[libcamera-devel] meson: enable IPA signing only if both libcrypto and openssl are present

Message ID 20231225171824.3776-1-sn03.general@gmail.com
State Rejected
Series
  • [libcamera-devel] meson: enable IPA signing only if both libcrypto and openssl are present

Commit Message

Subhaditya Nath Dec. 25, 2023, 5:18 p.m. UTC
Before this commit, if the build host had openssl installed, but had
neither openssl-dev nor gnutls-dev installed, then the IPA modules would
be signed and ipa_pub_key.cpp would contain the pubkey, but the function
PubKey::PubKey() would've been left empty, thereby leaving valid_ set to
false and rendering the pubkey unusable for verification purposes.

This commit checks for the availability of both the openssl executable
and either of the gnutls and libcrypto libraries before enabling signing
of the IPA modules. Either both HAVE_IPA_PUBKEY and HAVE_(CRYPTO|GNUTLS)
are defined, or neither is defined. This mitigates situations like the
one mentioned above.

This commit leverages the multi-name dependency feature introduced in
meson 0.60.0 to select between gnutls and libcrypto. The behaviour is
unchanged – gnutls is used if found, else libcrypto is used (if found).

Signed-off-by: Subhaditya Nath <sn03.general@gmail.com>
---
 src/libcamera/meson.build | 19 -------------------
 src/meson.build           | 26 ++++++++++++++++++++------
 2 files changed, 20 insertions(+), 25 deletions(-)

Comments

Laurent Pinchart Dec. 25, 2023, 9:26 p.m. UTC | #1
Hi Subhaditya,

Thank you for the patch.

On Mon, Dec 25, 2023 at 10:48:24PM +0530, Subhaditya Nath via libcamera-devel wrote:
> Before this commit, if the build host had openssl installed, but had
> neither openssl-dev nor gnutls-dev installed, then the IPA modules would
> be signed and ipa_pub_key.cpp would contain the pubkey, but the function
> PubKey::PubKey() would've been left empty, thereby leaving valid_ set to
> false and rendering the pubkey unusable for verification purposes.
> 
> This commit checks for the availability of both the openssl executable
> and either of the gnutls and libcrypto libraries before enabling signing
> of the IPA modules. Either both HAVE_IPA_PUBKEY and HAVE_(CRYPTO|GNUTLS)
> are defined, or neither is defined. This mitigates situations like the
> one mentioned above.

What problem does this fix ? If the signature is present but can't be
verified, won't libcamera just isolate IPA modules at runtime ? Is
something currently broken ?

> This commit leverages the multi-name dependency feature introduced in
> meson 0.60.0 to select between gnutls and libcrypto. The behaviour is
> unchanged – gnutls is used if found, else libcrypto is used (if found).
> 
> Signed-off-by: Subhaditya Nath <sn03.general@gmail.com>
> ---
>  src/libcamera/meson.build | 19 -------------------
>  src/meson.build           | 26 ++++++++++++++++++++------
>  2 files changed, 20 insertions(+), 25 deletions(-)
> 
> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
> index 45f63e93..9d17c9f1 100644
> --- a/src/libcamera/meson.build
> +++ b/src/libcamera/meson.build
> @@ -80,25 +80,6 @@ endif
>  libudev = dependency('libudev', required : get_option('udev'))
>  libyaml = dependency('yaml-0.1', required : false)
>  
> -# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
> -libcrypto = dependency('gnutls', required : false)
> -if libcrypto.found()
> -    config_h.set('HAVE_GNUTLS', 1)
> -else
> -    libcrypto = dependency('libcrypto', required : false)
> -    if libcrypto.found()
> -        config_h.set('HAVE_CRYPTO', 1)
> -    endif
> -endif
> -
> -if not libcrypto.found()
> -    warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
> -    summary({'IPA modules signed with': 'None (modules will run isolated)'},
> -            section : 'Configuration')
> -else
> -    summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')
> -endif
> -
>  if liblttng.found()
>      tracing_enabled = true
>      config_h.set('HAVE_TRACING', 1)
> diff --git a/src/meson.build b/src/meson.build
> index 165a77bb..208cd760 100644
> --- a/src/meson.build
> +++ b/src/meson.build
> @@ -15,16 +15,30 @@ summary({
>           }, section : 'Paths')
>  
>  # Module Signing
> +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
> +libcrypto = dependency('gnutls', 'libcrypto', required : false)
>  openssl = find_program('openssl', required : false)
> -if openssl.found()
> +if not libcrypto.found()
> +    ipa_sign_module = false
> +    warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
> +    summary({'IPA modules signed with': 'None (modules will run isolated)'},
> +            section : 'Configuration')
> +elif not openssl.found()
> +    ipa_sign_module = false
> +    warning('openssl not found, all IPA modules will be isolated')
> +    ipa_sign_module = false
> +else
> +    ipa_sign_module = true
> +    config_h.set('HAVE_IPA_PUBKEY', 1)
> +    if libcrypto.name() == 'gnutls'
> +        config_h.set('HAVE_GNUTLS', 1)
> +    else
> +        config_h.set('HAVE_CRYPTO', 1)
> +    endif
> +    summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')
>      ipa_priv_key = custom_target('ipa-priv-key',
>                                   output : ['ipa-priv-key.pem'],
>                                   command : [gen_ipa_priv_key, '@OUTPUT@'])
> -    config_h.set('HAVE_IPA_PUBKEY', 1)
> -    ipa_sign_module = true
> -else
> -    warning('openssl not found, all IPA modules will be isolated')
> -    ipa_sign_module = false
>  endif
>  
>  # libcamera must be built first as a dependency to the other components.

Patch

diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
index 45f63e93..9d17c9f1 100644
--- a/src/libcamera/meson.build
+++ b/src/libcamera/meson.build
@@ -80,25 +80,6 @@  endif
 libudev = dependency('libudev', required : get_option('udev'))
 libyaml = dependency('yaml-0.1', required : false)
 
-# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
-libcrypto = dependency('gnutls', required : false)
-if libcrypto.found()
-    config_h.set('HAVE_GNUTLS', 1)
-else
-    libcrypto = dependency('libcrypto', required : false)
-    if libcrypto.found()
-        config_h.set('HAVE_CRYPTO', 1)
-    endif
-endif
-
-if not libcrypto.found()
-    warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
-    summary({'IPA modules signed with': 'None (modules will run isolated)'},
-            section : 'Configuration')
-else
-    summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')
-endif
-
 if liblttng.found()
     tracing_enabled = true
     config_h.set('HAVE_TRACING', 1)
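Review bot: after this removal nothing in src/libcamera/meson.build defines `libcrypto` any more; the file now relies on the variable being set in the parent src/meson.build, which Meson evaluates before descending into this directory. A one-line comment where the detection block used to be, pointing at src/meson.build as the new home of the gnutls/libcrypto lookup, would spare the next reader a search if `libcrypto` is still referenced further down in this file. Note also that the two summary() calls reporting the chosen library leave this file with the block, so the 'Configuration' summary entry for IPA signing is now produced only by the parent; that is fine as long as the parent prints it in every branch.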
diff --git a/src/meson.build b/src/meson.build
index 165a77bb..208cd760 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -15,16 +15,30 @@  summary({
          }, section : 'Paths')
 
 # Module Signing
+# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
+libcrypto = dependency('gnutls', 'libcrypto', required : false)
 openssl = find_program('openssl', required : false)
-if openssl.found()
+if not libcrypto.found()
+    ipa_sign_module = false
+    warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
+    summary({'IPA modules signed with': 'None (modules will run isolated)'},
+            section : 'Configuration')
+elif not openssl.found()
+    ipa_sign_module = false
+    warning('openssl not found, all IPA modules will be isolated')
+    ipa_sign_module = false
+else
+    ipa_sign_module = true
+    config_h.set('HAVE_IPA_PUBKEY', 1)
+    if libcrypto.name() == 'gnutls'
+        config_h.set('HAVE_GNUTLS', 1)
+    else
+        config_h.set('HAVE_CRYPTO', 1)
+    endif
+    summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')
     ipa_priv_key = custom_target('ipa-priv-key',
                                  output : ['ipa-priv-key.pem'],
                                  command : [gen_ipa_priv_key, '@OUTPUT@'])
-    config_h.set('HAVE_IPA_PUBKEY', 1)
-    ipa_sign_module = true
-else
-    warning('openssl not found, all IPA modules will be isolated')
-    ipa_sign_module = false
 endif
 
 # libcamera must be built first as a dependency to the other components.
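Review bot: the `elif not openssl.found()` branch assigns `ipa_sign_module = false` twice, once before the warning() and once after it; drop one of them. The same branch is also the only one of the three that does not call summary(): when gnutls or libcrypto is found but the openssl executable is not, the 'Configuration' summary says nothing about IPA module signing, whereas the `not libcrypto.found()` branch prints `'IPA modules signed with': 'None (modules will run isolated)'`. Adding the same summary() call there keeps the configure output consistent across all three outcomes. Finally, `dependency('gnutls', 'libcrypto', required : false)` needs Meson 0.60.0 according to the commit message, so the project's declared minimum meson_version must be at least that for this hunk to configure on older hosts; otherwise the previous two-step lookup should stay.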