[{"id":13641,"web_url":"https://patchwork.libcamera.org/comment/13641/","msgid":"<20201109113609.GB6029@pendragon.ideasonboard.com>","date":"2020-11-09T11:36:09","subject":"Re: [libcamera-devel] [PATCH] libcamera: pub_key: Support GNUTLS <\n\tv3","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Kieran,\n\nThank you for the patch.\n\nOn Mon, Nov 09, 2020 at 10:51:59AM +0000, Kieran Bingham wrote:\n> It has been reported that SailfishOS is packaged with an older GnuTLS\n> library. Supporting GnuTLS < 3 appears to be trivial, but comes at the\n> cost of using a #define to switch.\n> \n> Use a #define block to support older GnuTLS installations.\n> \n> Reported-by: Simon Schmeisser <mail_to_wrt@gmx.de>\n> Suggested-by: Matti Lehtimaki <matti.lehtimaki@gmail.com>\n> Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>\n> ---\n>  src/libcamera/pub_key.cpp | 7 +++++++\n>  1 file changed, 7 insertions(+)\n> \n> This was reported at [0], with a fix proposed at [1]\n> \n> [0] https://github.com/sailfish-on-dontbeevil/droid-config-pinephone/issues/55\n> [1] https://git.sailfishos.org/mal/libcamera/blob/master/rpm/gnutls2.patch\n> \n> Alternatively we could just /require/ GnuTLS >= 3... but this seems\n> fairly cheap.\n\nIt is. However, the latest version of gnutls 2.x appears to be 2.12.24,\nreleased 4 years ago. For a crypto library, this seems a very big\nsecurity risk. Do we want to enable that ?\n\nOn a side note, I've been considering moving from gnutls to libnettle,\nwhich is the library that gnutls uses as its crypto backend. -ENOTIME so\nfar.\n\n> This patch is a simplified version of [1] (No need to check if we're\n> __cplusplus, in a cpp file, but I haven't seen that this is needed\n> either).\n> \n> I'd like to see Tested-by: tags on this before integration, as I have no\n> way to verify it.\n> \n> 
diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> index 9bb08fda34af..857c395373ea 100644\n> --- a/src/libcamera/pub_key.cpp\n> +++ b/src/libcamera/pub_key.cpp\n> @@ -8,7 +8,9 @@\n>  #include \"libcamera/internal/pub_key.h\"\n>  \n>  #if HAVE_GNUTLS\n> +extern \"C\" {\n>  #include <gnutls/abstract.h>\n> +}\n>  #endif\n>  \n>  /**\n> 
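Review bot: the `extern "C" {` wrapper added around `#include <gnutls/abstract.h>` is not justified by the cover text, which says the author has not seen that it is needed; if it stays, the commit message should name the GnuTLS 2.x header that lacks its own C++ linkage guard, and should note that wrapping a third-party header in `extern "C"` also forces C linkage on every header it includes transitively. Otherwise drop the two added lines and leave the include as it was.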
@@ -87,8 +89,13 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n>  \t\tstatic_cast<unsigned int>(sig.size())\n>  \t};\n>  \n> +#if GNUTLS_VERSION_MAJOR >= 3\n>  \tint ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_RSA_SHA256, 0,\n>  \t\t\t\t\t     &gnuTlsData, &gnuTlsSig);\n> +#else\n> +\tint ret = gnutls_pubkey_verify_data(pubkey_, 0, &gnuTlsData, &gnuTlsSig);\n> +#endif\n> +\n>  \treturn ret >= 0;\n>  #else\n>  \treturn false;","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 4B223BDB89\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon,  9 Nov 2020 11:36:15 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id D613F63077;\n\tMon,  9 Nov 2020 12:36:14 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 2EF6663074\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tMon,  9 Nov 2020 12:36:13 +0100 (CET)","from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 8A09BB2B;\n\tMon,  9 Nov 2020 12:36:12 +0100 (CET)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"VAYO5v/H\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; 
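Review bot: the fallback call `gnutls_pubkey_verify_data(pubkey_, 0, &gnuTlsData, &gnuTlsSig)` drops the explicit `GNUTLS_SIGN_RSA_SHA256` that the `gnutls_pubkey_verify_data2` path pins, so on GnuTLS < 3 the accepted signature algorithm and hash are whatever the library infers from the key and signature rather than what the caller requires; the commit message should state that difference, and the thread's point that 2.12.x is years out of maintenance belongs there too. Also, `#if GNUTLS_VERSION_MAJOR >= 3` evaluates false when the macro is undefined, so a missing definition silently selects the weaker path; consider an explicit `#ifndef GNUTLS_VERSION_MAJOR` / `#error` guard before the test.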
t=1604921772;\n\tbh=FBhu+4laLcBh/+jVfPaQzz0AVNon6jR1ectlovuaslM=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=VAYO5v/Hy6VFTXQPan4sjYg33bALMfm7TdBzsysIbY9Tce0J1EycZMB3p1D0wSs1D\n\tVozpgO8wtFu6LB6eQ4yuH8mBd+w/yiSzFscuofcMOhhIHVBnPPhXMn6g8G9FXm7IEE\n\tg0YtN/cV61pln+baglL2DER+1ns/rsXXCAEJ4jLw=","Date":"Mon, 9 Nov 2020 13:36:09 +0200","From":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","To":"Kieran Bingham <kieran.bingham@ideasonboard.com>","Message-ID":"<20201109113609.GB6029@pendragon.ideasonboard.com>","References":"<20201109105159.981412-1-kieran.bingham@ideasonboard.com>","MIME-Version":"1.0","Content-Disposition":"inline","In-Reply-To":"<20201109105159.981412-1-kieran.bingham@ideasonboard.com>","Subject":"Re: [libcamera-devel] [PATCH] libcamera: pub_key: Support GNUTLS <\n\tv3","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"Matti Lehtimaki <matti.lehtimaki@gmail.com>,\n\tlibcamera devel <libcamera-devel@lists.libcamera.org>,\n\tSimon Schmeisser <mail_to_wrt@gmx.de>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" 
<libcamera-devel-bounces@lists.libcamera.org>"}},{"id":13642,"web_url":"https://patchwork.libcamera.org/comment/13642/","msgid":"<561315cd-202b-579e-2895-62ce7d3b1665@ideasonboard.com>","date":"2020-11-09T11:46:45","subject":"Re: [libcamera-devel] [PATCH] libcamera: pub_key: Support GNUTLS <\n\tv3","submitter":{"id":4,"url":"https://patchwork.libcamera.org/api/people/4/","name":"Kieran Bingham","email":"kieran.bingham@ideasonboard.com"},"content":"Hi Laurent,\n\nOn 09/11/2020 11:36, Laurent Pinchart wrote:\n> Hi Kieran,\n> \n> Thank you for the patch.\n> \n> On Mon, Nov 09, 2020 at 10:51:59AM +0000, Kieran Bingham wrote:\n>> It has been reported that SailfishOS is packaged with an older GnuTLS\n>> library. Supporting GnuTLS < 3 appears to be trivial, but comes at the\n>> cost of using a #define to switch.\n>>\n>> Use a #define block to support older GnuTLS installations.\n>>\n>> Reported-by: Simon Schmeisser <mail_to_wrt@gmx.de>\n>> Suggested-by: Matti Lehtimaki <matti.lehtimaki@gmail.com>\n>> 
Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>\n>> ---\n>>  src/libcamera/pub_key.cpp | 7 +++++++\n>>  1 file changed, 7 insertions(+)\n>>\n>> This was reported at [0], with a fix proposed at [1]\n>>\n>> [0] https://github.com/sailfish-on-dontbeevil/droid-config-pinephone/issues/55\n>> [1] https://git.sailfishos.org/mal/libcamera/blob/master/rpm/gnutls2.patch\n>>\n>> Alternatively we could just /require/ GnuTLS >= 3... but this seems\n>> fairly cheap.\n> \n> It is. However, the latest version of gnutls 2.x appears to be 2.12.24,\n> released 4 years ago. For a crypto library, this seems a very big\n> security risk. Do we want to enable that ?\n\nIndeed, and overall for the project reporting the issue packaging such\nan older version might be a concern.\n\nI'd be tempted to /require/ newer version ... and ignore this patch.\n\n> On a side note, I've been considering moving from gnutls to libnettle,\n> which is the library that gnutls uses as its crypto backend. -ENOTIME so\n> far.\n\nThat might also clean things up anyway.\n\nLet's add that (libnettle support) to the list of potential newcomer\ntasks and not worry about it.\n--\nKieran\n\n\n\n>> This patch is a simplified version of [1] (No need to check if we're\n>> __cplusplus, in a cpp file, but I haven't seen that this is needed\n>> either).\n>>\n>> I'd like to see Tested-by: tags on this before integration, as I have no\n>> way to verify it.\n>>\n>> diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n>> index 9bb08fda34af..857c395373ea 100644\n>> --- a/src/libcamera/pub_key.cpp\n>> +++ b/src/libcamera/pub_key.cpp\n>> @@ -8,7 +8,9 @@\n>>  #include \"libcamera/internal/pub_key.h\"\n>>  \n>>  #if HAVE_GNUTLS\n>> +extern \"C\" {\n>>  #include <gnutls/abstract.h>\n>> +}\n>>  #endif\n>>  \n>>  /**\n>> 
@@ -87,8 +89,13 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n>>  \t\tstatic_cast<unsigned int>(sig.size())\n>>  \t};\n>>  \n>> +#if GNUTLS_VERSION_MAJOR >= 3\n>>  \tint ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_RSA_SHA256, 0,\n>>  \t\t\t\t\t     &gnuTlsData, &gnuTlsSig);\n>> +#else\n>> +\tint ret = gnutls_pubkey_verify_data(pubkey_, 0, &gnuTlsData, &gnuTlsSig);\n>> +#endif\n>> +\n>>  \treturn ret >= 0;\n>>  #else\n>>  \treturn false;\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 6EC08BE082\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon,  9 Nov 2020 11:46:51 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id F41AE63075;\n\tMon,  9 Nov 2020 12:46:50 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 1E30463074\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tMon,  9 Nov 2020 12:46:49 +0100 (CET)","from [192.168.0.20]\n\t(cpc89244-aztw30-2-0-cust3082.18-1.cable.virginm.net [86.31.172.11])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 4FEBAB2B;\n\tMon,  9 Nov 2020 12:46:48 +0100 (CET)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"i6MMLezo\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; 
t=1604922408;\n\tbh=AX3Rqf8INoSyHLET+ZSs80atTzTVJQBpVGa0jk7AQ4I=;\n\th=Reply-To:Subject:To:Cc:References:From:Date:In-Reply-To:From;\n\tb=i6MMLezoorhYo7tWMs3YiGVyeh5K+7XwEK/Gcr5caCeREHhkraaA02LMQPGKgsZRI\n\tTsc0M790VrYbGySFeYK7jWcLiMWWVV/z74lNCb0XQuK/VNzhtgPua7imRUpzEmuJgw\n\t15G0Wi5U2xcmjNwHo4vq93Uq7MoruX3wAAb6MmSI=","To":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","References":"<20201109105159.981412-1-kieran.bingham@ideasonboard.com>\n\t<20201109113609.GB6029@pendragon.ideasonboard.com>","From":"Kieran Bingham <kieran.bingham@ideasonboard.com>","Organization":"Ideas on Board","Message-ID":"<561315cd-202b-579e-2895-62ce7d3b1665@ideasonboard.com>","Date":"Mon, 9 Nov 2020 11:46:45 
+0000","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101\n\tThunderbird/68.10.0","MIME-Version":"1.0","In-Reply-To":"<20201109113609.GB6029@pendragon.ideasonboard.com>","Content-Language":"en-GB","Subject":"Re: [libcamera-devel] [PATCH] libcamera: pub_key: Support GNUTLS <\n\tv3","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Reply-To":"kieran.bingham@ideasonboard.com","Cc":"Matti Lehtimaki <matti.lehtimaki@gmail.com>,\n\tlibcamera devel <libcamera-devel@lists.libcamera.org>,\n\tSimon Schmeisser <mail_to_wrt@gmx.de>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}}]