcapi])
AC_SUBST([CRYPTOPROVIDER_BOTAN]) AC_SUBST([CRYPTOPROVIDER_BOTAN])
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_BOTAN],[$CRYPTOPROVIDER_BOTAN],[Use Botan]) AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_BOTAN],[$CRYPTOPROVIDER_BOTAN],[Use Botan])
AC_SUBST([CRYPTOPROVIDER_OPENSSL])
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER_OPENSSL],[$CRYPTOPROVIDER_OPENSSL],[Use OpenSSL])
AC_DEFINE_UNQUOTED([CRYPTOPROVIDER],["$cryptoprovider"],[Crypto implementation source name]) AC_DEFINE_UNQUOTED([CRYPTOPROVIDER],["$cryptoprovider"],[Crypto implementation source name])
AX_CHECK_DEFINE([linux/fiemap.h], [FIEMAP_EXTENT_SHARED], [], AX_CHECK_DEFINE([linux/fiemap.h], [FIEMAP_EXTENT_SHARED], [],


@ -202,6 +202,8 @@ int main(int argc, char **argv) {
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 }, .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
{ .name = "SHA256-botan", .digest = hash_sha256, .digest_size = 32, { .name = "SHA256-botan", .digest = hash_sha256, .digest_size = 32,
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 }, .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
{ .name = "SHA256-openssl", .digest = hash_sha256, .digest_size = 32,
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
{ .name = "SHA256-NI", .digest = hash_sha256, .digest_size = 32, { .name = "SHA256-NI", .digest = hash_sha256, .digest_size = 32,
.cpu_flag = CPU_FLAG_SHA, .backend = CRYPTOPROVIDER_BUILTIN + 1 }, .cpu_flag = CPU_FLAG_SHA, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
{ .name = "BLAKE2-ref", .digest = hash_blake2b, .digest_size = 32, { .name = "BLAKE2-ref", .digest = hash_blake2b, .digest_size = 32,
@ -214,6 +216,8 @@ int main(int argc, char **argv) {
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 }, .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_LIBKCAPI + 1 },
{ .name = "BLAKE2-botan", .digest = hash_blake2b, .digest_size = 32, { .name = "BLAKE2-botan", .digest = hash_blake2b, .digest_size = 32,
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 }, .cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_BOTAN + 1 },
{ .name = "BLAKE2-openssl", .digest = hash_blake2b, .digest_size = 32,
.cpu_flag = CPU_FLAG_NONE, .backend = CRYPTOPROVIDER_OPENSSL + 1 },
{ .name = "BLAKE2-SSE2", .digest = hash_blake2b, .digest_size = 32, { .name = "BLAKE2-SSE2", .digest = hash_blake2b, .digest_size = 32,
.cpu_flag = CPU_FLAG_SSE2, .backend = CRYPTOPROVIDER_BUILTIN + 1 }, .cpu_flag = CPU_FLAG_SSE2, .backend = CRYPTOPROVIDER_BUILTIN + 1 },
{ .name = "BLAKE2-SSE41", .digest = hash_blake2b, .digest_size = 32, { .name = "BLAKE2-SSE41", .digest = hash_blake2b, .digest_size = 32,


@ -490,6 +490,14 @@ static const struct hash_testspec test_spec[] = {
.cpu_flag = CPU_FLAG_NONE, .cpu_flag = CPU_FLAG_NONE,
.hash = hash_sha256, .hash = hash_sha256,
.backend = CRYPTOPROVIDER_BOTAN + 1 .backend = CRYPTOPROVIDER_BOTAN + 1
}, {
.name = "SHA256-openssl",
.digest_size = 32,
.testvec = sha256_tv,
.count = ARRAY_SIZE(sha256_tv),
.cpu_flag = CPU_FLAG_NONE,
.hash = hash_sha256,
.backend = CRYPTOPROVIDER_OPENSSL + 1
}, { }, {
.name = "SHA256-NI", .name = "SHA256-NI",
.digest_size = 32, .digest_size = 32,
@ -538,6 +546,14 @@ static const struct hash_testspec test_spec[] = {
.cpu_flag = CPU_FLAG_NONE, .cpu_flag = CPU_FLAG_NONE,
.hash = hash_blake2b, .hash = hash_blake2b,
.backend = CRYPTOPROVIDER_BOTAN + 1 .backend = CRYPTOPROVIDER_BOTAN + 1
}, {
.name = "BLAKE2-openssl",
.digest_size = 32,
.testvec = blake2b_256_tv,
.count = ARRAY_SIZE(blake2b_256_tv),
.cpu_flag = CPU_FLAG_NONE,
.hash = hash_blake2b,
.backend = CRYPTOPROVIDER_OPENSSL + 1
}, { }, {
.name = "BLAKE2-SSE2", .name = "BLAKE2-SSE2",
.digest_size = 32, .digest_size = 32,


@ -235,3 +235,56 @@ int hash_blake2b(const u8 *buf, size_t len, u8 *out)
} }
#endif #endif
#if CRYPTOPROVIDER_OPENSSL == 1
#include <openssl/params.h>
#include <openssl/evp.h>
void hash_init_accel(void)
{
crc32c_init_accel();
}
int hash_sha256(const u8 *buf, size_t len, u8 *out)
{
EVP_MD_CTX *ctx = NULL;
if (!ctx) {
ctx = EVP_MD_CTX_new();
if (!ctx) {
fprintf(stderr, "HASH: cannot instantiate sha256\n");
exit(1);
}
}
EVP_DigestInit(ctx, EVP_sha256());
EVP_DigestUpdate(ctx, buf, len);
EVP_DigestFinal(ctx, out, NULL);
/* EVP_MD_CTX_free(ctx); */
return 0;
}
int hash_blake2b(const u8 *buf, size_t len, u8 *out)
{
EVP_MD_CTX *ctx = NULL;
size_t digest_size = 256 / 8;
const OSSL_PARAM params[] = {
OSSL_PARAM_size_t("size", &digest_size),
OSSL_PARAM_END
};
if (!ctx) {
ctx = EVP_MD_CTX_new();
if (!ctx) {
fprintf(stderr, "HASH: cannot instantiate sha256\n");
exit(1);
}
}
EVP_DigestInit_ex2(ctx, EVP_blake2b512(), params);
EVP_DigestUpdate(ctx, buf, len);
EVP_DigestFinal(ctx, out, NULL);
/* EVP_MD_CTX_free(ctx); */
return 0;
}
#endif
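Review bot: Both new OpenSSL functions, `hash_sha256` and `hash_blake2b`, allocate an `EVP_MD_CTX` on every call and never release it, because `EVP_MD_CTX_free(ctx)` is commented out; `ctx` is a local initialised to NULL, so the `if (!ctx)` guard is always taken and nothing is cached between calls. The return values of `EVP_DigestInit`/`EVP_DigestInit_ex2`, `EVP_DigestUpdate` and `EVP_DigestFinal` are also ignored, so if the loaded provider rejects the digest or the `size` parameter, `out` is left unwritten and the function still returns 0, letting an indeterminate buffer pass as a checksum. I would check each call for `!= 1`, free the context on every path, and fail loudly as the allocation-failure path already does; the failure message in `hash_blake2b` should also say `blake2b` rather than `sha256`. A sketch for `hash_blake2b` follows, and `hash_sha256` needs the same shape.

```c
int hash_blake2b(const u8 *buf, size_t len, u8 *out)
{
	/* ... unchanged: digest_size and params[] setup ... */
	EVP_MD_CTX *ctx = EVP_MD_CTX_new();

	if (!ctx) {
		fprintf(stderr, "HASH: cannot instantiate blake2b\n");
		exit(1);
	}
	/* Every EVP_Digest* call returns 1 on success; anything else leaves out undefined. */
	if (EVP_DigestInit_ex2(ctx, EVP_blake2b512(), params) != 1 ||
	    EVP_DigestUpdate(ctx, buf, len) != 1 ||
	    EVP_DigestFinal(ctx, out, NULL) != 1) {
		fprintf(stderr, "HASH: blake2b digest failed\n");
		EVP_MD_CTX_free(ctx);
		exit(1);
	}
	EVP_MD_CTX_free(ctx);
	return 0;
}
```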


@ -133,6 +133,9 @@ build_make_targets
conf='--with-crypto=botan' conf='--with-crypto=botan'
build_make_targets build_make_targets
conf='--with-crypto=openssl'
build_make_targets
# Old architectures # Old architectures
conf='--with-crypto=builtin' conf='--with-crypto=builtin'
buildme_cflags '-march=core2' buildme_cflags '-march=core2'


@ -37,6 +37,7 @@ buildme libgcrypt
buildme libsodium buildme libsodium
buildme libkcapi buildme libkcapi
buildme botan buildme botan
buildme openssl
echo "VERDICT:" echo "VERDICT:"
echo "$verdict" echo "$verdict"