Support powering the Crypto logic by a system OpenSSL (#2248)

jviotti · web-flow · commit a82a1db87c7b · 2026-02-16T12:40:21.000-04:00
Signed-off-by: Juan Cruz Viotti &lt;jv@jviotti.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,6 +36,12 @@ jobs:
             type: static
             shell: sh
             benchmark: linux/llvm
+          - os: ubuntu-latest
+            cc: clang
+            cxx: clang++
+            type: static
+            shell: sh
+            options: -DSOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL:BOOL=ON
           - os: ubuntu-latest
             cc: gcc
             cxx: g++
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -11,6 +11,7 @@ option(SOURCEMETA_CORE_UNICODE "Build the Sourcemeta Core Unicode library" ON)
 option(SOURCEMETA_CORE_PUNYCODE "Build the Sourcemeta Core Punycode library" ON)
 option(SOURCEMETA_CORE_TIME "Build the Sourcemeta Core time library" ON)
 option(SOURCEMETA_CORE_CRYPTO "Build the Sourcemeta Core Crypto library" ON)
+option(SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL "Use system OpenSSL for the Sourcemeta Core Crypto library" OFF)
 option(SOURCEMETA_CORE_REGEX "Build the Sourcemeta Core Regex library" ON)
 option(SOURCEMETA_CORE_URI "Build the Sourcemeta Core URI library" ON)
 option(SOURCEMETA_CORE_URITEMPLATE "Build the Sourcemeta Core URI Template library" ON)
@@ -89,6 +90,9 @@ if(SOURCEMETA_CORE_TIME)
 endif()
 
 if(SOURCEMETA_CORE_CRYPTO)
+  if(SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL)
+    find_package(OpenSSL REQUIRED)
+  endif()
   add_subdirectory(src/core/crypto)
 endif()
 
diff --git a/config.cmake.in b/config.cmake.in
@@ -48,6 +48,9 @@ foreach(component ${SOURCEMETA_CORE_COMPONENTS})
   elseif(component STREQUAL "time")
     include("${CMAKE_CURRENT_LIST_DIR}/sourcemeta_core_time.cmake")
   elseif(component STREQUAL "crypto")
+    if(@SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL@)
+      find_dependency(OpenSSL)
+    endif()
     include("${CMAKE_CURRENT_LIST_DIR}/sourcemeta_core_crypto.cmake")
   elseif(component STREQUAL "regex")
     find_dependency(PCRE2 CONFIG)
diff --git a/src/core/crypto/CMakeLists.txt b/src/core/crypto/CMakeLists.txt
@@ -2,6 +2,12 @@ sourcemeta_library(NAMESPACE sourcemeta PROJECT core NAME crypto
   PRIVATE_HEADERS sha256.h uuid.h
   SOURCES crypto_sha256.cc crypto_uuid.cc)
 
+if(SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL)
+  target_compile_definitions(sourcemeta_core_crypto
+    PRIVATE SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL)
+  target_link_libraries(sourcemeta_core_crypto PRIVATE OpenSSL::Crypto)
+endif()
+
 if(SOURCEMETA_CORE_INSTALL)
   sourcemeta_library_install(NAMESPACE sourcemeta PROJECT core NAME crypto)
 endif()
diff --git a/src/core/crypto/crypto_sha256.cc b/src/core/crypto/crypto_sha256.cc
@@ -2,7 +2,54 @@
 
 #include <array>   // std::array
 #include <cstdint> // std::uint32_t, std::uint64_t
+
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+#include <openssl/evp.h> // EVP_MD_CTX_new, EVP_DigestInit_ex, EVP_sha256, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_free
+#include <stdexcept>     // std::runtime_error
+#else
 #include <cstring> // std::memcpy
+#endif
+
+namespace {
+constexpr std::array<char, 17> HEX_DIGITS{{'0', '1', '2', '3', '4', '5', '6',
+                                           '7', '8', '9', 'a', 'b', 'c', 'd',
+                                           'e', 'f', '\0'}};
+} // namespace
+
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+
+namespace sourcemeta::core {
+
+auto sha256(const std::string_view input, std::ostream &output) -> void {
+  auto *context = EVP_MD_CTX_new();
+  if (context == nullptr) {
+    throw std::runtime_error("Could not allocate OpenSSL digest context");
+  }
+
+  if (EVP_DigestInit_ex(context, EVP_sha256(), nullptr) != 1 ||
+      EVP_DigestUpdate(context, input.data(), input.size()) != 1) {
+    EVP_MD_CTX_free(context);
+    throw std::runtime_error("Could not compute SHA-256 digest");
+  }
+
+  std::array<unsigned char, 32> digest{};
+  unsigned int length = 0;
+  if (EVP_DigestFinal_ex(context, digest.data(), &length) != 1) {
+    EVP_MD_CTX_free(context);
+    throw std::runtime_error("Could not finalize SHA-256 digest");
+  }
+
+  EVP_MD_CTX_free(context);
+
+  for (std::uint64_t index = 0; index < 32u; ++index) {
+    output.put(HEX_DIGITS[(digest[index] >> 4u) & 0x0fu]);
+    output.put(HEX_DIGITS[digest[index] & 0x0fu]);
+  }
+}
+
+} // namespace sourcemeta::core
+
+#else
 
 namespace {
 
@@ -169,17 +216,15 @@ auto sha256(const std::string_view input, std::ostream &output) -> void {
     sha256_process_block(final_block.data() + 64u, state);
   }
 
-  // Produce the final hex digest directly from state words (big-endian)
-  static constexpr std::array<char, 17> hex_digits{
-      {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',
-       'e', 'f', '\0'}};
   for (std::uint64_t state_index = 0u; state_index < 8u; ++state_index) {
     const auto value = state[state_index];
     for (std::uint64_t nibble = 0u; nibble < 8u; ++nibble) {
       const auto shift = 28u - nibble * 4u;
-      output.put(hex_digits[(value >> shift) & 0x0fu]);
+      output.put(HEX_DIGITS[(value >> shift) & 0x0fu]);
     }
   }
 }
 
 } // namespace sourcemeta::core
+
+#endif
diff --git a/src/core/crypto/crypto_uuid.cc b/src/core/crypto/crypto_uuid.cc
@@ -1,45 +1,78 @@
 #include <sourcemeta/core/crypto_uuid.h>
 
-#include <array>   // std::array
-#include <cstddef> // std::size_t
-#include <random> // std::random_device, std::mt19937, std::uniform_int_distribution
+#include <array>       // std::array
+#include <cstddef>     // std::size_t
 #include <string_view> // std::string_view
 
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+#include <openssl/rand.h> // RAND_bytes
+#include <stdexcept>      // std::runtime_error
+#else
+#include <random> // std::random_device, std::mt19937, std::uniform_int_distribution
+#endif
+
 namespace sourcemeta::core {
 
 // See RFC 9562 Section 5.4
 // Format: xxxxxxxx-xxxx-4xxx-Nxxx-xxxxxxxxxxxx
 // where 4 is the version and N is the variant (8, 9, a, or b)
 auto uuidv4() -> std::string {
-  static std::random_device device;
-  static std::mt19937 generator{device()};
   static constexpr std::string_view digits = "0123456789abcdef";
   static constexpr std::string_view variant_digits = "89ab";
   static constexpr std::array<bool, 16> dash = {
       {false, false, false, false, true, false, true, false, true, false, true,
        false, false, false, false, false}};
+
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+  std::array<unsigned char, 16> random_bytes{};
+  if (RAND_bytes(random_bytes.data(), static_cast<int>(random_bytes.size())) !=
+      1) {
+    throw std::runtime_error("Could not generate random bytes with OpenSSL");
+  }
+#else
+  static std::random_device device;
+  static std::mt19937 generator{device()};
   std::uniform_int_distribution<decltype(digits)::size_type> distribution(0,
                                                                           15);
   std::uniform_int_distribution<decltype(variant_digits)::size_type>
       variant_distribution(0, 3);
+#endif
+
   std::string result;
   result.reserve(36);
   for (std::size_t index = 0; index < dash.size(); ++index) {
     if (dash[index]) {
       result += '-';
     }
 
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+    const auto high_nibble = (random_bytes[index] >> 4u) & 0x0fu;
+    const auto low_nibble = random_bytes[index] & 0x0fu;
+#endif
+
     // RFC 9562 Section 5.4: version bits (48-51) must be 0b0100
     if (index == 6) {
       result += '4';
       // RFC 9562 Section 5.4: variant bits (64-65) must be 0b10
     } else if (index == 8) {
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+      result += variant_digits[high_nibble & 0x03u];
+#else
       result += variant_digits[variant_distribution(generator)];
+#endif
     } else {
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+      result += digits[high_nibble];
+#else
       result += digits[distribution(generator)];
+#endif
     }
 
+#ifdef SOURCEMETA_CORE_CRYPTO_USE_SYSTEM_OPENSSL
+    result += digits[low_nibble];
+#else
     result += digits[distribution(generator)];
+#endif
   }
 
   return result;
