authorNorbert Lange <nolange79@gmail.com>2024-03-27 00:41:41 +0100
committerNorbert Lange <nolange79@gmail.com>2024-04-18 09:23:15 +0200
commit81d61d6aa7aa09e694cb06234360cc6dce409482 (patch)
treec357202fc16bfc8d329e1b64c1bb4fd4cfeafe1c /src/shared
parentresolved-dnstls: remove deprecated openssl functions (diff)
openssl-util: compatible with restricted openssl3
OpenSSL can be built without engine support or with deprecated definitions disabled. Such builds also do not pull in most headers automatically, so include rsa.h and ec.h explicitly. Remove the ENGINE definitions from the header, since they are needed in only one source file. Make ENGINE support conditional on the corresponding macros.
Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/openssl-util.c14
-rw-r--r--src/shared/openssl-util.h5
-rw-r--r--src/shared/tpm2-util.c4
3 files changed, 19 insertions, 4 deletions
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 63c443cbfd..dbb6537246 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -11,6 +11,16 @@
#include "string-util.h"
#if HAVE_OPENSSL
+# include <openssl/rsa.h>
+# include <openssl/ec.h>
+
+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+# include <openssl/engine.h>
+DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ENGINE*, ENGINE_free, NULL);
+REENABLE_WARNING;
+# endif
+
/* For each error in the OpenSSL thread error queue, log the provided message and the OpenSSL error
* string. If there are no errors in the OpenSSL thread queue, this logs the message with "No OpenSSL
* errors." This logs at level debug. Returns -EIO (or -ENOMEM). */
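Review bot: The guard `!defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)` is written out here and again inside load_key_from_engine() in the next hunk, so the two copies can drift apart. A mismatch would only show up as a build failure on the restricted OpenSSL configuration, which is probably the least-tested one. Consider deriving one file-local macro from the condition right after the includes, e.g. `# define OPENSSL_ENGINE_AVAILABLE 1` (the name is only a suggestion), and testing that in both places. A one-line comment above the `# if`, such as `/* ENGINE is optional and deprecated in OpenSSL 3; only use it when the headers still declare it. */`, would document why the block is conditional.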
@@ -1344,6 +1354,7 @@ static int load_key_from_engine(const char *engine, const char *private_key_uri,
assert(private_key_uri);
assert(ret);
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
DISABLE_WARNING_DEPRECATED_DECLARATIONS;
_cleanup_(ENGINE_freep) ENGINE *e = ENGINE_by_id(engine);
if (!e)
@@ -1364,6 +1375,9 @@ static int load_key_from_engine(const char *engine, const char *private_key_uri,
*ret = TAKE_PTR(private_key);
return 0;
+#else
+ return -EOPNOTSUPP;
+#endif
}
int openssl_load_key_from_token(
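Review bot: The new `#else` branch returns a bare `-EOPNOTSUPP` with no log message, so an engine-backed private key configured on a build without ENGINE support is rejected with no hint as to why. Failing closed is the right behaviour here, but the reason should be visible, e.g. `return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL was built without ENGINE support, cannot load key from engine '%s'.", engine);`. In that branch `engine` and `private_key_uri` are otherwise referenced only by the asserts above, so using `engine` in the message also keeps the parameter used. The function begins above the hunk and its engine failure paths are not visible here, so the log level should match whatever those paths use.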
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index e5ecbad86d..1a89fcc2bd 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -21,7 +21,6 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s
# include <openssl/bio.h>
# include <openssl/bn.h>
# include <openssl/crypto.h>
-# include <openssl/engine.h>
# include <openssl/err.h>
# include <openssl/evp.h>
# include <openssl/opensslv.h>
@@ -54,9 +53,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ENGINE*, ENGINE_free, NULL);
-REENABLE_WARNING;
+
#if OPENSSL_VERSION_MAJOR >= 3
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER*, EVP_CIPHER_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF*, EVP_KDF_free, NULL);
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 42975cdb97..c9ab15d409 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -36,6 +36,10 @@
#include "tpm2-util.h"
#include "virt.h"
+#if HAVE_OPENSSL
+# include <openssl/hmac.h>
+#endif
+
#if HAVE_TPM2
static void *libtss2_esys_dl = NULL;
static void *libtss2_rc_dl = NULL;