feat: add OpenSSL backend for checksum utilities

.github/workflows/CICD.yml

@@ -4,7 +4,7 @@ name: CICD
 # spell-checker:ignore (env/flags) Awarnings Ccodegen Coverflow Cpanic Dwarnings RUSTDOCFLAGS RUSTFLAGS Zpanic CARGOFLAGS CLEVEL nodocs
 # spell-checker:ignore (jargon) SHAs deps dequote softprops subshell toolchain fuzzers dedupe devel profdata
 # spell-checker:ignore (people) Peltoche rivy Anson dawidd
-# spell-checker:ignore (shell/tools) binutils choco clippy dmake esac fakeroot fdesc fdescfs gmake grcov halium lcov libclang libfuse libssl limactl nextest nocross pacman popd printf pushd redoxer rsync rustc rustfmt rustup shopt sccache utmpdump xargs zstd
+# spell-checker:ignore (shell/tools) binutils choco clippy dmake esac fakeroot fdesc fdescfs gmake grcov halium lcov libclang libcrypto libfuse libssl limactl nextest nocross pacman popd printf pushd redoxer rsync rustc rustfmt rustup shopt sccache utmpdump xargs zstd
 # spell-checker:ignore (misc) aarch alnum armhf bindir busytest coreutils defconfig DESTDIR gecos getenforce gnueabihf issuecomment maint manpages msys multisize noconfirm nofeatures nullglob onexitbegin onexitend pell runtest tempfile testsuite toybox uutils libsystemd codspeed wasip libexecinfo
 
 env:
@@ -827,6 +827,76 @@ jobs:
         flags: coverage,${{ matrix.job.os }}
         fail_ci_if_error: false
 
+  test_openssl:
+    name: Build/OpenSSL
+    needs: [ min_version, deps ]
+    runs-on: ${{ matrix.job.os }}
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          # Linux: exercises both vendored (static) and OPENSSL_NO_VENDOR=1
+          # (dynamic against system libcrypto). ubuntu-latest ships libssl-dev.
+          - { os: ubuntu-latest, features: feat_os_unix, dynamic: true }
+          # macOS: vendored only — system libcrypto needs OPENSSL_DIR
+          # pointing at Homebrew, which isn't worth wiring up for a smoke test.
+          - { os: macos-latest, features: feat_os_unix, dynamic: false }
+          # Windows is omitted: the `openssl` dep is `cfg(unix)`, so the
+          # feature is a no-op there and there's nothing to exercise.
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
+    - uses: dtolnay/rust-toolchain@stable
+    - uses: taiki-e/install-action@nextest
+    - uses: Swatinem/rust-cache@v2
+    - name: Run sccache-cache
+      id: sccache-setup
+      uses: mozilla-actions/sccache-action@v0.0.10
+      continue-on-error: true
+    - name: Export sccache
+      if: steps.sccache-setup.outcome == 'success'
+      run: |
+        echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+        echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
+    # Default mode: `openssl` crate's `vendored` feature builds libcrypto
+    # from source and statically links it (mirrors how `expr` links
+    # oniguruma). Runs the md5sum/sha*sum/cksum integration tests end-to-end
+    # so we'd catch a wrong-digest regression, not just a type error.
+    - name: Test checksum utilities with OpenSSL (vendored / static)
+      shell: bash
+      env:
+        RUST_BACKTRACE: "1"
+      run: |
+        cargo nextest run --hide-progress-bar --profile ci \
+          --features "${{ matrix.job.features }},openssl" \
+          -E 'test(/^test_(md5sum|sha1sum|sha224sum|sha256sum|sha384sum|sha512sum|cksum)::/)'
+    # Confirm the vendored build is actually statically linked. If this
+    # regresses, the `vendored` feature has stopped doing its job.
+    - name: Verify static linkage (vendored)
+      if: matrix.job.os == 'ubuntu-latest'
+      shell: bash
+      run: |
+        cargo build --release --features "${{ matrix.job.features }},openssl" --bin coreutils
+        if ldd target/release/coreutils 2>&1 | grep -iE 'libssl|libcrypto'; then
+          echo "ERROR: coreutils dynamically links libssl/libcrypto despite vendored feature"
+          exit 1
+        fi
+        echo "OK: no dynamic libssl/libcrypto linkage"
+    # Second linking mode: OPENSSL_NO_VENDOR=1 links dynamically against
+    # the system libcrypto/libssl.
+    - name: Test checksum utilities with OpenSSL (system / dynamic)
+      if: matrix.job.dynamic
+      shell: bash
+      env:
+        OPENSSL_NO_VENDOR: "1"
+        RUST_BACKTRACE: "1"
+      run: |
+        cargo nextest run --hide-progress-bar --profile ci \
+          --features "${{ matrix.job.features }},openssl" \
+          -E 'test(/^test_(md5sum|sha1sum|sha224sum|sha256sum|sha384sum|sha512sum|cksum)::/)'
+
   test_selinux:
     name: Build/SELinux
     needs: [ min_version, deps ]

Cargo.toml

@@ -1,7 +1,7 @@
 # coreutils (uutils)
 # * see the repository LICENSE, README, and CONTRIBUTING files for more information
 
-# spell-checker:ignore (libs) bigdecimal datetime foldhash serde gethostid kqueue libselinux mangen memmap uuhelp startswith constness expl unnested logind cfgs interner getauxval
+# spell-checker:ignore (libs) bigdecimal datetime foldhash serde gethostid kqueue libcrypto libselinux mangen memmap uuhelp startswith constness expl unnested logind cfgs interner getauxval
 
 [package]
 name = "coreutils"
@@ -26,6 +26,31 @@ unix = ["feat_os_unix"]
 windows = ["feat_os_windows"]
 ## project-specific feature shortcodes
 expensive_tests = []
+# Opt-in: use OpenSSL (libcrypto) for md5/sha1/sha2-family digests in the
+# checksum utilities instead of the pure-Rust crates. Provides large speedups
+# on CPUs without SHA-NI.
+#
+# Enable with: `cargo build --release --features unix,openssl`
+#
+# By default OpenSSL is built from source and statically linked (via the
+# `vendored` feature of the `openssl` crate), mirroring how `expr` links
+# oniguruma. To link against the system libcrypto/libssl dynamically instead,
+# set `OPENSSL_NO_VENDOR=1` at build time.
+#
+# The `?/openssl` entries propagate the choice into each standalone checksum
+# crate only when that crate is itself enabled, so disabling this feature
+# genuinely turns OpenSSL off everywhere. On Windows the feature is a no-op
+# and the pure-Rust implementations are used regardless.
+openssl = [
+  "cksum?/openssl",
+  "md5sum?/openssl",
+  "sha1sum?/openssl",
+  "sha224sum?/openssl",
+  "sha256sum?/openssl",
+  "sha384sum?/openssl",
+  "sha512sum?/openssl",
+  "uucore/openssl",
+]
 # "test_risky_names" == enable tests that create problematic file names (would make a network share inaccessible to Windows, breaks SVN on Mac OS, etc.)
 test_risky_names = []
 # * only build `uudoc` when `--feature uudoc` is activated
@@ -483,6 +508,7 @@ blake3 = "1.5.1"
 sm3 = "0.5.0"
 crc-fast = { version = "1.5.0", default-features = false }
 digest = "0.11.0"
+openssl = { version = "0.10", features = ["vendored"] }
 
 # Fluent dependencies
 fluent = "0.17.0"

README.md

@@ -1,6 +1,6 @@
 <!-- markdownlint-disable MD033 MD041 MD002 -->
 <!-- markdownlint-disable commands-show-output no-duplicate-heading -->
-<!-- spell-checker:ignore markdownlint ; (options) DESTDIR UTILNAME manpages reimplementation oranda libclang -->
+<!-- spell-checker:ignore markdownlint ; (options) DESTDIR UTILNAME manpages reimplementation oranda libclang libcrypto FIPS -->
 <div class="oranda-hide">
 <div align="center">
 
@@ -126,6 +126,22 @@ and `libclang` are installed on your system. Then, run the following command:
 cargo build --release --features unix,feat_selinux
 ```
 
+To speed up the checksum utilities (`md5sum`, `sha1sum`, `sha224sum`, `sha256sum`,
+`sha384sum`, `sha512sum`, and `cksum`) by using OpenSSL's `libcrypto` instead of
+the pure-Rust digest crates, enable the `openssl` feature:
+```
+cargo build --release --features unix,openssl
+```
+By default OpenSSL is built from source and statically linked into the
+binary (mirroring how `expr` links `oniguruma`), so no runtime dependency
+on system libcrypto/libssl is added. To link dynamically against the system
+libcrypto instead, set `OPENSSL_NO_VENDOR=1` at build time.
+
+The speedup is largest on CPUs without SHA-NI hardware acceleration. The
+feature is a no-op on Windows (the pure-Rust implementations are always used
+there) and is automatically bypassed at runtime for any algorithm libcrypto
+refuses (for example, MD5 in strict FIPS mode).
+
 If you don't want to build every utility available on your platform into the
 final binary, you can also specify which ones you want to build manually. For
 example:

build.rs

@@ -49,7 +49,7 @@ pub fn main() {
                     continue;
                 }
                 "default" | "macos" | "unix" | "windows" | "selinux" | "zip" | "clap_complete"
-                | "clap_mangen" | "fluent_syntax" => continue, // common/standard feature names
+                | "clap_mangen" | "fluent_syntax" | "openssl" => continue, // common/standard feature names
                 "nightly" | "test_unimplemented" | "expensive_tests" | "test_risky_names" => {
                     continue;
                 } // crate-local custom features

src/uu/cksum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 uu_checksum_common = { workspace = true }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 divan = { workspace = true }
 uucore = { workspace = true, features = ["benchmark"] }

src/uu/md5sum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 ] }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 uucore = { workspace = true, features = ["benchmark"] }
 

src/uu/sha1sum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 ] }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 uucore = { workspace = true, features = ["benchmark"] }
 

src/uu/sha224sum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 ] }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 uucore = { workspace = true, features = ["benchmark"] }
 

src/uu/sha256sum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 ] }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 uucore = { workspace = true, features = ["benchmark"] }
 

src/uu/sha384sum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 ] }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 uucore = { workspace = true, features = ["benchmark"] }
 

src/uu/sha512sum/Cargo.toml

@@ -30,6 +30,9 @@ uucore = { workspace = true, features = [
 ] }
 fluent = { workspace = true }
 
+[features]
+openssl = ["uucore/openssl"]
+
 [dev-dependencies]
 uucore = { workspace = true, features = ["benchmark"] }
 

src/uucore/Cargo.toml

@@ -1,4 +1,4 @@
-# spell-checker:ignore (features) bigdecimal zerocopy extendedbigdecimal tzdb zoneinfo logind
+# spell-checker:ignore (features) bigdecimal zerocopy extendedbigdecimal tzdb zoneinfo logind libcrypto
 
 [package]
 name = "uucore"
@@ -108,6 +108,9 @@ nix = { workspace = true, features = [
   "user",
   "zerocopy",
 ] }
+# OpenSSL is only used on Unix targets. On Windows, enabling the `openssl`
+# feature is a no-op and the pure-Rust digest implementations are used.
+openssl = { workspace = true, optional = true }
 walkdir = { workspace = true, optional = true }
 xattr = { workspace = true, optional = true }
 
@@ -199,6 +202,10 @@ sum = [
   "crc-fast",
   "data-encoding",
 ]
+# Use OpenSSL (libcrypto) for md5/sha1/sha2-family digests instead of the
+# pure-Rust crates. This dramatically speeds up checksum utilities on CPUs
+# without SHA-NI by using OpenSSL's optimized assembly implementations.
+openssl = ["dep:openssl"]
 update-control = ["parser"]
 utf8 = []
 utmpx = ["time", "time/macros", "libc", "dns-lookup"]