Add OpenSSL as crypto backend for device hashing

Use EVP_sha256 OpenSSL libcrypto API to implement SHA-256 hashing in the crypto backend for device hashing Pass parameter --with-crypto-library=openssl to configure USBGuard with OpenSSL libcrypto Add OpenSSL pipeline requirements Include libssl-dev package and openssl parameter
USBGuard · Jan 13, 2021 · e4bdd55 · e4bdd55
1 parent 9b881ed
commit e4bdd55
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 2 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -74,6 +74,13 @@ matrix:
           packages: ['libgcrypt-dev']
       env: CONFIGURE_ARGS=--with-crypto-library=gcrypt
 
+    - os: linux
+      compiler: gcc
+      addons:
+        apt:
+          packages: ['libssl-dev']
+      env: CONFIGURE_ARGS=--with-crypto-library=openssl
+
     - os: linux
       compiler: gcc
       env: CONFIGURE_ARGS=--without-ldap

diff --git a/configure.ac b/configure.ac
@@ -192,6 +192,16 @@ libsodium_available=yes,
 []
 )
 
+#
+# libcrypto library (OpenSSL)
+#
+PKG_CHECK_MODULES([libcrypto], [libcrypto >= 1.0.0],
+[AC_DEFINE([HAVE_LIBCRYPTO], [1], [libcrypto API available])
+libcrypto_summary="system-wide; $libcrypto_CFLAGS $libcrypto_LIBS"]
+libcrypto_available=yes,
+[]
+)
+
 #
 # gcrypt library
 #
@@ -211,12 +221,23 @@ libgcrypt_available=yes],
 #
 #  sodium ... libsodium
 #  gcrypt ... libgcrypt
+#  openssl ... libcrypto
 #
 AC_ARG_WITH([crypto-library], AS_HELP_STRING([--with-crypto-library],
-            [Select crypto backend library. Supported values: sodium, gcrypt.]),
+            [Select crypto backend library. Supported values: sodium, gcrypt, openssl.]),
             [with_crypto_library=$withval], [with_crypto_library=sodium])
 
 case "$with_crypto_library" in
+  openssl)
+    if test "x$libcrypto_available" = xyes; then
+      crypto_CFLAGS="$libcrypto_CFLAGS"
+      crypto_LIBS="$libcrypto_LIBS"
+      crypto_summary="$libcrypto_summary"
+      AC_DEFINE([USBGUARD_USE_OPENSSL], [1], [Use openssl as crypto backend])
+     else
+      AC_MSG_ERROR([The selected crypto backend library is not available.])
+    fi
+  ;;
   sodium)
     if test "x$libsodium_available" = xyes; then
       crypto_CFLAGS="$sodium_CFLAGS"
@@ -238,7 +259,7 @@ case "$with_crypto_library" in
     fi
   ;;
   *)
-  AC_MSG_FAILURE([Invalid crypto library selector. Supported selectors: sodium, gcrypt])
+  AC_MSG_FAILURE([Invalid crypto library selector. Supported selectors: sodium, gcrypt, openssl])
 esac
 AC_SUBST([crypto_CFLAGS])
 AC_SUBST([crypto_LIBS])

diff --git a/src/Library/Hash.cpp b/src/Library/Hash.cpp
@@ -38,6 +38,12 @@ namespace usbguard
 #if defined(USBGUARD_USE_LIBSODIUM)
     crypto_hash_sha256_init(&_state);
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    if ((_state = EVP_MD_CTX_new()) == nullptr)
+      throw std::runtime_error("Dynamic memory allocation of message digest context failed.");
+    if (!EVP_DigestInit_ex(_state, EVP_sha256(), nullptr))
+      throw std::runtime_error("Context initialization of message digest context failed.");
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     gcry_md_open(&_state, GCRY_MD_SHA256, 0);
 #endif
@@ -49,6 +55,9 @@ namespace usbguard
 #if defined(USBGUARD_USE_LIBSODIUM)
     _state = rhs._state;
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    _state = rhs._state;
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     gcry_md_copy(&_state, rhs._state);
 #endif
@@ -61,6 +70,10 @@ namespace usbguard
     _state = rhs._state;
     memset(&rhs._state, 0, sizeof _state);
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    _state = rhs._state;
+    memset(&rhs._state, 0, sizeof _state);
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     _state = rhs._state;
     rhs._state = nullptr;
@@ -74,6 +87,10 @@ namespace usbguard
     _state = rhs._state;
     memset(&rhs._state, 0, sizeof _state);
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    _state = rhs._state;
+    memset(&rhs._state, 0, sizeof _state);
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     _state = rhs._state;
     rhs._state = nullptr;
@@ -83,6 +100,9 @@ namespace usbguard
 
   Hash::~Hash()
   {
+#if defined(USBGUARD_USE_OPENSSL)
+    EVP_MD_CTX_free(_state);
+#endif
     release();
   }
 
@@ -91,6 +111,9 @@ namespace usbguard
 #if defined(USBGUARD_USE_LIBSODIUM)
     memset(&_state, 0, sizeof _state);
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    memset(&_state, 0, sizeof _state);
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
 
     if (_state != nullptr) {
@@ -110,6 +133,10 @@ namespace usbguard
 #if defined(USBGUARD_USE_LIBSODIUM)
     crypto_hash_sha256_update(&_state, reinterpret_cast<const uint8_t*>(ptr), size);
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    if (!EVP_DigestUpdate(_state, reinterpret_cast<const uint8_t*>(ptr), size))
+      throw std::runtime_error("Hashing data into message digest context failed.");
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     gcry_md_write(_state, ptr, size);
 #endif
@@ -130,6 +157,10 @@ namespace usbguard
 #if defined(USBGUARD_USE_LIBSODIUM)
         crypto_hash_sha256_update(&_state, buffer, buflen);
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+        if (!EVP_DigestUpdate(_state, buffer, buflen))
+          throw std::runtime_error("Hashing data into message digest context failed.");
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
         gcry_md_write(_state, buffer, buflen);
 #endif
@@ -148,6 +179,14 @@ namespace usbguard
     const uint8_t* const hash_buffer = hash_binary;
     const size_t hash_buflen = sizeof hash_binary;
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    uint8_t hash_binary[EVP_MAX_MD_SIZE];
+    unsigned int hash_len;
+    if (!EVP_DigestFinal_ex(_state, hash_binary, &hash_len))
+      throw std::runtime_error("Digest value retrieval failed.");
+    const uint8_t* const hash_buffer = hash_binary;
+    const size_t hash_buflen = hash_len;
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     gcry_md_final(_state);
     const size_t hash_buflen = gcry_md_get_algo_dlen(GCRY_MD_SHA256);

diff --git a/src/Library/Hash.hpp b/src/Library/Hash.hpp
@@ -30,6 +30,8 @@
 
 #if defined(USBGUARD_USE_LIBSODIUM)
   #include <sodium.h>
+#elif defined(USBGUARD_USE_OPENSSL)
+  #include <openssl/evp.h>
 #elif defined(USBGUARD_USE_LIBGCRYPT)
   #include <gcrypt.h>
 #else
@@ -56,6 +58,9 @@ namespace usbguard
 #if defined(USBGUARD_USE_LIBSODIUM)
     crypto_hash_sha256_state _state;
 #endif
+#if defined(USBGUARD_USE_OPENSSL)
+    EVP_MD_CTX *_state;
+#endif
 #if defined(USBGUARD_USE_LIBGCRYPT)
     gcry_md_hd_t _state {nullptr};
 #endif