From: Daniel P. Berrangé Date: Tue, 1 Jul 2025 16:45:26 +0000 (+0100) Subject: meson: default to system crypto policies where available X-Git-Tag: CVE-2025-12748~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15833693e6bf0a5a97806d793832352f44f2b0ba;p=thirdparty%2Flibvirt.git meson: default to system crypto policies where available In RHEL and Fedora, the built-in GNUTLS default priority is changed from "NORMAL" to "@SYSTEM", but because libvirt sets an explicit policy with gnutls we don't honour that. Instead we force "NORMAL" unless the 'tls_priority' meson option is changed. In RPM builds, meanwhile, we ask for "@LIBVIRT,SYSTEM" to make it look for a libvirt specific profile first, falling back to "@SYSTEM" This changes the meson option to default to "@LIBVIRT,SYSTEM" if the crypto-policies config is present on the local machine and the meson option -Dsystem=true is given. This gives developers more appropriate default behaviour, matching that seen in package builds. Reviewed-by: Michal Privoznik Signed-off-by: Daniel P. Berrangé
---
diff --git a/meson.build b/meson.build
index d68b37d0ba..c1871de64c 100644
--- a/meson.build
+++ b/meson.build
@@ -2035,7 +2035,18 @@ elif get_option('userfaultfd_sysctl').enabled()
 error('userfaultfd_sysctl option requires sysctl_config to be enabled')
 endif
-conf.set_quoted('TLS_PRIORITY', get_option('tls_priority'))
+prio = get_option('tls_priority')
+if prio == 'auto'
+ # If local OS has 'crypto-policies' then default to that
+ policy = '/etc/crypto-policies/config'
+ if get_option('system') and \
+ run_command('test', '-f', policy, check: false).returncode() == 0
+ prio = '@LIBVIRT,SYSTEM'
+ else
+ prio = 'NORMAL'
+ endif
+endif
+conf.set_quoted('TLS_PRIORITY', prio)
 # test options
diff --git a/meson_options.txt b/meson_options.txt
index 3dc3e8667b..8b6b26dfc6 100644
--- a/meson_options.txt
+++ b/meson_options.txt
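Review bot: The probe `run_command('test', '-f', policy, check: false)` inspects the filesystem of the build host at configure time, so under cross-compilation or in a minimal build container the baked-in TLS_PRIORITY default describes the wrong machine: a host without crypto-policies silently yields 'NORMAL' for a target that has them, and the reverse hands gnutls a '@LIBVIRT,SYSTEM' string whose profiles may not exist at runtime. Consider guarding the probe with `not meson.is_cross_build()` and printing the resolved `prio` in the configure summary so the choice is visible to the developer. The external `test` binary can also be avoided with meson's own `import('fs').is_file(policy)` (available since meson 0.53; libvirt's minimum meson version is not shown here). The comment `# If local OS has 'crypto-policies' then default to that` understates what is chosen; `# Build host ships crypto-policies: try a libvirt-specific profile, then the system-wide policy` matches the '@LIBVIRT,SYSTEM' string below it.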
@@ -134,4 +134,4 @@ option('ssh_proxy', type: 'feature', value: 'auto', description: 'Build ssh-prox
 option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether to install sysctl configs') # dep:sysctl_config
 option('userfaultfd_sysctl', type: 'feature', value: 'auto', description: 'Whether to install sysctl config for enabling unprivileged userfaultfd')
-option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the default TLS session priority string')
+option('tls_priority', type: 'string', value: 'auto', description: 'set the default TLS session priority string')
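Review bot: The new default 'auto' is not explained by the option's description, which still reads `'set the default TLS session priority string'`, so a developer inspecting the configured options sees a value that is not itself a valid gnutls priority string and gets no hint of how it is resolved. Extend it to `description: 'default TLS session priority string; auto = "@LIBVIRT,SYSTEM" when -Dsystem=true and /etc/crypto-policies/config exists on the build host, else "NORMAL"'`. The resolution logic itself lives in meson.build, outside this hunk.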