From: Yu Watanabe Date: Thu, 3 Jul 2025 01:26:41 +0000 (+0900) Subject: openssl-util: allow to build with openssl without UI support X-Git-Tag: v258-rc1~188^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1d16c624d029de4cace33b7c5dc59983b9739dc;p=thirdparty%2Fsystemd.git openssl-util: allow to build with openssl without UI support When OpenSSL is built without UI support, OPENSSL_NO_UI_CONSOLE is defined. Or, even openssl is built with UI support, people may want to build systemd without using OpenSSL's UI feature by specifying -Dc_args='-DOPENSSL_NO_UI_CONSOLE=1'. This adds support for such cases. Not tested, but hopefully, now systemd can be built with other ssl library, like BoringSSL, which deos not support UIs. Closes #38024.
---
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 57b638596aa..4b5c495df65 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -24,7 +24,9 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ENGINE*, ENGINE_free, NULL);
 REENABLE_WARNING;
 # endif
+#ifndef OPENSSL_NO_UI_CONSOLE
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(UI_METHOD*, UI_destroy_method, NULL);
+#endif
 /* For each error in the OpenSSL thread error queue, log the provided message and the OpenSSL error
 * string. If there are no errors in the OpenSSL thread queue, this logs the message with "No OpenSSL
@@ -1467,6 +1469,7 @@ static int load_key_from_engine(const char *engine, const char *private_key_uri,
 #endif
 }
+#ifndef OPENSSL_NO_UI_CONSOLE
 static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
 int r;
@@ -1502,6 +1505,7 @@ static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
 }
 }
+#endif
 static int openssl_load_private_key_from_file(const char *path, EVP_PKEY **ret) {
 _cleanup_(erase_and_freep) char *rawkey = NULL;
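Review bot: The `#ifndef OPENSSL_NO_UI_CONSOLE` opened before `openssl_ask_password_ui_read()` compiles out the whole reader, although the only console dependency visible here is the fallback `return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);` in the following hunk. As far as I know, an OpenSSL configured without the console UI still ships the UI_METHOD API, so on such builds the systemd-ask-password prompt is dropped even though it could probably keep working. If using the macro to mean "no UI API at all" is intended (the message mentions BoringSSL), say so at the guard, e.g. `/* OPENSSL_NO_UI_CONSOLE is used here to mean that no OpenSSL UI API is available at all */`. The matching `#endif` is roughly 35 lines further down and would read better as `#endif /* !OPENSSL_NO_UI_CONSOLE */`. The function body between the two hunks is not visible.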
@@ -1539,6 +1543,7 @@ static int openssl_load_private_key_from_file(const char *path, EVP_PKEY **ret)
 static int openssl_ask_password_ui_new(const AskPasswordRequest *request, OpenSSLAskPasswordUI **ret) {
 assert(ret);
+#ifndef OPENSSL_NO_UI_CONSOLE
 _cleanup_(UI_destroy_methodp) UI_METHOD *method = UI_create_method("systemd-ask-password");
 if (!method) return log_openssl_errors("Failed to initialize openssl user interface");
@@ -1562,6 +1567,9 @@ static int openssl_ask_password_ui_new(const AskPasswordRequest *request, OpenSS
 *ret = TAKE_PTR(ui);
 return 0;
+#else
+ return -EOPNOTSUPP;
+#endif
 }
 static int load_x509_certificate_from_file(const char *path, X509 **ret) {
@@ -1640,7 +1648,7 @@ static int load_x509_certificate_from_provider(const char *provider, const char
 #endif
 OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
-#if HAVE_OPENSSL
+#if HAVE_OPENSSL && !defined(OPENSSL_NO_UI_CONSOLE)
 if (!ui) return NULL;
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index 6bcb16af312..f6c697672b3 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -38,7 +38,9 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s
 # include /* IWYU pragma: export */
 # include /* IWYU pragma: export */
 # include /* IWYU pragma: export */
-# include /* IWYU pragma: export */
+# ifndef OPENSSL_NO_UI_CONSOLE
+# include /* IWYU pragma: export */
+# endif
 # include /* IWYU pragma: export */
 # ifndef OPENSSL_VERSION_MAJOR
 /* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist, we must be before OpenSSL 3. */
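Review bot: The new `#else` branch of `openssl_ask_password_ui_new()` returns `-EOPNOTSUPP` without logging, whereas the failure path kept inside the `#ifndef` branch reports through `log_openssl_errors()`. Someone whose key presumably needs a password prompt then sees only whatever the caller prints for that errno, and the callers are outside this diff. Consider `return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL UI support is not available, cannot ask for a password.");` so the reason is recorded at the point where it is known. `request` is also unused in that branch, which may produce a warning depending on the compiler flags in use.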
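Review bot: The `# ifndef OPENSSL_NO_UI_CONSOLE` check in openssl-util.h only sees the macro if one of the OpenSSL headers included above it has already pulled in OpenSSL's configuration defines, and nothing in the hunk states that ordering requirement. A comment such as `/* OPENSSL_NO_UI_CONSOLE is provided by the OpenSSL headers above (or by c_args); keep this check after them */` would protect it against include reordering. The header names are lost in this rendering, so I am assuming the include made conditional is the UI header. With it conditional, any use of `UI`, `UI_METHOD` or `UI_STRING` left unguarded elsewhere (not visible in this diff) stops compiling, and the commit message says the change was not tested; a CI build with `-Dc_args='-DOPENSSL_NO_UI_CONSOLE=1'` would catch that and keep the configuration from regressing.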