libsystemd/sd-id128: use only internal hmac, remove khash/OpenSSL support
Using OpenSSL brings in an additional dependency for all users of libsystemd.so even though it's just one API that makes use of it. The khash implementation is awkward as it requires context switches and computation inside the kernel, thus leaving the process. Remove both from libsystemd.so, and use exclusively the internal hmac fallback. While this is not optimized, the sd-id128 API is not used in performance-critical contexts where hardware acceleration would make a noticeable difference.
parent
8d39bff4e3
commit
ec4afb4606
@ -58,3 +58,8 @@ The following exceptions apply:
|
|||||||
**BSD-3-Clause** license.
|
**BSD-3-Clause** license.
|
||||||
* any files under test/ without an explicit license we assume non-copyrightable
|
* any files under test/ without an explicit license we assume non-copyrightable
|
||||||
(eg: computer-generated fuzzer data)
|
(eg: computer-generated fuzzer data)
|
||||||
|
|
||||||
|
## OpenSSL Notes
|
||||||
|
|
||||||
|
Note that building the systemd project with OpenSSL does not affect the libsystemd.so
|
||||||
|
shared library, which is not linked with the OpenSSL library.
|
||||||
|
@ -170,8 +170,7 @@ libsystemd_static = static_library(
|
|||||||
include_directories : libsystemd_includes,
|
include_directories : libsystemd_includes,
|
||||||
link_with : libbasic,
|
link_with : libbasic,
|
||||||
dependencies : [threads,
|
dependencies : [threads,
|
||||||
librt,
|
librt],
|
||||||
libopenssl],
|
|
||||||
c_args : libsystemd_c_args)
|
c_args : libsystemd_c_args)
|
||||||
|
|
||||||
libsystemd_sym = files('libsystemd.sym')
|
libsystemd_sym = files('libsystemd.sym')
|
||||||
|
@ -4,21 +4,14 @@
|
|||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
#if HAVE_OPENSSL
|
|
||||||
#include <openssl/hmac.h>
|
|
||||||
#include <openssl/sha.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "sd-id128.h"
|
#include "sd-id128.h"
|
||||||
|
|
||||||
#include "alloc-util.h"
|
#include "alloc-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "hexdecoct.h"
|
#include "hexdecoct.h"
|
||||||
|
#include "hmac.h"
|
||||||
#include "id128-util.h"
|
#include "id128-util.h"
|
||||||
#include "io-util.h"
|
#include "io-util.h"
|
||||||
#if !HAVE_OPENSSL
|
|
||||||
#include "khash.h"
|
|
||||||
#endif
|
|
||||||
#include "macro.h"
|
#include "macro.h"
|
||||||
#include "missing_syscall.h"
|
#include "missing_syscall.h"
|
||||||
#include "random-util.h"
|
#include "random-util.h"
|
||||||
@ -278,43 +271,15 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret) {
|
static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret) {
|
||||||
|
uint8_t hmac[SHA256_DIGEST_SIZE];
|
||||||
sd_id128_t result;
|
sd_id128_t result;
|
||||||
|
|
||||||
assert(ret);
|
assert(ret);
|
||||||
|
|
||||||
#if HAVE_OPENSSL
|
hmac_sha256(&base, sizeof(base), &app_id, sizeof(app_id), hmac);
|
||||||
/* We prefer doing this in-process, since we this means we are not dependent on kernel configuration,
|
|
||||||
* and this also works in locked down container environments. But some distros don't like OpenSSL's
|
|
||||||
* license and its (in-) compatibility with GPL2, hence also support khash */
|
|
||||||
uint8_t md[256/8];
|
|
||||||
if (!HMAC(EVP_sha256(),
|
|
||||||
&base, sizeof(base),
|
|
||||||
(const unsigned char*) &app_id, sizeof(app_id),
|
|
||||||
md, NULL))
|
|
||||||
return -ENOTRECOVERABLE;
|
|
||||||
|
|
||||||
/* Take only the first half. */
|
/* Take only the first half. */
|
||||||
memcpy(&result, md, MIN(sizeof(md), sizeof(result)));
|
memcpy(&result, hmac, MIN(sizeof(hmac), sizeof(result)));
|
||||||
#else
|
|
||||||
_cleanup_(khash_unrefp) khash *h = NULL;
|
|
||||||
const void *p;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
r = khash_new_with_key(&h, "hmac(sha256)", &base, sizeof(base));
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
r = khash_put(h, &app_id, sizeof(app_id));
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
r = khash_digest_data(h, &p);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
/* We chop off the trailing 16 bytes */
|
|
||||||
memcpy(&result, p, MIN(khash_get_size(h), sizeof(result)));
|
|
||||||
#endif
|
|
||||||
|
|
||||||
*ret = id128_make_v4_uuid(result);
|
*ret = id128_make_v4_uuid(result);
|
||||||
return 0;
|
return 0;
|
||||||
|
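Review bot: In the new body of get_app_specific(), the memcpy() length `MIN(sizeof(hmac), sizeof(result))` hides an invariant: both operands are compile-time constants, and if the digest buffer were ever the smaller one, `result` would reach id128_make_v4_uuid() partly uninitialised with no diagnostic. I would state the requirement with `assert_cc(sizeof(hmac) >= sizeof(result));` and then copy exactly `sizeof(result)` bytes. The removed comment block was the only explanation of this step, so a short replacement on the hmac_sha256() call would help, for example `/* HMAC-SHA256 with the base ID as key and the application ID as message */`. The function can no longer fail and always returns 0, which is worth a word in the same comment; its closing brace lies outside the hunk.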
@ -146,16 +146,11 @@ int main(int argc, char *argv[]) {
|
|||||||
assert_se(id128_read_fd(fd, ID128_UUID, &id2) >= 0);
|
assert_se(id128_read_fd(fd, ID128_UUID, &id2) >= 0);
|
||||||
assert_se(sd_id128_equal(id, id2));
|
assert_se(sd_id128_equal(id, id2));
|
||||||
|
|
||||||
r = sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id);
|
assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id) >= 0);
|
||||||
if (r == -EOPNOTSUPP)
|
|
||||||
log_info("khash not supported on this kernel, skipping sd_id128_get_machine_app_specific() checks");
|
|
||||||
else {
|
|
||||||
assert_se(r >= 0);
|
|
||||||
assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id2) >= 0);
|
assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(f0,3d,aa,eb,1c,33,4b,43,a7,32,17,29,44,bf,77,2e), &id2) >= 0);
|
||||||
assert_se(sd_id128_equal(id, id2));
|
assert_se(sd_id128_equal(id, id2));
|
||||||
assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(51,df,0b,4b,c3,b0,4c,97,80,e2,99,b9,8c,a3,73,b8), &id2) >= 0);
|
assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(51,df,0b,4b,c3,b0,4c,97,80,e2,99,b9,8c,a3,73,b8), &id2) >= 0);
|
||||||
assert_se(!sd_id128_equal(id, id2));
|
assert_se(!sd_id128_equal(id, id2));
|
||||||
}
|
|
||||||
|
|
||||||
/* Query the invocation ID */
|
/* Query the invocation ID */
|
||||||
r = sd_id128_get_invocation(&id);
|
r = sd_id128_get_invocation(&id);
|
||||||
|
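Review bot: The checks on sd_id128_get_machine_app_specific() only assert that one application ID yields the same result twice and that a second application ID yields a different one, so they would still pass if the internal hmac_sha256() produced different bytes than the removed OpenSSL and khash back ends. Callers presumably persist or compare these derived IDs, so a silent divergence would change every application-specific ID on an upgraded host. Because the machine ID differs per host, a fixed expected value cannot be asserted through this call; a known-answer check of hmac_sha256() against published HMAC-SHA256 vectors (RFC 4231) would close the gap, if the tree does not already carry one, which is not visible on this page. Dropping the -EOPNOTSUPP branch itself looks right, since the new code path no longer depends on a kernel facility.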