Show a patch.

GET /api/1.1/patches/17003/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 17003,
    "url": "https://patchwork.libcamera.org/api/1.1/patches/17003/?format=api",
    "web_url": "https://patchwork.libcamera.org/patch/17003/",
    "project": {
        "id": 1,
        "url": "https://patchwork.libcamera.org/api/1.1/projects/1/?format=api",
        "name": "libcamera",
        "link_name": "libcamera",
        "list_id": "libcamera_core",
        "list_email": "libcamera-devel@lists.libcamera.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20220807021456.9578-6-laurent.pinchart@ideasonboard.com>",
    "date": "2022-08-07T02:14:56",
    "name": "[libcamera-devel,5/5] libcamera: pub_key: Support openssl as an alternative to gnutls",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "000e3b7a0979fcaa9f71b24a276707e25cf9dbc4",
    "submitter": {
        "id": 2,
        "url": "https://patchwork.libcamera.org/api/1.1/people/2/?format=api",
        "name": "Laurent Pinchart",
        "email": "laurent.pinchart@ideasonboard.com"
    },
    "delegate": null,
    "mbox": "https://patchwork.libcamera.org/patch/17003/mbox/",
    "series": [
        {
            "id": 3380,
            "url": "https://patchwork.libcamera.org/api/1.1/series/3380/?format=api",
            "web_url": "https://patchwork.libcamera.org/project/libcamera/list/?series=3380",
            "date": "2022-08-07T02:14:51",
            "name": "libcamera: Support openssl as an alternative to gnutls",
            "version": 1,
            "mbox": "https://patchwork.libcamera.org/series/3380/mbox/"
        }
    ],
    "comments": "https://patchwork.libcamera.org/api/patches/17003/comments/",
    "check": "pending",
    "checks": "https://patchwork.libcamera.org/api/patches/17003/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<libcamera-devel-bounces@lists.libcamera.org>",
        "X-Original-To": "parsemail@patchwork.libcamera.org",
        "Delivered-To": "parsemail@patchwork.libcamera.org",
        "Received": [
            "from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 0ED9DC3275\n\tfor <parsemail@patchwork.libcamera.org>;\n\tSun,  7 Aug 2022 02:15:16 +0000 (UTC)",
            "from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id CB20963339;\n\tSun,  7 Aug 2022 04:15:15 +0200 (CEST)",
            "from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 5BB5663330\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSun,  7 Aug 2022 04:15:12 +0200 (CEST)",
            "from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id E8864749\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSun,  7 Aug 2022 04:15:11 +0200 (CEST)"
        ],
        "DKIM-Signature": [
            "v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1659838515;\n\tbh=NQ40KL5ezQj70dfWmfSu3R7EhQSSDX7qm+FRJ6vTIBg=;\n\th=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\tFrom;\n\tb=wCIUV+Fq5Ih/zti0+KNjPCvssak43lcLNGyLjfxLdm8JBxfJTvKiS5q8VJWY/mcAj\n\tjj8mwVsJvaDpBV+HlcebRwIx4EOVHNyBAo6GkWkc1ARvrf2j7ke7EdCcYw/+yjEtym\n\t7FY513t87t34/Zf0Y0tgtSivNhm0kcImcaGHT4RY+7mhb17/Xidc3wS9ew7/PojLue\n\tv7SdOqXS3pUpsxVz3WxZ+aOyDMA3DtzwmDAkJqewZpxKmtVrbsNr8ilTd6Zz/F1oAC\n\tIuxNmRz7lVIP06bLzkG+qFwXrYFJBnjKb73jn/WFhgZvyaLZgiiL7fOpbGYq4Exy7y\n\tneH29U6lANgUQ==",
            "v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1659838512;\n\tbh=NQ40KL5ezQj70dfWmfSu3R7EhQSSDX7qm+FRJ6vTIBg=;\n\th=From:To:Subject:Date:In-Reply-To:References:From;\n\tb=E/qzqoZTNnbR+vQLUW432SXgA0um/HvtBmyLwl/tAlW5KQzBbvEzXIoljJVT41mxZ\n\tGbWYf1jesqJnTMq4hTwtjB9vROk1Vq/6GOd6YniJe2hEsTLuJ84ivpZvcSheOX/ex0\n\tMZF7B3vZDUxN6ajBqV+G0MIflvVbYjARDZMH01KU="
        ],
        "Authentication-Results": "lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"E/qzqoZT\"; dkim-atps=neutral",
        "To": "libcamera-devel@lists.libcamera.org",
        "Date": "Sun,  7 Aug 2022 05:14:56 +0300",
        "Message-Id": "<20220807021456.9578-6-laurent.pinchart@ideasonboard.com>",
        "X-Mailer": "git-send-email 2.35.1",
        "In-Reply-To": "<20220807021456.9578-1-laurent.pinchart@ideasonboard.com>",
        "References": "<20220807021456.9578-1-laurent.pinchart@ideasonboard.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Subject": "[libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support openssl\n\tas an alternative to gnutls",
        "X-BeenThere": "libcamera-devel@lists.libcamera.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "<libcamera-devel.lists.libcamera.org>",
        "List-Unsubscribe": "<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>",
        "List-Archive": "<https://lists.libcamera.org/pipermail/libcamera-devel/>",
        "List-Post": "<mailto:libcamera-devel@lists.libcamera.org>",
        "List-Help": "<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>",
        "List-Subscribe": "<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>",
        "From": "Laurent Pinchart via libcamera-devel\n\t<libcamera-devel@lists.libcamera.org>",
        "Reply-To": "Laurent Pinchart <laurent.pinchart@ideasonboard.com>",
        "Errors-To": "libcamera-devel-bounces@lists.libcamera.org",
        "Sender": "\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"
    },
    "content": "Support verify IPA signatures with openssl as an alternative to gnutls,\nto offer more flexibility in the selection of dependencies. Use gnutls\nby default, for no specific reason as both are equally well supported.\n\nSigned-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n---\n README.rst                           |  2 +-\n include/libcamera/internal/pub_key.h |  8 +++++--\n src/libcamera/meson.build            | 16 +++++++++----\n src/libcamera/pub_key.cpp            | 35 ++++++++++++++++++++++++----\n 4 files changed, 50 insertions(+), 11 deletions(-)",
    "diff": "diff --git a/README.rst b/README.rst\nindex 3606057ff706..e9dd4207ae55 100644\n--- a/README.rst\n+++ b/README.rst\n@@ -61,7 +61,7 @@ for the libcamera core: [required]\n         libyaml-dev python3-yaml python3-ply python3-jinja2\n \n for IPA module signing: [recommended]\n-        libgnutls28-dev openssl\n+        Either libgnutls28-dev or libssl-dev, openssl\n \n         Without IPA module signing, all IPA modules will be isolated in a\n         separate process. This adds an unnecessary extra overhead at runtime.\ndiff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\nindex a22ba037cff6..ea7d9af84515 100644\n--- a/include/libcamera/internal/pub_key.h\n+++ b/include/libcamera/internal/pub_key.h\n@@ -11,7 +11,9 @@\n \n #include <libcamera/base/span.h>\n \n-#if HAVE_GNUTLS\n+#if HAVE_CRYPTO\n+struct rsa_st;\n+#elif HAVE_GNUTLS\n struct gnutls_pubkey_st;\n #endif\n \n@@ -28,7 +30,9 @@ public:\n \n private:\n \tbool valid_;\n-#if HAVE_GNUTLS\n+#if HAVE_CRYPTO\n+\tstruct rsa_st *pubkey_;\n+#elif HAVE_GNUTLS\n \tstruct gnutls_pubkey_st *pubkey_;\n #endif\n };\ndiff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\nindex e144d4f9ae70..ce1f0f2f3ef6 100644\n--- a/src/libcamera/meson.build\n+++ b/src/libcamera/meson.build\n@@ -65,14 +65,22 @@ subdir('pipeline')\n subdir('proxy')\n \n libdl = cc.find_library('dl')\n-libgnutls = dependency('gnutls', required : false)\n libudev = dependency('libudev', required : false)\n libyaml = dependency('yaml-0.1', required : false)\n \n-if libgnutls.found()\n+# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n+libcrypto = dependency('gnutls', required : false)\n+if libcrypto.found()\n     config_h.set('HAVE_GNUTLS', 1)\n else\n-    warning('gnutls not found, all IPA modules will be isolated')\n+    libcrypto = dependency('libcrypto', required : false)\n+    if libcrypto.found()\n+        config_h.set('HAVE_CRYPTO', 1)\n+    endif\n+endif\n+\n+if not 
libcrypto.found()\n+    warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n endif\n \n if liblttng.found()\n@@ -137,8 +145,8 @@ libcamera_deps = [\n     libatomic,\n     libcamera_base,\n     libcamera_base_private,\n+    libcrypto,\n     libdl,\n-    libgnutls,\n     liblttng,\n     libudev,\n     libyaml,\ndiff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\nindex b2045a103bc0..723f311b91a2 100644\n--- a/src/libcamera/pub_key.cpp\n+++ b/src/libcamera/pub_key.cpp\n@@ -7,7 +7,12 @@\n \n #include \"libcamera/internal/pub_key.h\"\n \n-#if HAVE_GNUTLS\n+#if HAVE_CRYPTO\n+#include <openssl/bio.h>\n+#include <openssl/rsa.h>\n+#include <openssl/ssl.h>\n+#include <openssl/x509.h>\n+#elif HAVE_GNUTLS\n #include <gnutls/abstract.h>\n #endif\n \n@@ -33,7 +38,14 @@ namespace libcamera {\n PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n \t: valid_(false)\n {\n-#if HAVE_GNUTLS\n+#if HAVE_CRYPTO\n+\tconst uint8_t *data = key.data();\n+\tpubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size());\n+\tif (!pubkey_)\n+\t\treturn;\n+\n+\tvalid_ = true;\n+#elif HAVE_GNUTLS\n \tint ret = gnutls_pubkey_init(&pubkey_);\n \tif (ret < 0)\n \t\treturn;\n@@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n \n PubKey::~PubKey()\n {\n-#if HAVE_GNUTLS\n+#if HAVE_CRYPTO\n+\tRSA_free(pubkey_);\n+#elif HAVE_GNUTLS\n \tgnutls_pubkey_deinit(pubkey_);\n #endif\n }\n@@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n \tif (!valid_)\n \t\treturn false;\n \n-#if HAVE_GNUTLS\n+#if HAVE_CRYPTO\n+\t/* Calculate the SHA256 digest of the data. */\n+\tSHA256_CTX ctx;\n+\tSHA256_Init(&ctx);\n+\tSHA256_Update(&ctx, data.data(), data.size());\n+\n+\tuint8_t digest[SHA256_DIGEST_LENGTH];\n+\tSHA256_Final(digest, &ctx);\n+\n+\t/* Decrypt the signature and verify it matches the digest. 
*/\n+\tint ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,\n+\t\t\t     sig.data(), sig.size(), pubkey_);\n+\treturn ret == 1;\n+#elif HAVE_GNUTLS\n \tconst gnutls_datum_t gnuTlsData{\n \t\tconst_cast<unsigned char *>(data.data()),\n \t\tstatic_cast<unsigned int>(data.size())\n",
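Review bot: In the HAVE_CRYPTO branch of PubKey::verify() the results of `SHA256_Init()`, `SHA256_Update()` and `SHA256_Final()` are discarded, so a failed digest computation would pass a possibly unwritten `digest` buffer to `RSA_verify()`; that most likely fails closed, but the check should be explicit. These low-level SHA256_* and RSA_* calls, together with `d2i_RSA_PUBKEY()` and `RSA_free()` in the constructor and destructor hunks, are deprecated as of OpenSSL 3.0, so this branch will typically build with deprecation warnings there. Moving to the EVP interface addresses both: hold an `EVP_PKEY *` loaded with `d2i_PUBKEY()` and released with `EVP_PKEY_free()`, and verify as sketched below (`EVP_DigestVerify()` needs OpenSSL 1.1.1 or later and defaults to PKCS#1 v1.5 padding for RSA keys, matching `RSA_verify()`). The EVP call also takes the signature length as `size_t`, which avoids the implicit narrowing of `sig.size()` to `unsigned int`. The gnutls branch of the function continues past the end of the hunk.

```cpp
#if HAVE_CRYPTO
	/* Assumes pubkey_ is an EVP_PKEY * created with d2i_PUBKEY(). */
	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
	if (!ctx)
		return false;

	/* Hash and verify in one step; any result other than 1 is a failure. */
	int ret = EVP_DigestVerifyInit(ctx, nullptr, EVP_sha256(), nullptr,
				       pubkey_);
	if (ret == 1)
		ret = EVP_DigestVerify(ctx, sig.data(), sig.size(),
				       data.data(), data.size());

	EVP_MD_CTX_free(ctx);
	return ret == 1;
#elif HAVE_GNUTLS
	/* … unchanged: gnutls verification … */
```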
    "prefixes": [
        "libcamera-devel",
        "5/5"
    ]
}