Message ID | 20231225171824.3776-1-sn03.general@gmail.com |
---|---|
State | Rejected |
Hi Subhaditya,

Thank you for the patch.

On Mon, Dec 25, 2023 at 10:48:24PM +0530, Subhaditya Nath via libcamera-devel wrote:
> Before this commit, if the build host had openssl installed, but had
> neither openssl-dev nor gnutls-dev installed, then the IPA modules would
> be signed and ipa_pub_key.cpp would contain the pubkey, but the function
> PubKey::PubKey() would've been left empty, thereby valid_ being set to
> false, rendering the pubkey unusable for verification purposes.
>
> This commit checks for the availability of both the openssl executable
> and either of the gnutls and libcrypto libraries before enabling signing
> of the IPA modules. Either both HAVE_IPA_PUBKEY and HAVE_(CRYPTO|GNUTLS)
> are defined, or neither is defined. This mitigates situations like the
> one mentioned above.

What problem does this fix ? If the signature is present but can't be verified, won't libcamera just isolate IPA modules at runtime ? Is something currently broken ?

> This commit leverages the multi-name dependency feature introduced in
> meson 0.60.0 to select between gnutls and libcrypto. The behaviour is
> unchanged – gnutls is used if found, else libcrypto is used (if found).
>
> Signed-off-by: Subhaditya Nath <sn03.general@gmail.com>
> ---
>  src/libcamera/meson.build | 19 -------------------
>  src/meson.build           | 26 ++++++++++++++++++++------
>  2 files changed, 20 insertions(+), 25 deletions(-)
>
> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
> index 45f63e93..9d17c9f1 100644
> --- a/src/libcamera/meson.build
> +++ b/src/libcamera/meson.build
> @@ -80,25 +80,6 @@ endif > libudev = dependency('libudev', required : get_option('udev')) > libyaml = dependency('yaml-0.1', required : false) > > -# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > -libcrypto = dependency('gnutls', required : false) > -if libcrypto.found() > - config_h.set('HAVE_GNUTLS', 1) > -else > - libcrypto = dependency('libcrypto', required : false) > - if libcrypto.found() > - config_h.set('HAVE_CRYPTO', 1) > - endif > -endif > - > -if not libcrypto.found() > - warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > - summary({'IPA modules signed with': 'None (modules will run isolated)'}, > - section : 'Configuration') > -else > - summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration') > -endif > - > if liblttng.found() > tracing_enabled = true > config_h.set('HAVE_TRACING', 1) > diff --git a/src/meson.build b/src/meson.build > index 165a77bb..208cd760 100644 > --- a/src/meson.build > +++ b/src/meson.build 
> @@ -15,16 +15,30 @@ summary({ > }, section : 'Paths') > > # Module Signing > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > +libcrypto = dependency('gnutls', 'libcrypto', required : false) > openssl = find_program('openssl', required : false) > -if openssl.found() > +if not libcrypto.found() > + ipa_sign_module = false > + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > + summary({'IPA modules signed with': 'None (modules will run isolated)'}, > + section : 'Configuration') > +elif not openssl.found() > + ipa_sign_module = false > + warning('openssl not found, all IPA modules will be isolated') > + ipa_sign_module = false > +else > + ipa_sign_module = true > + config_h.set('HAVE_IPA_PUBKEY', 1) > + if libcrypto.name() == 'gnutls' > + config_h.set('HAVE_GNUTLS', 1) > + else > + config_h.set('HAVE_CRYPTO', 1) > + endif > + summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration') > ipa_priv_key = custom_target('ipa-priv-key', > output : ['ipa-priv-key.pem'], > command : [gen_ipa_priv_key, '@OUTPUT@']) > - config_h.set('HAVE_IPA_PUBKEY', 1) > - ipa_sign_module = true > -else > - warning('openssl not found, all IPA modules will be isolated') > - ipa_sign_module = false > endif > > # libcamera must be built first as a dependency to the other components.
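Review bot: in the src/libcamera/meson.build hunk, the removed block was the only assignment of `libcrypto` in that file, so anything in it that still consumes the variable now relies on src/meson.build having defined it before descending into this directory; the "# libcamera must be built first as a dependency to the other components." context in the src/meson.build hunk suggests that ordering holds, but the commit message should state it. A behavioural change also deserves a sentence there: with the HAVE_GNUTLS/HAVE_CRYPTO defines now set only behind the `openssl.found()` check, a host that has gnutls or libcrypto but no `openssl` binary ends up with `libcrypto.found()` true (so the library is still linked wherever the variable is used) while neither define is set, whereas before this patch the define followed library availability alone.

Review bot: in the src/meson.build hunk, the `elif not openssl.found()` branch assigns `ipa_sign_module = false` twice, once before and once after the `warning()`; drop the second. The same branch emits no `summary()` entry, so when the library is present but the openssl binary is not, the "IPA modules signed with" line simply disappears from the configuration summary instead of reading "None (modules will run isolated)" as it does in the `if not libcrypto.found()` branch. Both issues go away if the two failure branches are folded into one: compute `ipa_sign_module = libcrypto.found() and openssl.found()`, then a single `if not ipa_sign_module` that warns about whichever component is missing and prints the "None" summary, and an `else` that sets HAVE_IPA_PUBKEY plus the HAVE_GNUTLS or HAVE_CRYPTO define, prints the summary line and declares the ipa_priv_key target. Separately, `dependency('gnutls', 'libcrypto', required : false)` needs Meson 0.60.0 as the commit message says; please check that the project's `meson_version` requirement in the top-level meson.build is at least that, otherwise the call fails on older Meson.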
diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index 45f63e93..9d17c9f1 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -80,25 +80,6 @@ endif libudev = dependency('libudev', required : get_option('udev')) libyaml = dependency('yaml-0.1', required : false) -# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. -libcrypto = dependency('gnutls', required : false) -if libcrypto.found() - config_h.set('HAVE_GNUTLS', 1) -else - libcrypto = dependency('libcrypto', required : false) - if libcrypto.found() - config_h.set('HAVE_CRYPTO', 1) - endif -endif - -if not libcrypto.found() - warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') - summary({'IPA modules signed with': 'None (modules will run isolated)'}, - section : 'Configuration') -else - summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration') -endif - if liblttng.found() tracing_enabled = true config_h.set('HAVE_TRACING', 1) diff --git a/src/meson.build b/src/meson.build index 165a77bb..208cd760 100644 --- a/src/meson.build +++ b/src/meson.build 
@@ -15,16 +15,30 @@ summary({ }, section : 'Paths') # Module Signing +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. +libcrypto = dependency('gnutls', 'libcrypto', required : false) openssl = find_program('openssl', required : false) -if openssl.found() +if not libcrypto.found() + ipa_sign_module = false + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') + summary({'IPA modules signed with': 'None (modules will run isolated)'}, + section : 'Configuration') +elif not openssl.found() + ipa_sign_module = false + warning('openssl not found, all IPA modules will be isolated') + ipa_sign_module = false +else + ipa_sign_module = true + config_h.set('HAVE_IPA_PUBKEY', 1) + if libcrypto.name() == 'gnutls' + config_h.set('HAVE_GNUTLS', 1) + else + config_h.set('HAVE_CRYPTO', 1) + endif + summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration') ipa_priv_key = custom_target('ipa-priv-key', output : ['ipa-priv-key.pem'], command : [gen_ipa_priv_key, '@OUTPUT@']) - config_h.set('HAVE_IPA_PUBKEY', 1) - ipa_sign_module = true -else - warning('openssl not found, all IPA modules will be isolated') - ipa_sign_module = false endif # libcamera must be built first as a dependency to the other components.
Before this commit, if the build host had openssl installed, but had neither openssl-dev nor gnutls-dev installed, then the IPA modules would be signed and ipa_pub_key.cpp would contain the pubkey, but the function PubKey::PubKey() would've been left empty, thereby valid_ being set to false, rendering the pubkey unusable for verification purposes.

This commit checks for the availability of both the openssl executable and either of the gnutls and libcrypto libraries before enabling signing of the IPA modules. Either both HAVE_IPA_PUBKEY and HAVE_(CRYPTO|GNUTLS) are defined, or neither is defined. This mitigates situations like the one mentioned above.

This commit leverages the multi-name dependency feature introduced in meson 0.60.0 to select between gnutls and libcrypto. The behaviour is unchanged – gnutls is used if found, else libcrypto is used (if found).

Signed-off-by: Subhaditya Nath <sn03.general@gmail.com>
---
 src/libcamera/meson.build | 19 -------------------
 src/meson.build           | 26 ++++++++++++++++++++------
 2 files changed, 20 insertions(+), 25 deletions(-)