.github/workflows/build_test.sh

@@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
 success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
 
 ARGS=(
-    "--optimization=0 -Dopenssl=disabled -Dtpm=true -Dtpm2=enabled"
+    "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled"
     "--optimization=s -Dutmp=false"
     "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
     "--optimization=3 -Db_lto=true -Ddns-over-tls=false"
@@ -67,6 +67,7 @@ PACKAGES=(
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 LINKER="${LINKER:?}"
+CRYPTOLIB="${CRYPTOLIB:?}"
 RELEASE="$(lsb_release -cs)"
 
 # Note: As we use postfixed clang/gcc binaries, we need to override $AR
@@ -149,7 +150,7 @@ for args in "${ARGS[@]}"; do
          CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
          meson setup \
                -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-               -Dnobody-group=nogroup -Ddebug=false \
+               -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
                $args build; then
 
         cat build/meson-logs/meson-log.txt

.github/workflows/build_test.yml

@@ -25,11 +25,11 @@ jobs:
       fail-fast: false
       matrix:
         env:
-          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd"  }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd",  CRYPTOLIB: "gcrypt"  }
-          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold" }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
-          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold" }
+          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt"  }
-          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd"  }
+          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd",  CRYPTOLIB: "openssl" }
-          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld"  }
+          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld",  CRYPTOLIB: "auto"    }
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout

.github/workflows/unit_tests.sh

@@ -41,7 +41,7 @@ function run_meson() {
 
 set -ex
 
-MESON_ARGS=()
+MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
 
 # (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
 # its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the

.github/workflows/unit_tests.yml

@@ -16,15 +16,18 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     concurrency:
-      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }}
+      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
       cancel-in-progress: true
     strategy:
       fail-fast: false
       matrix:
         run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS]
+        cryptolib: [auto]
         include:
           - run_phase: GCC
+            cryptolib: openssl
           - run_phase: CLANG
+            cryptolib: gcrypt
     steps:
       - name: Repository checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -35,6 +38,8 @@ jobs:
           sudo sed -i '/^XDG_/d' /etc/environment
           # Pass only specific env variables through sudo, to avoid having
           # the already existing XDG_* stuff on the "other side"
-          sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
+          sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
       - name: Build & test
-        run: sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
+        run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
+        env:
+          CRYPTOLIB: ${{ matrix.cryptolib }}

LICENSES/README.md

@@ -32,23 +32,23 @@ The following exceptions apply:
  * some sources under src/udev/ are licensed under **GPL-2.0-or-later**,
    so all udev programs (`systemd-udevd`, `udevadm`, and the udev builtins
    and test programs) are also distributed under **GPL-2.0-or-later**.
- * the header files contained in src/basic/include/linux are copied
+ * the header files contained in src/basic/linux/ and src/shared/linux/ are copied
    verbatim from the Linux kernel source tree and are licensed under **GPL-2.0 WITH
    Linux-syscall-note** and are used within the scope of the Linux-syscall-note
    exception provisions
  * the following sources are licensed under the **LGPL-2.0-or-later** license:
    - src/basic/utf8.c
    - src/shared/initreq.h
- * the src/basic/include/linux/bpf_insn.h header is copied from the Linux kernel
+ * the src/shared/linux/bpf_insn.h header is copied from the Linux kernel
    source tree and is licensed under either **BSD-2-Clause** or **GPL-2.0-only**,
    and thus is included in the systemd build under the BSD-2-Clause license.
- * The src/basic/include/linux/wireguard.h header is copied from the Linux kernel
+ * The src/basic/linux/wireguard.h header is copied from the Linux kernel
    source tree and is licensed under either **MIT** or **GPL-2.0 WITH Linux-syscall-note**,
    and thus is included in the systemd build under the MIT license.
  * the following sources are licensed under the **MIT** license (in case of our
    scripts, to facilitate copying and reuse of those helpers to other projects):
    - hwdb.d/parse_hwdb.py
-   - src/basic/include/linux/batman_adv.h
+   - src/basic/linux/batman_adv.h
    - src/basic/sparse-endian.h
    - tools/catalog-report.py
  * the following sources are licensed under the **CC0-1.0** license:

NEWS

@@ -67,12 +67,6 @@ CHANGES WITH 258 in spe:
           in v255), 'default-hierarchy' (v256), and 'nscd' (v257) have been
           removed.
 
-        * OpenSSL is the only crypto backend for systemd-resolved and
-          systemd-importd, and support for gnutls and gcrypt has been removed.
-          Hence, support for 'dns-over-tls=gnutls' meson option has been
-          removed. Also, 'cryptolib' meson option has been deprecated, and will
-          be removed in a future release.
-
         Announcements of Future Feature Removals:
 
         * The D-Bus method org.freedesktop.systemd1.StartAuxiliaryScope() is

README

@@ -240,7 +240,8 @@ REQUIREMENTS:
         libcurl >= 7.32.0 (optional)
         libidn2 or libidn (optional)
         gnutls >= 3.1.4 (optional)
-        openssl >= 1.1.0 (optional, required to support DNS-over-TLS)
+               >= 3.6.0 is required to support DNS-over-TLS with gnutls
+        openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
         p11-kit >= 0.23.3 (optional)
         libfido2 (optional)
         tpm2-tss (optional)

TODO

@@ -1791,6 +1791,7 @@ Features:
   with matches, then activate app through that passing socket over
 
 * unify on openssl:
+  - kill gnutls support in resolved
   - figure out what to do about libmicrohttpd, which has a hard dependency on
     gnutls
   - port fsprg over to a dlopen lib, then switch it to openssl

coccinelle/run-coccinelle.sh

@@ -5,7 +5,8 @@ set -e
 # Exclude following paths from the Coccinelle transformations
 EXCLUDED_PATHS=(
     "src/boot/efi/*"
-    "src/basic/include/linux/*"
+    "src/shared/linux/*"
+    "src/basic/linux/*"
     # Symlinked to test-bus-vtable-cc.cc, which causes issues with the IN_SET macro
     "src/libsystemd/sd-bus/test-bus-vtable.c"
     "src/libsystemd/sd-journal/lookup3.c"

hwdb.d/60-keyboard.hwdb

@@ -383,7 +383,6 @@ evdev:name:gpio-keys:phys:gpio-keys/input0:ev:3:dmi:bvn*:bvr*:bd*:svncube:pni1-T
 ###########################################################
 
 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnDell*:pn*:*
- KEYBOARD_KEY_68=prog2                                  # G-Mode (Dell-specific)
  KEYBOARD_KEY_81=playpause                              # Play/Pause
  KEYBOARD_KEY_82=stopcd                                 # Stop
  KEYBOARD_KEY_83=previoussong                           # Previous song

man/systemd-ssh-proxy.xml

@@ -24,7 +24,7 @@
 
   <refsynopsisdiv>
     <programlisting>
-Host unix/* unix,* vsock/* vsock,* vsock-mux/* vsock-mux,*
+Host unix/* vsock/* vsock-mux/*
     ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
     ProxyUseFdpass yes
 </programlisting>
@@ -46,7 +46,7 @@ Host unix/* unix,* vsock/* vsock,* vsock-mux/* vsock-mux,*
     configuration fragment like the following:</para>
 
     <programlisting>
-Host unix/* unix,* vsock/* vsock,* vsock-mux/* vsock-mux,*
+Host unix/* vsock/* vsock-mux/*
     ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
     ProxyUseFdpass yes
     CheckHostIP no
@@ -69,9 +69,7 @@ Host .host
     direct <constant>AF_VSOCK</constant> communication between the host and guests, and provide their own
     multiplexer over <constant>AF_UNIX</constant> sockets. See
     <ulink url="https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/vsock.md">cloud-hypervisor VSOCK support</ulink>
-    and <ulink url="https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md">Using the Firecracker Virtio-vsock Device</ulink>.
+    and <ulink url="https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md">Using the Firecracker Virtio-vsock Device</ulink>.</para>
-    Note that <literal>,</literal> can be used as a separator instead of <literal>/</literal> to be
-    compatible with tools like <literal>scp</literal> and <literal>rsync</literal>.</para>
 
     <para>Moreover, connecting to <literal>.host</literal> will connect to the local host via SSH, without
     involving networking.</para>
@@ -115,12 +113,6 @@ Host .host
 
       <programlisting>ssh unix/run/ssh-unix-local/socket</programlisting>
     </example>
-
-    <example>
-      <title>Copy local 'foo' file to a local VM with CID 1348</title>
-
-      <programlisting>scp foo vsock,1348:</programlisting>
-    </example>
   </refsect1>
 
   <refsect1>

meson.build

@@ -1482,18 +1482,50 @@ endif
 dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'loongarch64', 'mips', 'riscv64']
 conf.set10('HAVE_DMI', host_machine.cpu_family() in dmi_arches)
 
+# We support one or the other. If gcrypt is available, we assume it's there to
+# be used, and use it in preference.
+opt = get_option('cryptolib')
+if opt == 'openssl' and conf.get('HAVE_OPENSSL') == 0
+        error('openssl requested as the default cryptolib, but not available')
+endif
+conf.set10('PREFER_OPENSSL',
+           opt == 'openssl' or (opt == 'auto' and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_GCRYPT') == 0))
+conf.set10('HAVE_OPENSSL_OR_GCRYPT',
+           conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
+lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error]
+
 dns_over_tls = get_option('dns-over-tls')
-have_openssl = conf.get('HAVE_OPENSSL') == 1
+if dns_over_tls != 'false'
-if dns_over_tls == 'false'
+        if dns_over_tls == 'gnutls' and conf.get('PREFER_OPENSSL') == 1
-        have = false
+                error('Sorry, -Ddns-over-tls=gnutls is not supported when openssl is used as the cryptolib')
-elif dns_over_tls == 'auto'
+        endif
-        have = have_openssl
+
-elif have_openssl
+        if dns_over_tls == 'gnutls'
-        have = true
+                have_openssl = false
+        else
+                have_openssl = conf.get('HAVE_OPENSSL') == 1
+                if dns_over_tls == 'openssl' and not have_openssl
+                        error('DNS-over-TLS support was requested with openssl, but dependencies are not available')
+                endif
+        endif
+        if dns_over_tls == 'openssl' or have_openssl
+                have_gnutls = false
+        else
+                have_gnutls = conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0')
+                if dns_over_tls != 'auto' and not have_gnutls
+                        str = dns_over_tls == 'gnutls' ? ' with gnutls' : ''
+                        error('DNS-over-TLS support was requested@0@, but dependencies are not available'.format(str))
+                endif
+        endif
+        have = have_gnutls or have_openssl
 else
-        error('DNS-over-TLS support was requested, but OpenSSL support is disabled.')
+        have = false
+        have_gnutls = false
+        have_openssl = false
 endif
 conf.set10('ENABLE_DNS_OVER_TLS', have)
+conf.set10('DNS_OVER_TLS_USE_GNUTLS', have_gnutls)
+conf.set10('DNS_OVER_TLS_USE_OPENSSL', have_openssl)
 
 default_dns_over_tls = get_option('default-dns-over-tls')
 if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
@@ -1520,8 +1552,8 @@ have = get_option('repart').require(
 conf.set10('ENABLE_REPART', have)
 
 default_dnssec = get_option('default-dnssec')
-if default_dnssec != 'no' and conf.get('HAVE_OPENSSL') == 0
+if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
-        message('default-dnssec cannot be set to yes or allow-downgrade when openssl is disabled. Setting default-dnssec to no.')
+        message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
         default_dnssec = 'no'
 endif
 conf.set('DEFAULT_DNSSEC_MODE',
@@ -1552,7 +1584,7 @@ conf.set10('ENABLE_STORAGETM', get_option('storagetm'))
 
 have = get_option('importd').require(
         conf.get('HAVE_LIBCURL') == 1 and
-        conf.get('HAVE_OPENSSL') == 1 and
+        conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and
         conf.get('HAVE_ZLIB') == 1 and
         conf.get('HAVE_XZ') == 1,
         error_message : 'curl, openssl/grypt, zlib and xz required').allowed()
@@ -2021,18 +2053,11 @@ boot_stubs = []
 
 build_dir_include = include_directories('.')
 
-basic_includes = [
+basic_includes = include_directories(
-        include_directories(
+        'src/basic',
-                'src/basic',
+        'src/fundamental',
-                'src/fundamental',
+        'src/systemd',
-                'src/systemd',
+        '.')
-                '.',
-        ),
-        include_directories(
-                'src/basic/include',
-                is_system : true,
-        ),
-]
 
 libsystemd_includes = [basic_includes, include_directories(
         'src/libsystemd/sd-bus',
@@ -3065,7 +3090,6 @@ foreach tuple : [
 
         # optional features
         ['dmi'],
-        ['DNS-over-TLS'],
         ['idn'],
         ['polkit'],
         ['legacy-pkla',            install_polkit_pkla],
@@ -3130,6 +3154,22 @@ else
         found += 'static-libudev(@0@)'.format(static_libudev)
 endif
 
+if conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and conf.get('PREFER_OPENSSL') == 1
+        found += 'cryptolib(openssl)'
+elif conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1
+        found += 'cryptolib(gcrypt)'
+else
+        missing += 'cryptolib'
+endif
+
+if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1
+        found += 'DNS-over-TLS(gnutls)'
+elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1
+        found += 'DNS-over-TLS(openssl)'
+else
+        missing += 'DNS-over-TLS'
+endif
+
 summary({
         'enabled' :  ', '.join(found),
         'disabled' : ', '.join(missing)},

meson_options.txt

@@ -358,7 +358,7 @@ option('default-llmnr', type : 'combo',
        choices : ['yes', 'resolve', 'no'],
        description : 'default LLMNR mode',
        value : 'yes')
-option('dns-over-tls', type : 'combo', choices : ['auto', 'openssl', 'true', 'false'],
+option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
        description : 'DNS-over-TLS support')
 option('dns-servers', type : 'string',
        description : 'space-separated list of default DNS servers',
@@ -434,8 +434,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
        description : 'gnutls support')
 option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'openssl support')
-option('cryptolib', type : 'combo', choices : ['auto', 'openssl'],
+option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
-       description : 'This option is deprecated and will be removed in a future release')
+       description : 'whether to use openssl or gcrypt where both are supported')
 option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'p11kit support')
 option('libfido2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },

src/ac-power/ac-power.c

@@ -5,7 +5,6 @@
 #include "ansi-color.h"
 #include "battery-util.h"
 #include "build.h"
-#include "log.h"
 #include "main-func.h"
 #include "pretty-print.h"
 

src/analyze/analyze-compare-versions.c

@@ -4,7 +4,6 @@
 
 #include "analyze-compare-versions.h"
 #include "compare-operator.h"
-#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 #include "strv.h"

src/analyze/analyze-time-data.h

@@ -3,7 +3,6 @@
 
 #include "sd-bus.h"
 
-#include "memory-util.h"
 #include "time-util.h"
 #include "unit-def.h"
 

src/basic/alloc-util.c

@@ -6,6 +6,7 @@
 
 #include "alloc-util.h"
 #include "macro.h"
+#include "memory-util.h"
 
 void* memdup(const void *p, size_t l) {
         void *ret;

src/basic/alloc-util.h

@@ -7,9 +7,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "assert-util.h"
 #include "macro.h"
-#include "memory-util.h"
 
 #if HAS_FEATURE_MEMORY_SANITIZER
 #  include <sanitizer/msan_interface.h>
@@ -268,3 +266,5 @@ _alloc_(2) static inline void *realloc0(void *p, size_t new_size) {
 
         return q;
 }
+
+#include "memory-util.h"

src/basic/argv-util.c

@@ -8,7 +8,6 @@
 #include "argv-util.h"
 #include "capability-util.h"
 #include "errno-util.h"
-#include "log.h"
 #include "missing_sched.h"
 #include "parse-util.h"
 #include "path-util.h"

src/basic/argv-util.h

@@ -3,7 +3,6 @@
 
 #include <stdbool.h>
 
-#include "assert-util.h"
 #include "macro.h"
 
 extern int saved_argc;

src/basic/assert-util.c

@@ -1,65 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include <stdio.h>
-
-#include "assert-util.h"
-#include "errno-util.h"
-#include "log.h"
-
-static bool assert_return_is_critical = BUILD_MODE_DEVELOPER;
-
-/* Akin to glibc's __abort_msg; which is private and we hence cannot
- * use here. */
-static char *log_abort_msg = NULL;
-
-void log_set_assert_return_is_critical(bool b) {
-        assert_return_is_critical = b;
-}
-
-bool log_get_assert_return_is_critical(void) {
-        return assert_return_is_critical;
-}
-
-static void log_assert(
-        int level,
-        const char *text,
-        const char *file,
-        int line,
-        const char *func,
-        const char *format) {
-
-        static char buffer[LINE_MAX];
-
-        if (_likely_(LOG_PRI(level) > log_get_max_level()))
-                return;
-
-        DISABLE_WARNING_FORMAT_NONLITERAL;
-        (void) snprintf(buffer, sizeof buffer, format, text, file, line, func);
-        REENABLE_WARNING;
-
-        log_abort_msg = buffer;
-
-        log_dispatch_internal(level, 0, file, line, func, NULL, NULL, NULL, NULL, buffer);
-}
-
-_noreturn_ void log_assert_failed(const char *text, const char *file, int line, const char *func) {
-        log_assert(LOG_CRIT, text, file, line, func,
-                   "Assertion '%s' failed at %s:%u, function %s(). Aborting.");
-        abort();
-}
-
-_noreturn_ void log_assert_failed_unreachable(const char *file, int line, const char *func) {
-        log_assert(LOG_CRIT, "Code should not be reached", file, line, func,
-                   "%s at %s:%u, function %s(). Aborting. 💥");
-        abort();
-}
-
-void log_assert_failed_return(const char *text, const char *file, int line, const char *func) {
-
-        if (assert_return_is_critical)
-                log_assert_failed(text, file, line, func);
-
-        PROTECT_ERRNO;
-        log_assert(LOG_DEBUG, text, file, line, func,
-                   "Assertion '%s' failed at %s:%u, function %s(), ignoring.");
-}

src/basic/assert-util.h

@@ -1,84 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#include "assert-fundamental.h"
-#include "macro.h"
-
-/* Logging for various assertions */
-
-void log_set_assert_return_is_critical(bool b);
-bool log_get_assert_return_is_critical(void) _pure_;
-
-_noreturn_ void log_assert_failed(const char *text, const char *file, int line, const char *func);
-_noreturn_ void log_assert_failed_unreachable(const char *file, int line, const char *func);
-void log_assert_failed_return(const char *text, const char *file, int line, const char *func);
-
-#ifdef __COVERITY__
-
-/* Use special definitions of assertion macros in order to prevent
- * false positives of ASSERT_SIDE_EFFECT on Coverity static analyzer
- * for uses of assert_se() and assert_return().
- *
- * These definitions make expression go through a (trivial) function
- * call to ensure they are not discarded. Also use ! or !! to ensure
- * the boolean expressions are seen as such.
- *
- * This technique has been described and recommended in:
- * https://community.synopsys.com/s/question/0D534000046Yuzb/suppressing-assertsideeffect-for-functions-that-allow-for-sideeffects
- */
-
-extern void __coverity_panic__(void);
-
-static inline void __coverity_check__(int condition) {
-        if (!condition)
-                __coverity_panic__();
-}
-
-static inline int __coverity_check_and_return__(int condition) {
-        return condition;
-}
-
-#define assert_message_se(expr, message) __coverity_check__(!!(expr))
-
-#define assert_log(expr, message) __coverity_check_and_return__(!!(expr))
-
-#else  /* ! __COVERITY__ */
-
-#define assert_message_se(expr, message)                                \
-        do {                                                            \
-                if (_unlikely_(!(expr)))                                \
-                        log_assert_failed(message, PROJECT_FILE, __LINE__, __func__); \
-        } while (false)
-
-#define assert_log(expr, message) ((_likely_(expr))                     \
-        ? (true)                                                        \
-        : (log_assert_failed_return(message, PROJECT_FILE, __LINE__, __func__), false))
-
-#endif  /* __COVERITY__ */
-
-#define assert_se(expr) assert_message_se(expr, #expr)
-
-/* We override the glibc assert() here. */
-#undef assert
-#ifdef NDEBUG
-#define assert(expr) ({ if (!(expr)) __builtin_unreachable(); })
-#else
-#define assert(expr) assert_message_se(expr, #expr)
-#endif
-
-#define assert_not_reached()                                            \
-        log_assert_failed_unreachable(PROJECT_FILE, __LINE__, __func__)
-
-#define assert_return(expr, r)                                          \
-        do {                                                            \
-                if (!assert_log(expr, #expr))                           \
-                        return (r);                                     \
-        } while (false)
-
-#define assert_return_errno(expr, r, err)                               \
-        do {                                                            \
-                if (!assert_log(expr, #expr)) {                         \
-                        errno = err;                                    \
-                        return (r);                                     \
-                }                                                       \
-        } while (false)

src/basic/build.c

@@ -6,7 +6,6 @@
 #include "ansi-color.h"
 #include "build.h"
 #include "extract-word.h"
-#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 #include "terminal-util.h"

src/basic/cap-list.c

@@ -8,7 +8,6 @@
 #include "capability-util.h"
 #include "cap-list.h"
 #include "extract-word.h"
-#include "log.h"
 #include "macro.h"
 #include "parse-util.h"
 #include "stdio-util.h"

src/basic/capability-util.c

@@ -20,7 +20,6 @@
 #include "macro.h"
 #include "parse-util.h"
 #include "pidref.h"
-#include "process-util.h"
 #include "stat-util.h"
 #include "user-util.h"
 

src/basic/chattr-util.c

@@ -10,7 +10,6 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fs-util.h"
-#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 

src/basic/compress.c

@@ -27,7 +27,6 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "io-util.h"
-#include "log.h"
 #include "macro.h"
 #include "sparse-endian.h"
 #include "string-table.h"

src/basic/confidential-virt.c

@@ -14,7 +14,6 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "log.h"
 #include "string-table.h"
 #include "utf8.h"
 

src/basic/dlfcn-util.c

@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "dlfcn-util.h"
-#include "log.h"
 
 static int dlsym_many_or_warnv(void *dl, int log_level, va_list ap) {
         void (**fn)(void);

src/basic/dlfcn-util.h

@@ -3,7 +3,6 @@
 
 #include <dlfcn.h>
 
-#include "assert-util.h"
 #include "macro.h"
 
 static inline void* safe_dlclose(void *dl) {

src/basic/efivars.c

@@ -15,7 +15,6 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "io-util.h"
-#include "log.h"
 #include "macro.h"
 #include "memory-util.h"
 #include "missing_fs.h"

src/basic/env-file.c

@@ -7,7 +7,6 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
-#include "log.h"
 #include "string-util.h"
 #include "strv.h"
 #include "tmpfile-util.h"

src/basic/env-util.c

@@ -11,7 +11,6 @@
 #include "errno-util.h"
 #include "escape.h"
 #include "extract-word.h"
-#include "log.h"
 #include "macro.h"
 #include "parse-util.h"
 #include "path-util.h"

src/basic/errno-util.h

@@ -5,7 +5,6 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "assert-util.h"
 #include "macro.h"
 
 /* strerror(3) says that glibc uses a maximum length of 1024 bytes. */

src/basic/ether-addr-util.c

@@ -8,7 +8,6 @@
 
 #include "ether-addr-util.h"
 #include "hexdecoct.h"
-#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 

src/basic/fd-util.c

@@ -15,7 +15,6 @@
 #include "fileio.h"
 #include "fs-util.h"
 #include "io-util.h"
-#include "log.h"
 #include "macro.h"
 #include "missing_fcntl.h"
 #include "missing_fs.h"

src/basic/fd-util.h

@@ -8,7 +8,6 @@
 #include <sys/socket.h>
 
 #include "macro.h"
-#include "memory-util.h"
 #include "missing_fcntl.h"
 #include "stdio-util.h"
 

src/basic/format-ifname.c

@@ -1,8 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "format-ifname.h"
-#include "log.h"
-#include "stdio-util.h"
 #include "string-util.h"
 
 assert_cc(STRLEN("%") + DECIMAL_STR_MAX(int) <= IF_NAMESIZE);

src/basic/gcrypt-util.c

@@ -4,7 +4,6 @@
 
 #include "gcrypt-util.h"
 #include "hexdecoct.h"
-#include "log.h"
 
 static void *gcrypt_dl = NULL;
 
@@ -106,4 +105,39 @@ int initialize_libgcrypt(bool secmem) {
 
         return 0;
 }
+
+#  if !PREFER_OPENSSL
+int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
+        _cleanup_(sym_gcry_md_closep) gcry_md_hd_t md = NULL;
+        gcry_error_t err;
+        size_t hash_size;
+        void *hash;
+        char *enc;
+        int r;
+
+        r = initialize_libgcrypt(false);
+        if (r < 0)
+                return r;
+
+        hash_size = sym_gcry_md_get_algo_dlen(md_algorithm);
+        assert(hash_size > 0);
+
+        err = sym_gcry_md_open(&md, md_algorithm, 0);
+        if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
+                return -EIO;
+
+        sym_gcry_md_write(md, s, len);
+
+        hash = sym_gcry_md_read(md, 0);
+        if (!hash)
+                return -EIO;
+
+        enc = hexmem(hash, hash_size);
+        if (!enc)
+                return -ENOMEM;
+
+        *out = enc;
+        return 0;
+}
+#  endif
 #endif

src/basic/gcrypt-util.h

@@ -11,7 +11,6 @@
 
 #include "dlfcn-util.h"
 #include "macro.h"
-#include "memory-util.h"
 
 extern DLSYM_PROTOTYPE(gcry_md_close);
 extern DLSYM_PROTOTYPE(gcry_md_copy);
@@ -64,3 +63,25 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
                 (h__)->buf[(h__)->bufpos++] = (c) & 0xff;  \
         } while(false)
 #endif
+
+#if !PREFER_OPENSSL
+#  if HAVE_GCRYPT
+int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
+#  endif
+
+static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
+#  if HAVE_GCRYPT
+        return string_hashsum(s, len, GCRY_MD_SHA224, out);
+#  else
+        return -EOPNOTSUPP;
+#  endif
+}
+
+static inline int string_hashsum_sha256(const char *s, size_t len, char **out) {
+#  if HAVE_GCRYPT
+        return string_hashsum(s, len, GCRY_MD_SHA256, out);
+#  else
+        return -EOPNOTSUPP;
+#  endif
+}
+#endif

src/basic/glob-util.c

@@ -8,7 +8,6 @@
 #include "dirent-util.h"
 #include "errno-util.h"
 #include "glob-util.h"
-#include "log.h"
 #include "macro.h"
 #include "path-util.h"
 #include "strv.h"

src/basic/hashmap.c

@@ -12,7 +12,6 @@
 #include "alloc-util.h"
 #include "fileio.h"
 #include "hashmap.h"
-#include "log.h"
 #include "logarithm.h"
 #include "macro.h"
 #include "memory-util.h"
@@ -913,20 +912,24 @@ static void hashmap_free_no_clear(HashmapBase *h) {
                 free(h);
 }
 
-HashmapBase* _hashmap_free(HashmapBase *h) {
+HashmapBase* _hashmap_free(HashmapBase *h, free_func_t default_free_key, free_func_t default_free_value) {
         if (h) {
-                _hashmap_clear(h);
+                _hashmap_clear(h, default_free_key, default_free_value);
                 hashmap_free_no_clear(h);
         }
 
         return NULL;
 }
 
-void _hashmap_clear(HashmapBase *h) {
+void _hashmap_clear(HashmapBase *h, free_func_t default_free_key, free_func_t default_free_value) {
+        free_func_t free_key, free_value;
         if (!h)
                 return;
 
-        if (h->hash_ops->free_key || h->hash_ops->free_value) {
+        free_key = h->hash_ops->free_key ?: default_free_key;
+        free_value = h->hash_ops->free_value ?: default_free_value;
+
+        if (free_key || free_value) {
 
                 /* If destructor calls are defined, let's destroy things defensively: let's take the item out of the
                  * hash table, and only then call the destructor functions. If these destructors then try to unregister
@@ -938,11 +941,11 @@ void _hashmap_clear(HashmapBase *h) {
 
                         v = _hashmap_first_key_and_value(h, true, &k);
 
-                        if (h->hash_ops->free_key)
+                        if (free_key)
-                                h->hash_ops->free_key(k);
+                                free_key(k);
 
-                        if (h->hash_ops->free_value)
+                        if (free_value)
-                                h->hash_ops->free_value(v);
+                                free_value(v);
                 }
         }
 
@@ -1777,7 +1780,7 @@ HashmapBase* _hashmap_copy(HashmapBase *h  HASHMAP_DEBUG_PARAMS) {
         }
 
         if (r < 0)
-                return _hashmap_free(copy);
+                return _hashmap_free(copy, NULL, NULL);
 
         return copy;
 }

src/basic/hashmap.h

@@ -93,12 +93,12 @@ OrderedHashmap* _ordered_hashmap_new(const struct hash_ops *hash_ops  HASHMAP_DE
 #define ordered_hashmap_free_and_replace(a, b)                  \
         free_and_replace_full(a, b, ordered_hashmap_free)
 
-HashmapBase* _hashmap_free(HashmapBase *h);
+HashmapBase* _hashmap_free(HashmapBase *h, free_func_t default_free_key, free_func_t default_free_value);
 static inline Hashmap* hashmap_free(Hashmap *h) {
-        return (void*) _hashmap_free(HASHMAP_BASE(h));
+        return (void*) _hashmap_free(HASHMAP_BASE(h), NULL, NULL);
 }
 static inline OrderedHashmap* ordered_hashmap_free(OrderedHashmap *h) {
-        return (void*) _hashmap_free(HASHMAP_BASE(h));
+        return (void*) _hashmap_free(HASHMAP_BASE(h), NULL, NULL);
 }
 
 IteratedCache* iterated_cache_free(IteratedCache *cache);
@@ -266,12 +266,12 @@ static inline bool ordered_hashmap_iterate(OrderedHashmap *h, Iterator *i, void
         return _hashmap_iterate(HASHMAP_BASE(h), i, value, key);
 }
 
-void _hashmap_clear(HashmapBase *h);
+void _hashmap_clear(HashmapBase *h, free_func_t default_free_key, free_func_t default_free_value);
 static inline void hashmap_clear(Hashmap *h) {
-        _hashmap_clear(HASHMAP_BASE(h));
+        _hashmap_clear(HASHMAP_BASE(h), NULL, NULL);
 }
 static inline void ordered_hashmap_clear(OrderedHashmap *h) {
-        _hashmap_clear(HASHMAP_BASE(h));
+        _hashmap_clear(HASHMAP_BASE(h), NULL, NULL);
 }
 
 /*
@@ -331,6 +331,27 @@ static inline void *ordered_hashmap_first_key(OrderedHashmap *h) {
         return _hashmap_first_key(HASHMAP_BASE(h), false);
 }
 
+#define hashmap_clear_with_destructor(h, f)                     \
+        ({                                                      \
+                Hashmap *_h = (h);                              \
+                void *_item;                                    \
+                while ((_item = hashmap_steal_first(_h)))       \
+                        f(_item);                               \
+                _h;                                             \
+        })
+#define hashmap_free_with_destructor(h, f)                      \
+        hashmap_free(hashmap_clear_with_destructor(h, f))
+#define ordered_hashmap_clear_with_destructor(h, f)                     \
+        ({                                                              \
+                OrderedHashmap *_h = (h);                               \
+                void *_item;                                            \
+                while ((_item = ordered_hashmap_steal_first(_h)))       \
+                        f(_item);                                       \
+                _h;                                                     \
+        })
+#define ordered_hashmap_free_with_destructor(h, f)                      \
+        ordered_hashmap_free(ordered_hashmap_clear_with_destructor(h, f))
+
 /* no hashmap_next */
 void* ordered_hashmap_next(OrderedHashmap *h, const void *key);
 

src/basic/hostname-util.c

@@ -10,7 +10,6 @@
 #include "alloc-util.h"
 #include "env-file.h"
 #include "hostname-util.h"
-#include "log.h"
 #include "os-util.h"
 #include "string-util.h"
 #include "strv.h"

src/basic/initrd-util.c

@@ -5,7 +5,6 @@
 #include "env-util.h"
 #include "errno-util.h"
 #include "initrd-util.h"
-#include "log.h"
 #include "parse-util.h"
 #include "stat-util.h"
 #include "string-util.h"

src/basic/keyring-util.c

@@ -1,8 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "keyring-util.h"
-#include "log.h"
-#include "alloc-util.h"
 #include "memory-util.h"
 #include "missing_syscall.h"
 

src/basic/limits-util.c

@@ -5,7 +5,6 @@
 #include "alloc-util.h"
 #include "cgroup-util.h"
 #include "limits-util.h"
-#include "log.h"
 #include "memory-util.h"
 #include "parse-util.h"
 #include "process-util.h"