bpftool: Use libcrypto feature test to optionally support signing

New libcrypto test verifies presence of openssl3 needed for BPF
signing; use that feature to conditionally compile signing-related
code so bpftool build will not break in the absence of libcrypto v3.

Fixes: 40863f4 ("bpftool: Add support for signing BPF programs")
Suggested-by: Quentin Monnet <[email protected]>
Signed-off-by: Alan Maguire <[email protected]>

Author: alan-maguire

tools/bpf/bpftool/Makefile

@@ -101,6 +101,7 @@ FEATURE_TESTS := clang-bpf-co-re
 FEATURE_TESTS += llvm
 FEATURE_TESTS += libcap
 FEATURE_TESTS += libbfd
+FEATURE_TESTS += libcrypto
 FEATURE_TESTS += libbfd-liberty
 FEATURE_TESTS += libbfd-liberty-z
 FEATURE_TESTS += disassembler-four-args
@@ -110,6 +111,7 @@ FEATURE_TESTS += libelf-zstd
 FEATURE_DISPLAY := clang-bpf-co-re
 FEATURE_DISPLAY += llvm
 FEATURE_DISPLAY += libcap
+FEATURE_DISPLAY += libcrypto
 FEATURE_DISPLAY += libbfd
 FEATURE_DISPLAY += libbfd-liberty
 FEATURE_DISPLAY += libbfd-liberty-z
@@ -130,8 +132,14 @@ include $(FEATURES_DUMP)
 endif
 endif
 
-LIBS = $(LIBBPF) -lelf -lz -lcrypto
-LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
+LIBS = $(LIBBPF) -lelf -lz
+LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
+
+ifeq ($(feature-libcrypto),1)
+CFLAGS += -DUSE_CRYPTO
+LIBS += -lcrypto
+LIBS_BOOTSTRAP += -lcrypto
+endif
 
 ifeq ($(feature-libelf-zstd),1)
 LIBS += -lzstd
@@ -194,7 +202,10 @@ endif
 
 BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
 
-BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
+BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
+ifeq ($(feature-libcrypto),1)
+BOOTSTRAP_OBJS += $(addprefix $(BOOTSTRAP_OUTPUT),sign.o)
+endif
 $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
 
 OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o

tools/bpf/bpftool/gen.c

@@ -688,16 +688,15 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
 static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
 {
 	DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
-	struct bpf_load_and_run_opts sopts = {};
-	char sig_buf[MAX_SIG_SIZE];
-	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	struct bpf_map *map;
 
 	char ident[256];
 	int err = 0;
 
+#ifdef USE_CRYPTO
 	if (sign_progs)
 		opts.gen_hash = true;
+#endif
 
 	err = bpf_object__gen_loader(obj, &opts);
 	if (err)
@@ -790,7 +789,12 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 		\n\
 		\";\n");
 
+#ifdef USE_CRYPTO
 	if (sign_progs) {
+		struct bpf_load_and_run_opts sopts = {};
+		char sig_buf[MAX_SIG_SIZE];
+		__u8 prog_sha[SHA256_DIGEST_LENGTH];
+
 		sopts.insns = opts.insns;
 		sopts.insns_sz = opts.insns_sz;
 		sopts.excl_prog_hash = prog_sha;
@@ -831,7 +835,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 			opts.keyring_id = skel->keyring_id;			\n\
 		");
 	}
-
+#endif /* USE_CRYPTO */
 	codegen("\
 		\n\
 			opts.ctx = (struct bpf_loader_ctx *)skel;	    \n\
@@ -1406,13 +1410,14 @@ static int do_skeleton(int argc, char **argv)
 
 		printf("\t} links;\n");
 	}
-
+#ifdef USE_CRYPTO
 	if (sign_progs) {
 		codegen("\
 		\n\
 			__s32 keyring_id;				   \n\
 		");
 	}
+#endif /* USE_CRYPTO */
 
 	if (btf) {
 		err = codegen_datasecs(obj, obj_name);
@@ -1990,7 +1995,9 @@ static int do_help(int argc, char **argv)
 		"       %1$s %2$s help\n"
 		"\n"
 		"       " HELP_SPEC_OPTIONS " |\n"
+#ifdef USE_CRYPTO
 		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
+#endif
 		"",
 		bin_name, "gen");
 

tools/bpf/bpftool/prog.c

@@ -1931,12 +1931,10 @@ static int try_loader(struct gen_loader_opts *gen)
 {
 	struct bpf_load_and_run_opts opts = {};
 	struct bpf_loader_ctx *ctx;
-	char sig_buf[MAX_SIG_SIZE];
-	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
 					     sizeof(struct bpf_prog_desc));
 	int log_buf_sz = (1u << 24) - 1;
-	int err, fds_before, fd_delta;
+	int err = 0, fds_before, fd_delta;
 	char *log_buf = NULL;
 
 	ctx = alloca(ctx_sz);
@@ -1947,7 +1945,7 @@ static int try_loader(struct gen_loader_opts *gen)
 		ctx->log_size = log_buf_sz;
 		log_buf = malloc(log_buf_sz);
 		if (!log_buf)
-			return -ENOMEM;
+			goto out;
 		ctx->log_buf = (long) log_buf;
 	}
 	opts.ctx = ctx;
@@ -1956,8 +1954,11 @@ static int try_loader(struct gen_loader_opts *gen)
 	opts.insns = gen->insns;
 	opts.insns_sz = gen->insns_sz;
 	fds_before = count_open_fds();
-
+#ifdef USE_CRYPTO
 	if (sign_progs) {
+		char sig_buf[MAX_SIG_SIZE];
+		__u8 prog_sha[SHA256_DIGEST_LENGTH];
+
 		opts.excl_prog_hash = prog_sha;
 		opts.excl_prog_hash_sz = sizeof(prog_sha);
 		opts.signature = sig_buf;
@@ -1976,6 +1977,7 @@ static int try_loader(struct gen_loader_opts *gen)
 			goto out;
 		}
 	}
+#endif
 	err = bpf_load_and_run(&opts);
 	fd_delta = count_open_fds() - fds_before;
 	if (err < 0 || verifier_logs) {

tools/bpf/bpftool/sign.c

@@ -3,6 +3,7 @@
  * Copyright (C) 2025 Google LLC.
  */
 
+#ifdef USE_CRYPTO
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
@@ -209,3 +210,4 @@ int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
 	DISPLAY_OSSL_ERR(err < 0);
 	return err;
 }
+#endif /* USE_CRYPTO */