.github/workflows/unit_tests.sh

@@ -29,8 +29,6 @@ function info() {
 
 set -ex
 
-MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
-
 for phase in "${PHASES[@]}"; do
     case $phase in
         SETUP)

.github/workflows/unit_tests.yml

@@ -22,18 +22,10 @@ jobs:
       fail-fast: false
       matrix:
         run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_ASAN_UBSAN]
-        cryptolib: [auto]
-        include:
-          - run_phase: GCC
-            cryptolib: openssl
-          - run_phase: CLANG
-            cryptolib: gcrypt
     steps:
       - name: Repository checkout
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
       - name: Install build dependencies
         run: sudo -E .github/workflows/unit_tests.sh SETUP
-      - name: Build & test (${{ matrix.run_phase }}-${{ matrix.cryptolib }})
+      - name: Build & test (${{ matrix.run_phase }})
         run: sudo -E .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
-        env:
-          CRYPTOLIB: ${{ matrix.cryptolib }}

.packit.yml

@@ -31,9 +31,6 @@ actions:
     # [0] https://github.com/mesonbuild/meson/issues/7360
     # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
     - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
-    # FIXME: temporarily disable the deprecated-declarations check to suppress
-    #        OpenSSL 3.0 warnings in Rawhide
-    - 'sed -i "1 i %global optflags %{optflags} -Wno-deprecated-declarations" .packit_rpm/systemd.spec'
 
 jobs:
 - job: copr_build

TODO

@@ -432,8 +432,11 @@ Features:
 * socket units: allow creating a udev monitor socket with ListenDevices= or so,
   with matches, then activate app through that passing socket over
 
-* unify on openssl:
+* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
+  confusion is gone)
+  - port resolved over from libgcrypt (DNSSEC code)
   - port journald + fsprg over from libgcrypt
+  - port importd over from libgcrypt
   - when that's done: kill gnutls support in resolved
 
 * add growvol and makevol options for /etc/crypttab, similar to

meson.build

@@ -1448,25 +1448,21 @@ else
 endif
 conf.set10('HAVE_DBUS', have)
 
-# We support one or the other. If gcrypt is available, we assume it's there to
-# be used, and use it in preference.
-opt = get_option('cryptolib')
-if opt == 'openssl' and conf.get('HAVE_OPENSSL') == 0
-        error('openssl requested as the default cryptolib, but not available')
+default_dnssec = get_option('default-dnssec')
+if skip_deps
+        default_dnssec = 'no'
 endif
-conf.set10('PREFER_OPENSSL',
-           opt == 'openssl' or (opt == 'auto' and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_GCRYPT') == 0))
-conf.set10('HAVE_OPENSSL_OR_GCRYPT',
-           conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
-lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? libopenssl : libgcrypt
+if default_dnssec != 'no' and conf.get('HAVE_GCRYPT') == 0
+        message('default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.')
+        default_dnssec = 'no'
+endif
+conf.set('DEFAULT_DNSSEC_MODE',
+         'DNSSEC_' + default_dnssec.underscorify().to_upper())
+conf.set_quoted('DEFAULT_DNSSEC_MODE_STR', default_dnssec)
 
 dns_over_tls = get_option('dns-over-tls')
 if dns_over_tls != 'false'
-        if dns_over_tls == 'gnutls' and conf.get('PREFER_OPENSSL') == 1
-                error('Sorry, -Ddns-over-tls=gnutls is not supported when openssl is used as the cryptolib')
-        endif
-
-        if dns_over_tls == 'openssl' or conf.get('PREFER_OPENSSL') == 1
+        if dns_over_tls == 'openssl'
                 have_gnutls = false
         else
                 have_gnutls = (conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0'))
@@ -1527,24 +1523,12 @@ else
 endif
 conf.set10('ENABLE_REPART', have)
 
-default_dnssec = get_option('default-dnssec')
-if skip_deps
-        default_dnssec = 'no'
-endif
-if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
-        message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
-        default_dnssec = 'no'
-endif
-conf.set('DEFAULT_DNSSEC_MODE',
-         'DNSSEC_' + default_dnssec.underscorify().to_upper())
-conf.set_quoted('DEFAULT_DNSSEC_MODE_STR', default_dnssec)
-
 want_importd = get_option('importd')
 if want_importd != 'false'
         have = (conf.get('HAVE_LIBCURL') == 1 and
-                conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and
                 conf.get('HAVE_ZLIB') == 1 and
-                conf.get('HAVE_XZ') == 1)
+                conf.get('HAVE_XZ') == 1 and
+                conf.get('HAVE_GCRYPT') == 1)
         if want_importd == 'true' and not have
                 error('importd support was requested, but dependencies are not available')
         endif
@@ -2155,7 +2139,6 @@ if conf.get('ENABLE_RESOLVE') == 1
                              libbasic_gcrypt,
                              libsystemd_resolve_core],
                 dependencies : [threads,
-                                lib_openssl_or_gcrypt,
                                 libgpg_error,
                                 libm,
                                 libidn],
@@ -2734,10 +2717,10 @@ if conf.get('ENABLE_IMPORTD') == 1
                 link_with : [libshared],
                 dependencies : [versiondep,
                                 libcurl,
-                                lib_openssl_or_gcrypt,
                                 libz,
                                 libbzip2,
-                                libxz],
+                                libxz,
+                                libgcrypt],
                 install_rpath : rootlibexecdir,
                 install : true,
                 install_dir : rootlibexecdir)
@@ -4038,14 +4021,6 @@ else
         found += 'static-libudev(@0@)'.format(static_libudev)
 endif
 
-if conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and conf.get('PREFER_OPENSSL') == 1
-        found += 'cryptolib(openssl)'
-elif conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1
-        found += 'cryptolib(gcrypt)'
-else
-        missing += 'cryptolib'
-endif
-
 if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1
         found += 'DNS-over-TLS(gnutls)'
 elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1

meson_options.txt

@@ -380,8 +380,6 @@ option('gnutls', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'gnutls support')
 option('openssl', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'openssl support')
-option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
-       description : 'whether to use openssl or gcrypt where both are supported')
 option('p11kit', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'p11kit support')
 option('libfido2', type : 'combo', choices : ['auto', 'true', 'false'],

src/basic/build.c

@@ -48,7 +48,7 @@ const char* const systemd_features =
         " -SECCOMP"
 #endif
 
-        /* cryptographic libraries */
+        /* crypto libraries */
 
 #if HAVE_GCRYPT
         " +GCRYPT"

src/basic/gcrypt-util.c

@@ -18,7 +18,6 @@ void initialize_libgcrypt(bool secmem) {
         gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 }
 
-#  if !PREFER_OPENSSL
 int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
         _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
         gcry_error_t err;
@@ -49,4 +48,3 @@ int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
         return 0;
 }
 #endif
-#endif

src/basic/gcrypt-util.h

@@ -12,15 +12,11 @@
 #include "macro.h"
 
 void initialize_libgcrypt(bool secmem);
+int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
 #endif
 
-#if !PREFER_OPENSSL
-#  if HAVE_GCRYPT
-int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
-#  endif
-
 static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
 #if HAVE_GCRYPT
         return string_hashsum(s, len, GCRY_MD_SHA224, out);
@@ -36,4 +32,3 @@ static inline int string_hashsum_sha256(const char *s, size_t len, char **out) {
         return -EOPNOTSUPP;
 #endif
 }
-#endif

src/import/pull-job.c

@@ -41,12 +41,8 @@ PullJob* pull_job_unref(PullJob *j) {
 
         import_compress_free(&j->compress);
 
-        if (j->checksum_ctx)
-#if PREFER_OPENSSL
-                EVP_MD_CTX_free(j->checksum_ctx);
-#else
-                gcry_md_close(j->checksum_ctx);
-#endif
+        if (j->checksum_context)
+                gcry_md_close(j->checksum_context);
 
         free(j->url);
         free(j->etag);
@@ -106,13 +102,9 @@ static int pull_job_restart(PullJob *j, const char *new_url) {
 
         import_compress_free(&j->compress);
 
-        if (j->checksum_ctx) {
-#if PREFER_OPENSSL
-                EVP_MD_CTX_free(j->checksum_ctx);
-#else
-                gcry_md_close(j->checksum_ctx);
-#endif
-                j->checksum_ctx = NULL;
+        if (j->checksum_context) {
+                gcry_md_close(j->checksum_context);
+                j->checksum_context = NULL;
         }
 
         r = pull_job_begin(j);
@@ -208,30 +200,16 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
                 goto finish;
         }
 
-        if (j->checksum_ctx) {
-                unsigned checksum_len;
-#if PREFER_OPENSSL
-                uint8_t k[EVP_MAX_MD_SIZE];
+        if (j->checksum_context) {
+                uint8_t *k;
 
-                r = EVP_DigestFinal_ex(j->checksum_ctx, k, &checksum_len);
-                if (r == 0) {
-                        r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get checksum.");
-                        goto finish;
-                }
-                assert(checksum_len <= sizeof k);
-#else
-                const uint8_t *k;
-
-                k = gcry_md_read(j->checksum_ctx, GCRY_MD_SHA256);
+                k = gcry_md_read(j->checksum_context, GCRY_MD_SHA256);
                 if (!k) {
                         r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get checksum.");
                         goto finish;
                 }
 
-                checksum_len = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
-#endif
-
-                j->checksum = hexmem(k, checksum_len);
+                j->checksum = hexmem(k, gcry_md_get_algo_dlen(GCRY_MD_SHA256));
                 if (!j->checksum) {
                         r = log_oom();
                         goto finish;
@@ -380,16 +358,8 @@ static int pull_job_write_compressed(PullJob *j, void *p, size_t sz) {
                 return log_error_errno(SYNTHETIC_ERRNO(EFBIG),
                                        "Content length incorrect.");
 
-        if (j->checksum_ctx) {
-#if PREFER_OPENSSL
-                r = EVP_DigestUpdate(j->checksum_ctx, p, sz);
-                if (r == 0)
-                        return log_error_errno(SYNTHETIC_ERRNO(EIO),
-                                               "Could not hash chunk.");
-#else
-                gcry_md_write(j->checksum_ctx, p, sz);
-#endif
-        }
+        if (j->checksum_context)
+                gcry_md_write(j->checksum_context, p, sz);
 
         r = import_uncompress(&j->compress, p, sz, pull_job_write_uncompressed, j);
         if (r < 0)
@@ -422,22 +392,11 @@ static int pull_job_open_disk(PullJob *j) {
         }
 
         if (j->calc_checksum) {
-#if PREFER_OPENSSL
-                j->checksum_ctx = EVP_MD_CTX_new();
-                if (!j->checksum_ctx)
-                        return log_oom();
-
-                r = EVP_DigestInit_ex(j->checksum_ctx, EVP_sha256(), NULL);
-                if (r == 0)
-                        return log_error_errno(SYNTHETIC_ERRNO(EIO),
-                                               "Failed to initialize hash context.");
-#else
                 initialize_libgcrypt(false);
 
-                if (gcry_md_open(&j->checksum_ctx, GCRY_MD_SHA256, 0) != 0)
+                if (gcry_md_open(&j->checksum_context, GCRY_MD_SHA256, 0) != 0)
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                "Failed to initialize hash context.");
-#endif
         }
 
         return 0;

src/import/pull-job.h

@@ -1,12 +1,12 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#include <gcrypt.h>
 #include <sys/stat.h>
 
 #include "curl-util.h"
 #include "import-compress.h"
 #include "macro.h"
-#include "openssl-util.h"
 #include "pull-common.h"
 
 typedef struct PullJob PullJob;
@@ -74,7 +74,7 @@ struct PullJob {
         usec_t last_status_usec;
 
         bool calc_checksum;
-        hash_context_t checksum_ctx;
+        gcry_md_hd_t checksum_context;
 
         char *checksum;
         bool sync;

src/partition/repart.c

@@ -12,6 +12,9 @@
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 
+#include <openssl/hmac.h>
+#include <openssl/sha.h>
+
 #include "sd-id128.h"
 
 #include "alloc-util.h"
@@ -35,7 +38,6 @@
 #include "glyph-util.h"
 #include "gpt.h"
 #include "hexdecoct.h"
-#include "hmac.h"
 #include "id128-util.h"
 #include "json.h"
 #include "list.h"
@@ -1517,7 +1519,7 @@ static int fdisk_set_disklabel_id_by_uuid(struct fdisk_context *c, sd_id128_t id
 
 static int derive_uuid(sd_id128_t base, const char *token, sd_id128_t *ret) {
         union {
-                uint8_t md[SHA256_DIGEST_SIZE];
+                unsigned char md[SHA256_DIGEST_LENGTH];
                 sd_id128_t id;
         } result;
 
@@ -1529,7 +1531,11 @@ static int derive_uuid(sd_id128_t base, const char *token, sd_id128_t *ret) {
          * machine ID). We use the machine ID as key (and not as cleartext!) of the HMAC operation since it's
          * the machine ID we don't want to leak. */
 
-        hmac_sha256(base.bytes, sizeof(base.bytes), token, strlen(token), result.md);
+        if (!HMAC(EVP_sha256(),
+                  &base, sizeof(base),
+                  (const unsigned char*) token, strlen(token),
+                  result.md, NULL))
+                return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "HMAC-SHA256 calculation failed.");
 
         /* Take the first half, mark it as v4 UUID */
         assert_cc(sizeof(result.md) == sizeof(result.id) * 2);
@@ -3061,7 +3067,7 @@ static int partition_acquire_uuid(Context *context, Partition *p, sd_id128_t *re
                 uint64_t counter;
         } _packed_  plaintext = {};
         union {
-                uint8_t md[SHA256_DIGEST_SIZE];
+                unsigned char md[SHA256_DIGEST_LENGTH];
                 sd_id128_t id;
         } result;
 
@@ -3105,10 +3111,11 @@ static int partition_acquire_uuid(Context *context, Partition *p, sd_id128_t *re
         plaintext.type_uuid = p->type_uuid;
         plaintext.counter = htole64(k);
 
-        hmac_sha256(context->seed.bytes, sizeof(context->seed.bytes),
-                    &plaintext,
-                    k == 0 ? sizeof(sd_id128_t) : sizeof(plaintext),
-                    result.md);
+        if (!HMAC(EVP_sha256(),
+                  &context->seed, sizeof(context->seed),
+                  (const unsigned char*) &plaintext, k == 0 ? sizeof(sd_id128_t) : sizeof(plaintext),
+                  result.md, NULL))
+                return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SHA256 calculation failed.");
 
         /* Take the first half, mark it as v4 UUID */
         assert_cc(sizeof(result.md) == sizeof(result.id) * 2);

src/resolve/meson.build

@@ -176,16 +176,14 @@ tests += [
         [['src/resolve/test-resolve-tables.c'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
           libm]],
 
         [['src/resolve/test-dns-packet.c'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
           libm]],
 
@@ -194,33 +192,28 @@ tests += [
           'src/resolve/resolved-etc-hosts.h'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
           libm]],
 
         [['src/resolve/test-resolved-packet.c'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
           libm]],
 
         [['src/resolve/test-dnssec.c'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
-          libm],
-         [], 'HAVE_OPENSSL_OR_GCRYPT'],
+          libm]],
 
         [['src/resolve/test-dnssec-complex.c'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
           libm],
          [], '', 'manual'],
@@ -230,8 +223,7 @@ fuzzers += [
         [['src/resolve/fuzz-dns-packet.c'],
          [libsystemd_resolve_core,
           libshared],
-         [lib_openssl_or_gcrypt,
-          libgcrypt,
+         [libgcrypt,
           libgpg_error,
           libm]],
 ]

src/resolve/resolvectl.c

@@ -23,7 +23,6 @@
 #include "main-func.h"
 #include "missing_network.h"
 #include "netlink-util.h"
-#include "openssl-util.h"
 #include "pager.h"
 #include "parse-argument.h"
 #include "parse-util.h"

src/resolve/resolved-conf.c

@@ -498,9 +498,9 @@ int manager_parse_config_file(Manager *m) {
                         return r;
         }
 
-#if !HAVE_OPENSSL_OR_GCRYPT
+#if ! HAVE_GCRYPT
         if (m->dnssec_mode != DNSSEC_NO) {
-                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
+                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
                 m->dnssec_mode = DNSSEC_NO;
         }
 #endif

src/resolve/resolved-dns-packet.c

@@ -776,7 +776,7 @@ int dns_packet_append_opt(
                 static const uint8_t rfc6975[] = {
 
                         0, 5, /* OPTION_CODE: DAU */
-#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
+#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
                         0, 7, /* LIST_LENGTH */
 #else
                         0, 6, /* LIST_LENGTH */
@@ -787,7 +787,7 @@ int dns_packet_append_opt(
                         DNSSEC_ALGORITHM_RSASHA512,
                         DNSSEC_ALGORITHM_ECDSAP256SHA256,
                         DNSSEC_ALGORITHM_ECDSAP384SHA384,
-#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
+#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
                         DNSSEC_ALGORITHM_ED25519,
 #endif
 

src/resolve/resolved-link.c

@@ -414,9 +414,9 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {
 
         assert(l);
 
-#if !HAVE_OPENSSL_OR_GCRYPT
+#if ! HAVE_GCRYPT
         if (IN_SET(mode, DNSSEC_YES, DNSSEC_ALLOW_DOWNGRADE))
-                log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
+                log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
         return;
 #endif
 

src/resolve/test-dnssec.c

@@ -1,12 +1,11 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <arpa/inet.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-
 #if HAVE_GCRYPT
 #include <gcrypt.h>
 #endif
+#include <netinet/in.h>
+#include <sys/socket.h>
 
 #include "alloc-util.h"
 #include "resolved-dns-dnssec.h"
@@ -14,6 +13,8 @@
 #include "string-util.h"
 #include "hexdecoct.h"
 
+#if HAVE_GCRYPT
+
 static void test_dnssec_verify_dns_key(void) {
 
         static const uint8_t ds1_fprint[] = {
@@ -173,7 +174,7 @@ static void test_dnssec_verify_rfc8080_ed25519_example1(void) {
 
         assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey,
                                 rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
+#if GCRYPT_VERSION_NUMBER >= 0x010600
         assert_se(result == DNSSEC_VALIDATED);
 #else
         assert_se(result == DNSSEC_UNSUPPORTED_ALGORITHM);
@@ -265,195 +266,12 @@ static void test_dnssec_verify_rfc8080_ed25519_example2(void) {
 
         assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey,
                                 rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
+#if GCRYPT_VERSION_NUMBER >= 0x010600
         assert_se(result == DNSSEC_VALIDATED);
 #else
         assert_se(result == DNSSEC_UNSUPPORTED_ALGORITHM);
 #endif
 }
-
-static void test_dnssec_verify_rfc6605_example1(void) {
-        static const uint8_t signature_blob[] = {
-                0xab, 0x1e, 0xb0, 0x2d, 0x8a, 0xa6, 0x87, 0xe9, 0x7d, 0xa0, 0x22, 0x93, 0x37, 0xaa, 0x88, 0x73,
-                0xe6, 0xf0, 0xeb, 0x26, 0xbe, 0x28, 0x9f, 0x28, 0x33, 0x3d, 0x18, 0x3f, 0x5d, 0x3b, 0x7a, 0x95,
-                0xc0, 0xc8, 0x69, 0xad, 0xfb, 0x74, 0x8d, 0xae, 0xe3, 0xc5, 0x28, 0x6e, 0xed, 0x66, 0x82, 0xc1,
-                0x2e, 0x55, 0x33, 0x18, 0x6b, 0xac, 0xed, 0x9c, 0x26, 0xc1, 0x67, 0xa9, 0xeb, 0xae, 0x95, 0x0b,
-        };
-
-        static const uint8_t ds_fprint[] = {
-                0x6f, 0x87, 0x3c, 0x73, 0x57, 0xde, 0xd9, 0xee, 0xf8, 0xef, 0xbd, 0x76, 0xed, 0xbd, 0xbb, 0xd7,
-                0x5e, 0x7a, 0xe7, 0xa6, 0x9d, 0xeb, 0x6e, 0x7a, 0x7f, 0x8d, 0xb8, 0xeb, 0x6e, 0x5b, 0x7f, 0x97,
-                0x35, 0x7b, 0x6e, 0xfb, 0xd1, 0xc7, 0xba, 0x77, 0xa7, 0xb7, 0xed, 0xd7, 0xfa, 0xd5, 0xdd, 0x7b,
-        };
-
-        static const uint8_t dnskey_blob[] = {
-                0x1a, 0x88, 0xc8, 0x86, 0x15, 0xd4, 0x37, 0xfb, 0xb8, 0xbf, 0x9e, 0x19, 0x42, 0xa1, 0x92, 0x9f,
-                0x28, 0x56, 0x27, 0x06, 0xae, 0x6c, 0x2b, 0xd3, 0x99, 0xe7, 0xb1, 0xbf, 0xb6, 0xd1, 0xe9, 0xe7,
-                0x5b, 0x92, 0xb4, 0xaa, 0x42, 0x91, 0x7a, 0xe1, 0xc6, 0x1b, 0x70, 0x1e, 0xf0, 0x35, 0xc3, 0xfe,
-                0x7b, 0xe3, 0x00, 0x9c, 0xba, 0xfe, 0x5a, 0x2f, 0x71, 0x31, 0x6c, 0x90, 0x2d, 0xcf, 0x0d, 0x00,
-        };
-
-        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds = NULL, *a = NULL,
-                *rrsig = NULL;
-        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
-        DnssecResult result;
-
-        dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "example.net.");
-        assert_se(dnskey);
-
-        dnskey->dnskey.flags = 257;
-        dnskey->dnskey.protocol = 3;
-        dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_ECDSAP256SHA256;
-        dnskey->dnskey.key_size = sizeof(dnskey_blob);
-        dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
-        assert_se(dnskey->dnskey.key);
-
-        log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
-
-        ds = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "example.net.");
-        assert_se(ds);
-
-        ds->ds.key_tag = 55648;
-        ds->ds.algorithm = DNSSEC_ALGORITHM_ECDSAP256SHA256;
-        ds->ds.digest_type = DNSSEC_DIGEST_SHA256;
-        ds->ds.digest_size = sizeof(ds_fprint);
-        ds->ds.digest = memdup(ds_fprint, ds->ds.digest_size);
-        assert_se(ds->ds.digest);
-
-        log_info("DS: %s", strna(dns_resource_record_to_string(ds)));
-
-        a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "www.example.net");
-        assert_se(a);
-
-        a->a.in_addr.s_addr = inet_addr("192.0.2.1");
-
-        log_info("A: %s", strna(dns_resource_record_to_string(a)));
-
-        rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "www.example.net.");
-        assert_se(rrsig);
-
-        rrsig->rrsig.type_covered = DNS_TYPE_A;
-        rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_ECDSAP256SHA256;
-        rrsig->rrsig.labels = 3;
-        rrsig->rrsig.expiration = 1284026679;
-        rrsig->rrsig.inception = 1281607479;
-        rrsig->rrsig.key_tag = 55648;
-        rrsig->rrsig.original_ttl = 3600;
-        rrsig->rrsig.signer = strdup("example.net.");
-        assert_se(rrsig->rrsig.signer);
-        rrsig->rrsig.signature_size = sizeof(signature_blob);
-        rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
-        assert_se(rrsig->rrsig.signature);
-
-        log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
-
-        assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
-        assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
-
-        answer = dns_answer_new(1);
-        assert_se(answer);
-        assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
-
-        assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey,
-                                      rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-        assert_se(result == DNSSEC_VALIDATED);
-}
-
-static void test_dnssec_verify_rfc6605_example2(void) {
-        static const uint8_t signature_blob[] = {
-                0xfc, 0xbe, 0x61, 0x0c, 0xa2, 0x2f, 0x18, 0x3c, 0x88, 0xd5, 0xf7, 0x00, 0x45, 0x7d, 0xf3, 0xeb,
-                0x9a, 0xab, 0x98, 0xfb, 0x15, 0xcf, 0xbd, 0xd0, 0x0f, 0x53, 0x2b, 0xe4, 0x21, 0x2a, 0x3a, 0x22,
-                0xcf, 0xf7, 0x98, 0x71, 0x42, 0x8b, 0xae, 0xae, 0x81, 0x82, 0x79, 0x93, 0xaf, 0xcc, 0x56, 0xb1,
-                0xb1, 0x3f, 0x06, 0x96, 0xbe, 0xf8, 0x85, 0xb6, 0xaf, 0x44, 0xa6, 0xb2, 0x24, 0xdb, 0xb2, 0x74,
-                0x2b, 0xb3, 0x59, 0x34, 0x92, 0x3d, 0xdc, 0xfb, 0xc2, 0x7a, 0x97, 0x2f, 0x96, 0xdd, 0x70, 0x9c,
-                0xee, 0xb1, 0xd9, 0xc8, 0xd1, 0x14, 0x8c, 0x44, 0xec, 0x71, 0xc0, 0x68, 0xa9, 0x59, 0xc2, 0x66,
-
-        };
-
-        static const uint8_t ds_fprint[] = {
-                0xef, 0x67, 0x7b, 0x6f, 0xad, 0xbd, 0xef, 0xa7, 0x1e, 0xd3, 0xae, 0x37, 0xf1, 0xef, 0x5c, 0xd1,
-                0xb7, 0xf7, 0xd7, 0xdd, 0x35, 0xdd, 0xc7, 0xfc, 0xd3, 0x57, 0xf4, 0xf5, 0xe7, 0x1c, 0xf3, 0x86,
-                0xfc, 0x77, 0xb7, 0xbd, 0xe3, 0xde, 0x5f, 0xdb, 0xb7, 0xb7, 0xd3, 0x97, 0x3a, 0x6b, 0xd6, 0xf4,
-                0xe7, 0xad, 0xda, 0xf5, 0xbe, 0x5f, 0xe1, 0xdd, 0xbc, 0xf3, 0x8d, 0x39, 0x73, 0x7d, 0x34, 0xf1,
-                0xaf, 0x78, 0xe9, 0xd7, 0xfd, 0xf3, 0x77, 0x7a,
-        };
-
-        static const uint8_t dnskey_blob[] = {
-                0xc4, 0xa6, 0x1a, 0x36, 0x15, 0x9d, 0x18, 0xe7, 0xc9, 0xfa, 0x73, 0xeb, 0x2f, 0xcf, 0xda, 0xae,
-                0x4c, 0x1f, 0xd8, 0x46, 0x37, 0x30, 0x32, 0x7e, 0x48, 0x4a, 0xca, 0x8a, 0xf0, 0x55, 0x4a, 0xe9,
-                0xb5, 0xc3, 0xf7, 0xa0, 0xb1, 0x7b, 0xd2, 0x00, 0x3b, 0x4d, 0x26, 0x1c, 0x9e, 0x9b, 0x94, 0x42,
-                0x3a, 0x98, 0x10, 0xe8, 0xaf, 0x17, 0xd4, 0x34, 0x52, 0x12, 0x4a, 0xdb, 0x61, 0x0f, 0x8e, 0x07,
-                0xeb, 0xfc, 0xfe, 0xe5, 0xf8, 0xe4, 0xd0, 0x70, 0x63, 0xca, 0xe9, 0xeb, 0x91, 0x7a, 0x1a, 0x5b,
-                0xab, 0xf0, 0x8f, 0xe6, 0x95, 0x53, 0x60, 0x17, 0xa5, 0xbf, 0xa9, 0x32, 0x37, 0xee, 0x6e, 0x34,
-        };
-
-
-        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds = NULL, *a = NULL,
-                *rrsig = NULL;
-        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
-        DnssecResult result;
-
-        dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "example.net.");
-        assert_se(dnskey);
-
-        dnskey->dnskey.flags = 257;
-        dnskey->dnskey.protocol = 3;
-        dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_ECDSAP384SHA384;
-        dnskey->dnskey.key_size = sizeof(dnskey_blob);
-        dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
-        assert_se(dnskey->dnskey.key);
-
-        log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
-
-        ds = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "example.net.");
-        assert_se(ds);
-
-        ds->ds.key_tag = 10771;
-        ds->ds.algorithm = DNSSEC_ALGORITHM_ECDSAP384SHA384;
-        ds->ds.digest_type = DNSSEC_DIGEST_SHA384;
-        ds->ds.digest_size = sizeof(ds_fprint);
-        ds->ds.digest = memdup(ds_fprint, ds->ds.digest_size);
-        assert_se(ds->ds.digest);
-
-        log_info("DS: %s", strna(dns_resource_record_to_string(ds)));
-
-        a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "www.example.net");
-        assert_se(a);
-
-        a->a.in_addr.s_addr = inet_addr("192.0.2.1");
-
-        log_info("A: %s", strna(dns_resource_record_to_string(a)));
-
-        rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "www.example.net.");
-        assert_se(rrsig);
-
-        rrsig->rrsig.type_covered = DNS_TYPE_A;
-        rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_ECDSAP384SHA384;
-        rrsig->rrsig.labels = 3;
-        rrsig->rrsig.expiration = 1284027625;
-        rrsig->rrsig.inception = 1281608425;
-        rrsig->rrsig.key_tag = 10771;
-        rrsig->rrsig.original_ttl = 3600;
-        rrsig->rrsig.signer = strdup("example.net.");
-        assert_se(rrsig->rrsig.signer);
-        rrsig->rrsig.signature_size = sizeof(signature_blob);
-        rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
-        assert_se(rrsig->rrsig.signature);
-
-        log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
-
-        assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
-        assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
-
-        answer = dns_answer_new(1);
-        assert_se(answer);
-        assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
-
-        assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey,
-                                      rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-        assert_se(result == DNSSEC_VALIDATED);
-}
-
 static void test_dnssec_verify_rrset(void) {
 
         static const uint8_t signature_blob[] = {
@@ -787,16 +605,19 @@ static void test_dnssec_nsec3_hash(void) {
         assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
 }
 
+#endif
+
 int main(int argc, char *argv[]) {
+
+#if HAVE_GCRYPT
         test_dnssec_verify_dns_key();
         test_dnssec_verify_rfc8080_ed25519_example1();
         test_dnssec_verify_rfc8080_ed25519_example2();
-        test_dnssec_verify_rfc6605_example1();
-        test_dnssec_verify_rfc6605_example2();
         test_dnssec_verify_rrset();
         test_dnssec_verify_rrset2();
         test_dnssec_verify_rrset3();
         test_dnssec_nsec3_hash();
+#endif
 
         return 0;
 }

src/shared/mount-util.h

@@ -11,9 +11,9 @@
 #include "errno-util.h"
 #include "macro.h"
 
-/* 4MB for contents of regular files, 128k inodes for directories, symbolic links and device specials, using
+/* 4MB for contents of regular files, 64k inodes for directories, symbolic links and device specials, using
  * large storage array systems as a baseline */
-#define TMPFS_LIMITS_DEV             ",size=4m,nr_inodes=128k"
+#define TMPFS_LIMITS_DEV             ",size=4m,nr_inodes=64k"
 
 /* Very little, if any use expected */
 #define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k"

src/shared/openssl-util.c

@@ -2,46 +2,8 @@
 
 #include "openssl-util.h"
 #include "alloc-util.h"
-#include "hexdecoct.h"
 
 #if HAVE_OPENSSL
-int openssl_hash(const EVP_MD *alg,
-                 const void *msg,
-                 size_t msg_len,
-                 uint8_t *ret_hash,
-                 size_t *ret_hash_len) {
-
-        _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *ctx = NULL;
-        unsigned len;
-        int r;
-
-        ctx = EVP_MD_CTX_new();
-        if (!ctx)
-                /* This function just calls OPENSSL_zalloc, so failure
-                 * here is almost certainly a failed allocation. */
-                return -ENOMEM;
-
-        /* The documentation claims EVP_DigestInit behaves just like
-         * EVP_DigestInit_ex if passed NULL, except it also calls
-         * EVP_MD_CTX_reset, which deinitializes the context. */
-        r = EVP_DigestInit_ex(ctx, alg, NULL);
-        if (r == 0)
-                return -EIO;
-
-        r = EVP_DigestUpdate(ctx, msg, msg_len);
-        if (r == 0)
-                return -EIO;
-
-        r = EVP_DigestFinal_ex(ctx, ret_hash, &len);
-        if (r == 0)
-                return -EIO;
-
-        if (ret_hash_len)
-                *ret_hash_len = len;
-
-        return 0;
-}
-
 int rsa_encrypt_bytes(
                 EVP_PKEY *pkey,
                 const void *decrypted_key,
@@ -108,33 +70,4 @@ int rsa_pkey_to_suitable_key_size(
         *ret_suitable_key_size = suitable_key_size;
         return 0;
 }
-
-#  if PREFER_OPENSSL
-int string_hashsum(
-                const char *s,
-                size_t len,
-                const EVP_MD *md_algorithm,
-                char **ret) {
-
-        uint8_t hash[EVP_MAX_MD_SIZE];
-        size_t hash_size;
-        char *enc;
-        int r;
-
-        hash_size = EVP_MD_size(md_algorithm);
-        assert(hash_size > 0);
-
-        r = openssl_hash(md_algorithm, s, len, hash, NULL);
-        if (r < 0)
-                return r;
-
-        enc = hexmem(hash, hash_size);
-        if (!enc)
-                return -ENOMEM;
-
-        *ret = enc;
-        return 0;
-
-}
-#  endif
 #endif

src/shared/openssl-util.h

@@ -5,8 +5,6 @@
 
 #if HAVE_OPENSSL
 #  include <openssl/bio.h>
-#  include <openssl/bn.h>
-#  include <openssl/err.h>
 #  include <openssl/evp.h>
 #  include <openssl/pkcs7.h>
 #  include <openssl/ssl.h>
@@ -15,15 +13,7 @@
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIGNUM*, BN_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BN_CTX*, BN_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ECDSA_SIG*, ECDSA_SIG_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
@@ -36,41 +26,8 @@ static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
         sk_X509_pop_free(*sk, X509_free);
 }
 
-int openssl_hash(const EVP_MD *alg, const void *msg, size_t msg_len, uint8_t *ret_hash, size_t *ret_hash_len);
-
 int rsa_encrypt_bytes(EVP_PKEY *pkey, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size);
 
 int rsa_pkey_to_suitable_key_size(EVP_PKEY *pkey, size_t *ret_suitable_key_size);
-#endif
-
-#if PREFER_OPENSSL
-/* The openssl definition */
-typedef const EVP_MD* hash_md_t;
-typedef const EVP_MD* hash_algorithm_t;
-typedef int elliptic_curve_t;
-typedef EVP_MD_CTX* hash_context_t;
-#  define OPENSSL_OR_GCRYPT(a, b) (a)
-
-#elif HAVE_GCRYPT
-
-#  include <gcrypt.h>
-
-/* The gcrypt definition */
-typedef int hash_md_t;
-typedef const char* hash_algorithm_t;
-typedef const char* elliptic_curve_t;
-typedef gcry_md_hd_t hash_context_t;
-#  define OPENSSL_OR_GCRYPT(a, b) (b)
-#endif
-
-#if PREFER_OPENSSL
-int string_hashsum(const char *s, size_t len, hash_algorithm_t md_algorithm, char **ret);
-
-static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
-        return string_hashsum(s, len, EVP_sha224(), ret);
-}
-
-static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
-        return string_hashsum(s, len, EVP_sha256(), ret);
-}
+
 #endif

src/test/meson.build

@@ -594,10 +594,8 @@ tests += [
 
         [['src/test/test-id128.c']],
 
-        [['src/test/test-cryptolib.c'],
-         [libshared],
-         [lib_openssl_or_gcrypt],
-         [], 'HAVE_OPENSSL_OR_GCRYPT'],
+        [['src/test/test-gcrypt-util.c'],
+         [], [], [], 'HAVE_GCRYPT'],
 
         [['src/test/test-nss-hosts.c',
           'src/test/nss-test-util.c',

src/test/test-gcrypt-util.c

@@ -3,34 +3,25 @@
 #include "alloc-util.h"
 #include "gcrypt-util.h"
 #include "macro.h"
-#include "openssl-util.h"
 #include "string-util.h"
 #include "tests.h"
 
 TEST(string_hashsum) {
         _cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
 
-        assert_se(string_hashsum("asdf", 4,
-                                 OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
-                                 &out1) == 0);
+        assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA224, &out1) == 0);
         /* echo -n 'asdf' | sha224sum - */
         assert_se(streq(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a"));
 
-        assert_se(string_hashsum("asdf", 4,
-                                 OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
-                                 &out2) == 0);
+        assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA256, &out2) == 0);
         /* echo -n 'asdf' | sha256sum - */
         assert_se(streq(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"));
 
-        assert_se(string_hashsum("", 0,
-                                 OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
-                                 &out3) == 0);
+        assert_se(string_hashsum("", 0, GCRY_MD_SHA224, &out3) == 0);
         /* echo -n '' | sha224sum - */
         assert_se(streq(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"));
 
-        assert_se(string_hashsum("", 0,
-                                 OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
-                                 &out4) == 0);
+        assert_se(string_hashsum("", 0, GCRY_MD_SHA256, &out4) == 0);
         /* echo -n '' | sha256sum - */
         assert_se(streq(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
 }