sd-id128: make sure sd_id128_get_machine_app_specific() logic also works without...

So, as it turns out AF_ALG is turned off in a lot of kernels/container
environments, including our CI. Hence, if we link against OpenSSL
anyway, let's just use that client side. It's also faster.

One of those days we should drop the khash code, and ust use OpenSSL,
once the licensing issues are resolved.

diff --git a/meson.build b/meson.build
index 738879eb21bee262400ab1edf18844dda2a6cf63..e4d8f29ec64c5562f8f02831a01df65f95773374 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -1707,7 +1707,8 @@ install_libsystemd_static = static_library(
                         libcap,
                         libblkid,
                         libmount,
-                        libgcrypt],
+                        libgcrypt,
+                        libopenssl],
         c_args : libsystemd_c_args + (static_libsystemd_pic ? [] : ['-fno-PIC']))
 
 libudev = shared_library(

diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build
index 489ed12a73465cc40c287f9cac5eb604223bd09b..154d9acd2a295f3043819980ffd8d68cd25ce3dc 100644 (file)
--- a/src/libsystemd/meson.build
+++ b/src/libsystemd/meson.build
@@ -166,7 +166,8 @@ libsystemd_static = static_library(
         include_directories : libsystemd_includes,
         link_with : libbasic,
         dependencies : [threads,
-                        librt],
+                        librt,
+                        libopenssl],
         c_args : libsystemd_c_args)
 
 libsystemd_sym = files('libsystemd.sym')

diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c
index d5de935c77f066b3ec3c8480bb958d869048bfac..28ae10a19867f82100fbdbc87cfc114d1a23dd5a 100644 (file)
--- a/src/libsystemd/sd-id128/sd-id128.c
+++ b/src/libsystemd/sd-id128/sd-id128.c
@@ -4,6 +4,11 @@
 #include <fcntl.h>
 #include <unistd.h>
 
+#if HAVE_OPENSSL
+#include <openssl/hmac.h>
+#include <openssl/sha.h>
+#endif
+
 #include "sd-id128.h"
 
 #include "alloc-util.h"
@@ -11,7 +16,9 @@
 #include "hexdecoct.h"
 #include "id128-util.h"
 #include "io-util.h"
+#if !HAVE_OPENSSL
 #include "khash.h"
+#endif
 #include "macro.h"
 #include "missing_syscall.h"
 #include "random-util.h"
@@ -271,13 +278,28 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) {
 }
 
 static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret) {
-        _cleanup_(khash_unrefp) khash *h = NULL;
         sd_id128_t result;
-        const void *p;
-        int r;
 
         assert(ret);
 
+#if HAVE_OPENSSL
+        /* We prefer doing this in-process, since we this means we are not dependent on kernel configuration,
+         * and this also works in locked down container environments. But some distros don't like OpenSSL's
+         * license and its (in-) compatibility with GPL2, hence also support khash */
+        uint8_t md[256/8];
+        if (!HMAC(EVP_sha256(),
+                  &base, sizeof(base),
+                  (const unsigned char*) &app_id, sizeof(app_id),
+                  md, NULL))
+                return -ENOTRECOVERABLE;
+
+        /* Take only the first half. */
+        memcpy(&result, md, MIN(sizeof(md), sizeof(result)));
+#else
+        _cleanup_(khash_unrefp) khash *h = NULL;
+        const void *p;
+        int r;
+
         r = khash_new_with_key(&h, "hmac(sha256)", &base, sizeof(base));
         if (r < 0)
                 return r;
@@ -292,6 +314,7 @@ static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret)
 
         /* We chop off the trailing 16 bytes */
         memcpy(&result, p, MIN(khash_get_size(h), sizeof(result)));
+#endif
 
         *ret = id128_make_v4_uuid(result);
         return 0;