gcrypt: dlopenify for libsystemd

gcrypt is used only for journal sealing operations in libsystemd, so it
can be made into a dlopen dependency that is used only on demand. This
allows to reduce the footprint of libsystemd in the most common cases.

Keep systemd-pull and systemd-resolved with normal linking, as they are
executables, and usually built with OpenSSL support anyway.

meson.build

@@ -1319,6 +1319,9 @@ if not have
         # link to neither of the libs if one is not found
         libgcrypt = []
         libgpg_error = []
+        libgcrypt_cflags = []
+else
+        libgcrypt_cflags = libgcrypt.partial_dependency(includes: true, compile_args: true)
 endif
 conf.set10('HAVE_GCRYPT', have)
 
@@ -1951,8 +1954,7 @@ libsystemd = shared_library(
         include_directories : libsystemd_includes,
         link_args : ['-shared',
                      '-Wl,--version-script=' + libsystemd_sym_path],
-        link_with : [libbasic,
-                     libbasic_gcrypt],
+        link_with : [libbasic],
         link_whole : [libsystemd_static],
         dependencies : [librt,
                         threads,
@@ -1968,7 +1970,6 @@ install_libsystemd_static = static_library(
         'systemd',
         libsystemd_sources,
         basic_sources,
-        basic_gcrypt_sources,
         fundamental_sources,
         include_directories : libsystemd_includes,
         build_by_default : static_libsystemd != 'false',
@@ -1979,7 +1980,7 @@ install_libsystemd_static = static_library(
         dependencies : [libblkid,
                         libcap,
                         libdl,
-                        libgcrypt,
+                        libgcrypt_cflags,
                         liblz4_cflags,
                         libmount,
                         libopenssl,

src/basic/gcrypt-util.c

@@ -5,41 +5,123 @@
 #include "gcrypt-util.h"
 #include "hexdecoct.h"
 
-void initialize_libgcrypt(bool secmem) {
-        if (gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P))
-                return;
+static void *gcrypt_dl = NULL;
 
-        gcry_control(GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM);
-        assert_se(gcry_check_version("1.4.5"));
+static DLSYM_FUNCTION(gcry_control);
+static DLSYM_FUNCTION(gcry_check_version);
+DLSYM_FUNCTION(gcry_md_close);
+DLSYM_FUNCTION(gcry_md_copy);
+DLSYM_FUNCTION(gcry_md_ctl);
+DLSYM_FUNCTION(gcry_md_get_algo_dlen);
+DLSYM_FUNCTION(gcry_md_open);
+DLSYM_FUNCTION(gcry_md_read);
+DLSYM_FUNCTION(gcry_md_reset);
+DLSYM_FUNCTION(gcry_md_setkey);
+DLSYM_FUNCTION(gcry_md_write);
+DLSYM_FUNCTION(gcry_mpi_add);
+DLSYM_FUNCTION(gcry_mpi_add_ui);
+DLSYM_FUNCTION(gcry_mpi_cmp);
+DLSYM_FUNCTION(gcry_mpi_cmp_ui);
+DLSYM_FUNCTION(gcry_mpi_get_nbits);
+DLSYM_FUNCTION(gcry_mpi_invm);
+DLSYM_FUNCTION(gcry_mpi_mod);
+DLSYM_FUNCTION(gcry_mpi_mul);
+DLSYM_FUNCTION(gcry_mpi_mulm);
+DLSYM_FUNCTION(gcry_mpi_new);
+DLSYM_FUNCTION(gcry_mpi_powm);
+DLSYM_FUNCTION(gcry_mpi_print);
+DLSYM_FUNCTION(gcry_mpi_release);
+DLSYM_FUNCTION(gcry_mpi_scan);
+DLSYM_FUNCTION(gcry_mpi_set_ui);
+DLSYM_FUNCTION(gcry_mpi_sub);
+DLSYM_FUNCTION(gcry_mpi_subm);
+DLSYM_FUNCTION(gcry_mpi_sub_ui);
+DLSYM_FUNCTION(gcry_prime_check);
+DLSYM_FUNCTION(gcry_randomize);
+DLSYM_FUNCTION(gcry_strerror);
+
+static int dlopen_gcrypt(void) {
+        return dlopen_many_sym_or_warn(
+                        &gcrypt_dl,
+                        "libgcrypt.so.20", LOG_DEBUG,
+                        DLSYM_ARG(gcry_control),
+                        DLSYM_ARG(gcry_check_version),
+                        DLSYM_ARG(gcry_md_close),
+                        DLSYM_ARG(gcry_md_copy),
+                        DLSYM_ARG(gcry_md_ctl),
+                        DLSYM_ARG(gcry_md_get_algo_dlen),
+                        DLSYM_ARG(gcry_md_open),
+                        DLSYM_ARG(gcry_md_read),
+                        DLSYM_ARG(gcry_md_reset),
+                        DLSYM_ARG(gcry_md_setkey),
+                        DLSYM_ARG(gcry_md_write),
+                        DLSYM_ARG(gcry_mpi_add),
+                        DLSYM_ARG(gcry_mpi_add_ui),
+                        DLSYM_ARG(gcry_mpi_cmp),
+                        DLSYM_ARG(gcry_mpi_cmp_ui),
+                        DLSYM_ARG(gcry_mpi_get_nbits),
+                        DLSYM_ARG(gcry_mpi_invm),
+                        DLSYM_ARG(gcry_mpi_mod),
+                        DLSYM_ARG(gcry_mpi_mul),
+                        DLSYM_ARG(gcry_mpi_mulm),
+                        DLSYM_ARG(gcry_mpi_new),
+                        DLSYM_ARG(gcry_mpi_powm),
+                        DLSYM_ARG(gcry_mpi_print),
+                        DLSYM_ARG(gcry_mpi_release),
+                        DLSYM_ARG(gcry_mpi_scan),
+                        DLSYM_ARG(gcry_mpi_set_ui),
+                        DLSYM_ARG(gcry_mpi_sub),
+                        DLSYM_ARG(gcry_mpi_subm),
+                        DLSYM_ARG(gcry_mpi_sub_ui),
+                        DLSYM_ARG(gcry_prime_check),
+                        DLSYM_ARG(gcry_randomize),
+                        DLSYM_ARG(gcry_strerror));
+}
+
+int initialize_libgcrypt(bool secmem) {
+        int r;
+
+        r = dlopen_gcrypt();
+        if (r < 0)
+                return r;
+
+        if (sym_gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P))
+                return 0;
+
+        sym_gcry_control(GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM);
+        assert_se(sym_gcry_check_version("1.4.5"));
 
         /* Turn off "secmem". Clients which wish to make use of this
          * feature should initialize the library manually */
         if (!secmem)
-                gcry_control(GCRYCTL_DISABLE_SECMEM);
+                sym_gcry_control(GCRYCTL_DISABLE_SECMEM);
 
-        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+        sym_gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+        return 0;
 }
 
 #  if !PREFER_OPENSSL
 int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
-        _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
+        _cleanup_(gcry_md_close_wrapperp) gcry_md_hd_t md = NULL;
         gcry_error_t err;
         size_t hash_size;
         void *hash;
         char *enc;
 
-        initialize_libgcrypt(false);
+        if (initialize_libgcrypt(false) < 0)
+                return -EOPNOTSUPP;
 
-        hash_size = gcry_md_get_algo_dlen(md_algorithm);
+        hash_size = sym_gcry_md_get_algo_dlen(md_algorithm);
         assert(hash_size > 0);
 
-        err = gcry_md_open(&md, md_algorithm, 0);
+        err = sym_gcry_md_open(&md, md_algorithm, 0);
         if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
                 return -EIO;
 
-        gcry_md_write(md, s, len);
+        sym_gcry_md_write(md, s, len);
 
-        hash = gcry_md_read(md, 0);
+        hash = sym_gcry_md_read(md, 0);
         if (!hash)
                 return -EIO;
 

src/basic/gcrypt-util.h

@@ -9,11 +9,57 @@
 #if HAVE_GCRYPT
 #include <gcrypt.h>
 
+#include "dlfcn-util.h"
 #include "macro.h"
 
-void initialize_libgcrypt(bool secmem);
+DLSYM_PROTOTYPE(gcry_md_close);
+DLSYM_PROTOTYPE(gcry_md_copy);
+DLSYM_PROTOTYPE(gcry_md_ctl);
+DLSYM_PROTOTYPE(gcry_md_get_algo_dlen);
+DLSYM_PROTOTYPE(gcry_md_open);
+DLSYM_PROTOTYPE(gcry_md_read);
+DLSYM_PROTOTYPE(gcry_md_reset);
+DLSYM_PROTOTYPE(gcry_md_setkey);
+DLSYM_PROTOTYPE(gcry_md_write);
+DLSYM_PROTOTYPE(gcry_mpi_add);
+DLSYM_PROTOTYPE(gcry_mpi_add_ui);
+DLSYM_PROTOTYPE(gcry_mpi_cmp);
+DLSYM_PROTOTYPE(gcry_mpi_cmp_ui);
+DLSYM_PROTOTYPE(gcry_mpi_get_nbits);
+DLSYM_PROTOTYPE(gcry_mpi_invm);
+DLSYM_PROTOTYPE(gcry_mpi_mod);
+DLSYM_PROTOTYPE(gcry_mpi_mul);
+DLSYM_PROTOTYPE(gcry_mpi_mulm);
+DLSYM_PROTOTYPE(gcry_mpi_new);
+DLSYM_PROTOTYPE(gcry_mpi_powm);
+DLSYM_PROTOTYPE(gcry_mpi_print);
+DLSYM_PROTOTYPE(gcry_mpi_release);
+DLSYM_PROTOTYPE(gcry_mpi_scan);
+DLSYM_PROTOTYPE(gcry_mpi_set_ui);
+DLSYM_PROTOTYPE(gcry_mpi_sub);
+DLSYM_PROTOTYPE(gcry_mpi_subm);
+DLSYM_PROTOTYPE(gcry_mpi_sub_ui);
+DLSYM_PROTOTYPE(gcry_prime_check);
+DLSYM_PROTOTYPE(gcry_randomize);
+DLSYM_PROTOTYPE(gcry_strerror);
 
+int initialize_libgcrypt(bool secmem);
+
+/* Compiler refuses to allow using sym_gcry_md_close directly */
+static inline void gcry_md_close_wrapper(gcry_md_hd_t md) {
+        sym_gcry_md_close(md);
+}
+
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close_wrapper, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
+
+#define sym_gcry_md_putc(h,c)  \
+            do {                                          \
+                gcry_md_hd_t h__ = (h);                   \
+                if( (h__)->bufpos == (h__)->bufsize )     \
+                    sym_gcry_md_write( (h__), NULL, 0 );      \
+                (h__)->buf[(h__)->bufpos++] = (c) & 0xff; \
+            } while(0)
 #endif
 
 #if !PREFER_OPENSSL

src/basic/meson.build

@@ -35,6 +35,7 @@ basic_sources = files(
         'filesystems.c',
         'format-util.c',
         'fs-util.c',
+        'gcrypt-util.c',
         'glob-util.c',
         'glyph-util.c',
         'gunicode.c',
@@ -277,6 +278,7 @@ libbasic = static_library(
         include_directories : basic_includes,
         dependencies : [libcap,
                         libdl,
+                        libgcrypt_cflags,
                         liblz4_cflags,
                         libm,
                         librt,
@@ -286,20 +288,3 @@ libbasic = static_library(
                         userspace],
         c_args : ['-fvisibility=default'],
         build_by_default : false)
-
-############################################################
-
-basic_gcrypt_sources = files(
-        'gcrypt-util.c',
-)
-
-# A convenience library that is separate from libbasic to avoid
-# unnecessary linking to libgcrypt.
-libbasic_gcrypt = static_library(
-        'basic-gcrypt',
-        basic_gcrypt_sources,
-        include_directories : basic_includes,
-        dependencies : [libgcrypt,
-                        userspace],
-        c_args : ['-fvisibility=default'],
-        build_by_default : false)

src/import/pull-job.c

@@ -431,7 +431,9 @@ static int pull_job_open_disk(PullJob *j) {
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                "Failed to initialize hash context.");
 #else
-                initialize_libgcrypt(false);
+                r = initialize_libgcrypt(false);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to load libgcrypt: %m");
 
                 if (gcry_md_open(&j->checksum_ctx, GCRY_MD_SHA256, 0) != 0)
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),

src/journal/meson.build

@@ -47,7 +47,6 @@ if get_option('link-journalctl-shared')
         journalctl_link_with = [libshared]
 else
         journalctl_link_with = [
-                libbasic_gcrypt,
                 libshared_static,
                 libsystemd_static,
         ]