DaanDeMeyer
diff --git a/‎.github/workflows/build_test.sh‎
Lines changed: 2 additions & 3 deletions b/‎.github/workflows/build_test.sh‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎.github/workflows/build_test.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/build_test.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/unit_tests.sh‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/unit_tests.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/unit_tests.yml‎
Lines changed: 3 additions & 8 deletions b/‎.github/workflows/unit_tests.yml‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎meson.build‎
Lines changed: 3 additions & 23 deletions b/‎meson.build‎
Lines changed: 3 additions & 23 deletions
diff --git a/‎meson_options.txt‎
Lines changed: 2 additions & 2 deletions b/‎meson_options.txt‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/basic/gcrypt-util.c‎
Lines changed: 0 additions & 35 deletions b/‎src/basic/gcrypt-util.c‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎src/basic/gcrypt-util.h‎
Lines changed: 0 additions & 22 deletions b/‎src/basic/gcrypt-util.h‎
Lines changed: 0 additions & 22 deletions
diff --git a/‎src/import/meson.build‎
Lines changed: 1 addition & 1 deletion b/‎src/import/meson.build‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/import/pull-job.c‎
Lines changed: 0 additions & 35 deletions b/‎src/import/pull-job.c‎
Lines changed: 0 additions & 35 deletions
@@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
 success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
 
 ARGS=(
-    "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Dtpm=true -Dtpm2=enabled"
+    "--optimization=0 -Dopenssl=disabled -Dtpm=true -Dtpm2=enabled"
     "--optimization=s -Dutmp=false"
     "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
     "--optimization=3 -Db_lto=true -Ddns-over-tls=false"
@@ -67,7 +67,6 @@ PACKAGES=(
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 LINKER="${LINKER:?}"
-CRYPTOLIB="${CRYPTOLIB:?}"
 RELEASE="$(lsb_release -cs)"
 
 # Note: As we use postfixed clang/gcc binaries, we need to override $AR
@@ -150,7 +149,7 @@ for args in "${ARGS[@]}"; do
          CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
          meson setup \
                -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-               -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
+               -Dnobody-group=nogroup -Ddebug=false \
                $args build; then
 
         cat build/meson-logs/meson-log.txt
 
@@ -25,11 +25,11 @@ jobs:
       fail-fast: false
       matrix:
         env:
-          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd",  CRYPTOLIB: "gcrypt"  }
-          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
-          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt"  }
-          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd",  CRYPTOLIB: "openssl" }
-          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld",  CRYPTOLIB: "auto"    }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd"  }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold" }
+          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold" }
+          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd"  }
+          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld"  }
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout
 
@@ -41,7 +41,7 @@ function run_meson() {
 
 set -ex
 
-MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
+MESON_ARGS=()
 
 # (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
 # its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the
 
@@ -16,18 +16,15 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     concurrency:
-      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
+      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }}
       cancel-in-progress: true
     strategy:
       fail-fast: false
       matrix:
         run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS]
-        cryptolib: [auto]
         include:
           - run_phase: GCC
-            cryptolib: openssl
           - run_phase: CLANG
-            cryptolib: gcrypt
     steps:
       - name: Repository checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -38,8 +35,6 @@ jobs:
           sudo sed -i '/^XDG_/d' /etc/environment
           # Pass only specific env variables through sudo, to avoid having
           # the already existing XDG_* stuff on the "other side"
-          sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
+          sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
       - name: Build & test
-        run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
-        env:
-          CRYPTOLIB: ${{ matrix.cryptolib }}
+        run: sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
@@ -1475,18 +1475,6 @@ endif
 dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'loongarch64', 'mips', 'riscv64']
 conf.set10('HAVE_DMI', host_machine.cpu_family() in dmi_arches)
 
-# We support one or the other. If gcrypt is available, we assume it's there to
-# be used, and use it in preference.
-opt = get_option('cryptolib')
-if opt == 'openssl' and conf.get('HAVE_OPENSSL') == 0
-        error('openssl requested as the default cryptolib, but not available')
-endif
-conf.set10('PREFER_OPENSSL',
-           opt == 'openssl' or (opt == 'auto' and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_GCRYPT') == 0))
-conf.set10('HAVE_OPENSSL_OR_GCRYPT',
-           conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
-lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error]
-
 dns_over_tls = get_option('dns-over-tls')
 have_openssl = conf.get('HAVE_OPENSSL') == 1
 if dns_over_tls == 'false'
@@ -1525,8 +1513,8 @@ have = get_option('repart').require(
 conf.set10('ENABLE_REPART', have)
 
 default_dnssec = get_option('default-dnssec')
-if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
-        message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
+if default_dnssec != 'no' and conf.get('HAVE_OPENSSL') == 0
+        message('default-dnssec cannot be set to yes or allow-downgrade when openssl is disabled. Setting default-dnssec to no.')
         default_dnssec = 'no'
 endif
 conf.set('DEFAULT_DNSSEC_MODE',
@@ -1557,7 +1545,7 @@ conf.set10('ENABLE_STORAGETM', get_option('storagetm'))
 
 have = get_option('importd').require(
         conf.get('HAVE_LIBCURL') == 1 and
-        conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and
+        conf.get('HAVE_OPENSSL') == 1 and
         conf.get('HAVE_ZLIB') == 1 and
         conf.get('HAVE_XZ') == 1,
         error_message : 'curl, openssl/grypt, zlib and xz required').allowed()
@@ -3125,14 +3113,6 @@ else
         found += 'static-libudev(@0@)'.format(static_libudev)
 endif
 
-if conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and conf.get('PREFER_OPENSSL') == 1
-        found += 'cryptolib(openssl)'
-elif conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1
-        found += 'cryptolib(gcrypt)'
-else
-        missing += 'cryptolib'
-endif
-
 summary({
         'enabled' :  ', '.join(found),
         'disabled' : ', '.join(missing)},
 
@@ -439,8 +439,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
        description : 'gnutls support')
 option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'openssl support')
-option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
-       description : 'whether to use openssl or gcrypt where both are supported')
+option('cryptolib', type : 'combo', choices : ['auto', 'openssl'],
+       description : 'This option is deprecated and will be removed in a future release')
 option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'p11kit support')
 option('libfido2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
 
@@ -105,39 +105,4 @@ int initialize_libgcrypt(bool secmem) {
 
         return 0;
 }
-
-#  if !PREFER_OPENSSL
-int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
-        _cleanup_(sym_gcry_md_closep) gcry_md_hd_t md = NULL;
-        gcry_error_t err;
-        size_t hash_size;
-        void *hash;
-        char *enc;
-        int r;
-
-        r = initialize_libgcrypt(false);
-        if (r < 0)
-                return r;
-
-        hash_size = sym_gcry_md_get_algo_dlen(md_algorithm);
-        assert(hash_size > 0);
-
-        err = sym_gcry_md_open(&md, md_algorithm, 0);
-        if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
-                return -EIO;
-
-        sym_gcry_md_write(md, s, len);
-
-        hash = sym_gcry_md_read(md, 0);
-        if (!hash)
-                return -EIO;
-
-        enc = hexmem(hash, hash_size);
-        if (!enc)
-                return -ENOMEM;
-
-        *out = enc;
-        return 0;
-}
-#  endif
 #endif
@@ -63,25 +63,3 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
                 (h__)->buf[(h__)->bufpos++] = (c) & 0xff;  \
         } while(false)
 #endif
-
-#if !PREFER_OPENSSL
-#  if HAVE_GCRYPT
-int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
-#  endif
-
-static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
-#  if HAVE_GCRYPT
-        return string_hashsum(s, len, GCRY_MD_SHA224, out);
-#  else
-        return -EOPNOTSUPP;
-#  endif
-}
-
-static inline int string_hashsum_sha256(const char *s, size_t len, char **out) {
-#  if HAVE_GCRYPT
-        return string_hashsum(s, len, GCRY_MD_SHA256, out);
-#  else
-        return -EOPNOTSUPP;
-#  endif
-}
-#endif
@@ -78,7 +78,7 @@ executables += [
                 'sources' : systemd_pull_sources,
                 'link_with' : common_libs,
                 'dependencies' : common_deps + [
-                        lib_openssl_or_gcrypt,
+                        libopenssl,
                 ],
         },
         libexec_template + {
 
@@ -7,7 +7,6 @@
 #include "alloc-util.h"
 #include "fd-util.h"
 #include "format-util.h"
-#include "gcrypt-util.h"
 #include "hexdecoct.h"
 #include "import-util.h"
 #include "io-util.h"
@@ -42,11 +41,7 @@ PullJob* pull_job_unref(PullJob *j) {
         import_compress_free(&j->compress);
 
         if (j->checksum_ctx)
-#if PREFER_OPENSSL
                 EVP_MD_CTX_free(j->checksum_ctx);
-#else
-                gcry_md_close(j->checksum_ctx);
-#endif
 
         free(j->url);
         free(j->etag);
@@ -107,11 +102,7 @@ static int pull_job_restart(PullJob *j, const char *new_url) {
         import_compress_free(&j->compress);
 
         if (j->checksum_ctx) {
-#if PREFER_OPENSSL
                 EVP_MD_CTX_free(j->checksum_ctx);
-#else
-                gcry_md_close(j->checksum_ctx);
-#endif
                 j->checksum_ctx = NULL;
         }
 
@@ -210,7 +201,6 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
 
         if (j->checksum_ctx) {
                 unsigned checksum_len;
-#if PREFER_OPENSSL
                 uint8_t k[EVP_MAX_MD_SIZE];
 
                 r = EVP_DigestFinal_ex(j->checksum_ctx, k, &checksum_len);
@@ -219,17 +209,6 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
                         goto finish;
                 }
                 assert(checksum_len <= sizeof k);
-#else
-                const uint8_t *k;
-
-                k = gcry_md_read(j->checksum_ctx, GCRY_MD_SHA256);
-                if (!k) {
-                        r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get checksum.");
-                        goto finish;
-                }
-
-                checksum_len = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
-#endif
 
                 j->checksum = hexmem(k, checksum_len);
                 if (!j->checksum) {
@@ -380,14 +359,10 @@ static int pull_job_write_compressed(PullJob *j, void *p, size_t sz) {
                                        "Content length incorrect.");
 
         if (j->checksum_ctx) {
-#if PREFER_OPENSSL
                 r = EVP_DigestUpdate(j->checksum_ctx, p, sz);
                 if (r == 0)
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                "Could not hash chunk.");
-#else
-                gcry_md_write(j->checksum_ctx, p, sz);
-#endif
         }
 
         r = import_uncompress(&j->compress, p, sz, pull_job_write_uncompressed, j);
@@ -421,7 +396,6 @@ static int pull_job_open_disk(PullJob *j) {
         }
 
         if (j->calc_checksum) {
-#if PREFER_OPENSSL
                 j->checksum_ctx = EVP_MD_CTX_new();
                 if (!j->checksum_ctx)
                         return log_oom();
@@ -430,15 +404,6 @@ static int pull_job_open_disk(PullJob *j) {
                 if (r == 0)
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                "Failed to initialize hash context.");
-#else
-                r = initialize_libgcrypt(false);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to load libgcrypt: %m");
-
-                if (gcry_md_open(&j->checksum_ctx, GCRY_MD_SHA256, 0) != 0)
-                        return log_error_errno(SYNTHETIC_ERRNO(EIO),
-                                               "Failed to initialize hash context.");
-#endif
         }
 
         return 0;