[{"id":24418,"web_url":"https://patchwork.libcamera.org/comment/24418/","msgid":"","date":"2022-08-08T09:09:08","subject":"Re: [libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":101,"url":"https://patchwork.libcamera.org/api/people/101/","name":"Eric Curtin","email":"ecurtin@redhat.com"},"content":"Was happy to see this change so we could build with just openssl if desired.\n\nOn Sun, 7 Aug 2022 at 03:15, Laurent Pinchart via libcamera-devel\n wrote:\n>\n> Support verify IPA signatures with openssl as an alternative to gnutls,\n> to offer more flexibility in the selection of dependencies. Use gnutls\n> by default, for no specific reason as both are equally well supported.\n>\n> Signed-off-by: Laurent Pinchart \n> ---\n> README.rst | 2 +-\n> include/libcamera/internal/pub_key.h | 8 +++++--\n> src/libcamera/meson.build | 16 +++++++++----\n> src/libcamera/pub_key.cpp | 35 ++++++++++++++++++++++++----\n> 4 files changed, 50 insertions(+), 11 deletions(-)\n>\n> diff --git a/README.rst b/README.rst\n> index 3606057ff706..e9dd4207ae55 100644\n> --- a/README.rst\n> +++ b/README.rst\n> @@ -61,7 +61,7 @@ for the libcamera core: [required]\n> libyaml-dev python3-yaml python3-ply python3-jinja2\n>\n> for IPA module signing: [recommended]\n> - libgnutls28-dev openssl\n> + Either libgnutls28-dev or libssl-dev, openssl\n>\n> Without IPA module signing, all IPA modules will be isolated in a\n> separate process. This adds an unnecessary extra overhead at runtime.\n> diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> index a22ba037cff6..ea7d9af84515 100644\n> --- a/include/libcamera/internal/pub_key.h\n> +++ b/include/libcamera/internal/pub_key.h\n> @@ -11,7 +11,9 @@\n>\n> #include \n>\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +struct rsa_st;\n> +#elif HAVE_GNUTLS\n> struct gnutls_pubkey_st;\n> #endif\n>\n> @@ -28,7 +30,9 @@ public:\n>\n> private:\n> bool valid_;\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> + struct rsa_st *pubkey_;\n> +#elif HAVE_GNUTLS\n> struct gnutls_pubkey_st *pubkey_;\n> #endif\n> };\n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index e144d4f9ae70..ce1f0f2f3ef6 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> @@ -65,14 +65,22 @@ subdir('pipeline')\n> subdir('proxy')\n>\n> libdl = cc.find_library('dl')\n> -libgnutls = dependency('gnutls', required : false)\n> libudev = dependency('libudev', required : false)\n> libyaml = dependency('yaml-0.1', required : false)\n>\n> -if libgnutls.found()\n> +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> +libcrypto = dependency('gnutls', required : false)\n> +if libcrypto.found()\n> config_h.set('HAVE_GNUTLS', 1)\n> else\n> - warning('gnutls not found, all IPA modules will be isolated')\n> + libcrypto = dependency('libcrypto', required : false)\n> + if libcrypto.found()\n> + config_h.set('HAVE_CRYPTO', 1)\n> + endif\n> +endif\n> +\n> +if not libcrypto.found()\n> + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> endif\n>\n> if liblttng.found()\n> @@ -137,8 +145,8 @@ libcamera_deps = [\n> libatomic,\n> libcamera_base,\n> libcamera_base_private,\n> + libcrypto,\n> libdl,\n> - libgnutls,\n> liblttng,\n> libudev,\n> libyaml,\n> diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> index b2045a103bc0..723f311b91a2 100644\n> --- a/src/libcamera/pub_key.cpp\n> +++ b/src/libcamera/pub_key.cpp\n> @@ -7,7 +7,12 @@\n>\n> #include \"libcamera/internal/pub_key.h\"\n>\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +#include \n> +#include \n> +#include \n> +#include \n> +#elif HAVE_GNUTLS\n> #include \n> #endif\n>\n> @@ -33,7 +38,14 @@ namespace libcamera {\n> PubKey::PubKey([[maybe_unused]] Span key)\n> : valid_(false)\n> {\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> + const uint8_t *data = key.data();\n> + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size());\n\nIt's failing the build here on Fedora 36 at least:\n\nFAILED: src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o\nccache c++ -Isrc/libcamera/libcamera.so.0.0.0.p -Isrc/libcamera\n-I../src/libcamera -Iinclude -I../include\n-I../subprojects/libyaml/include\n-Isubprojects/libyaml/__CMake_build/include\n-I../subprojects/libyaml/__CMake_build/include\n-Isubprojects/libyaml/__CMake_build\n-I../subprojects/libyaml/__CMake_build -Isubprojects/libyaml\n-I../subprojects/libyaml -Iinclude/libcamera -Iinclude/libcamera/ipa\n-Iinclude/libcamera/internal -Isrc/libcamera/proxy\n-fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch\n-Wnon-virtual-dtor -Wextra -Werror -std=c++17 -O3 -Wshadow -include\n/home/curtine/git/libcamera/build/config.h -fPIC -DYAML_DECLARE_STATIC\n-D_CRT_SECURE_NO_WARNINGS -DLIBCAMERA_BASE_PRIVATE -MD -MQ\nsrc/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -MF\nsrc/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o.d -o\nsrc/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -c\n../src/libcamera/pub_key.cpp\n../src/libcamera/pub_key.cpp: In constructor\n‘libcamera::PubKey::PubKey(libcamera::Span)’:\n../src/libcamera/pub_key.cpp:43:33: error: ‘RSA* d2i_RSA_PUBKEY(RSA**,\nconst unsigned char**, long int)’ is deprecated: Since OpenSSL 3.0\n[-Werror=deprecated-declarations]\n 43 | pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size());\n | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~\nIn file included from /usr/include/openssl/rsa.h:21,\n from ../src/libcamera/pub_key.cpp:12:\n/usr/include/openssl/x509.h:710:1: note: declared here\n 710 | DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA,\nRSA_PUBKEY)\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n../src/libcamera/pub_key.cpp: In destructor ‘libcamera::PubKey::~PubKey()’:\n../src/libcamera/pub_key.cpp:68:17: error: ‘void RSA_free(RSA*)’ is\ndeprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]\n 68 | RSA_free(pubkey_);\n | ~~~~~~~~^~~~~~~~~\n/usr/include/openssl/rsa.h:293:28: note: declared here\n 293 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);\n | ^~~~~~~~\n../src/libcamera/pub_key.cpp: In member function ‘bool\nlibcamera::PubKey::verify(libcamera::Span,\nlibcamera::Span) const’:\n../src/libcamera/pub_key.cpp:99:20: error: ‘int\nSHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0\n[-Werror=deprecated-declarations]\n 99 | SHA256_Init(&ctx);\n | ~~~~~~~~~~~^~~~~~\nIn file included from /usr/include/openssl/x509.h:41,\n from /usr/include/openssl/ssl.h:31,\n from ../src/libcamera/pub_key.cpp:13:\n/usr/include/openssl/sha.h:73:27: note: declared here\n 73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);\n | ^~~~~~~~~~~\n../src/libcamera/pub_key.cpp:100:22: error: ‘int\nSHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since\nOpenSSL 3.0 [-Werror=deprecated-declarations]\n 100 | SHA256_Update(&ctx, data.data(), data.size());\n | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n/usr/include/openssl/sha.h:74:27: note: declared here\n 74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,\n | ^~~~~~~~~~~~~\n../src/libcamera/pub_key.cpp:103:21: error: ‘int SHA256_Final(unsigned\nchar*, SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0\n[-Werror=deprecated-declarations]\n 103 | SHA256_Final(digest, &ctx);\n | ~~~~~~~~~~~~^~~~~~~~~~~~~~\n/usr/include/openssl/sha.h:76:27: note: declared here\n 76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md,\nSHA256_CTX *c);\n | ^~~~~~~~~~~~\n../src/libcamera/pub_key.cpp:106:29: error: ‘int RSA_verify(int, const\nunsigned char*, unsigned int, const unsigned char*, unsigned int,\nRSA*)’ is deprecated: Since OpenSSL 3.0\n[-Werror=deprecated-declarations]\n 106 | int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,\n | ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n 107 | sig.data(), sig.size(), pubkey_);\n | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n/usr/include/openssl/rsa.h:351:27: note: declared here\n 351 | OSSL_DEPRECATEDIN_3_0 int RSA_verify(int type, const unsigned char *m,\n | ^~~~~~~~~~\ncc1plus: all warnings being treated as errors\n\n> + if (!pubkey_)\n> + return;\n> +\n> + valid_ = true;\n> +#elif HAVE_GNUTLS\n> int ret = gnutls_pubkey_init(&pubkey_);\n> if (ret < 0)\n> return;\n> @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span key)\n>\n> PubKey::~PubKey()\n> {\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> + RSA_free(pubkey_);\n> +#elif HAVE_GNUTLS\n> gnutls_pubkey_deinit(pubkey_);\n> #endif\n> }\n> @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span data,\n> if (!valid_)\n> return false;\n>\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> + /* Calculate the SHA256 digest of the data. */\n> + SHA256_CTX ctx;\n> + SHA256_Init(&ctx);\n> + SHA256_Update(&ctx, data.data(), data.size());\n> +\n> + uint8_t digest[SHA256_DIGEST_LENGTH];\n> + SHA256_Final(digest, &ctx);\n> +\n> + /* Decrypt the signature and verify it matches the digest. */\n> + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,\n> + sig.data(), sig.size(), pubkey_);\n> + return ret == 1;\n> +#elif HAVE_GNUTLS\n> const gnutls_datum_t gnuTlsData{\n> const_cast(data.data()),\n> static_cast(data.size())\n> --\n> Regards,\n>\n> Laurent Pinchart\n>","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 0475DBE173\n\tfor ;\n\tMon, 8 Aug 2022 09:09:31 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 7C8E263327;\n\tMon, 8 Aug 2022 11:09:30 +0200 (CEST)","from us-smtp-delivery-124.mimecast.com\n\t(us-smtp-delivery-124.mimecast.com [170.10.129.124])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 43F3063326\n\tfor ;\n\tMon, 8 Aug 2022 11:09:28 +0200 (CEST)","from mail-qv1-f72.google.com (mail-qv1-f72.google.com\n\t[209.85.219.72]) by relay.mimecast.com with ESMTP with STARTTLS\n\t(version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n\tus-mta-55-xdqKlM5iOpSTNvvryzSjrg-1; Mon, 08 Aug 2022 05:09:25 -0400","by mail-qv1-f72.google.com with SMTP id\n\tkk30-20020a056214509e00b004780ff644d7so4123161qvb.12\n\tfor ;\n\tMon, 08 Aug 2022 02:09:25 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1659949770;\n\tbh=rHUgcJnni00Q3gFDvQwlaI67wT3X2DQWJ7bO89zVq+w=;\n\th=References:In-Reply-To:Date:To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=dMhyXckQamLYhIDEzkoyhssNcgoD59QRtfwQJBAD0bRdISd9G5a37nK53wbL2ryqx\n\tebKZUCSDNzqXBUq4x2qEniT1uyk8hbo4t5NgNfzGLHkvCAPmBTS+Hdwd2ZU3U2PBvY\n\tNp6IAcU77OS1UX2tK+xYbVMIi4KH+VUEb9TzTnc4EelEFCK4yDYU3qaOathuRBpOnT\n\tFpsPVEKZEmx/U8y5MQhZGZSTcx7nUvo77EjpMAt5QRVF0DsTRxsCDhc5ACtIVj614t\n\ttHpGLPVzN3rdmHZ1sTms/9IrQW6Ve6RcNEaZwJp/Sxe0bV4hIMoZWyu65U1E801KXL\n\tSWTY9///qsRVQ==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1659949767;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\tto:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\tcontent-transfer-encoding:content-transfer-encoding:\n\tin-reply-to:in-reply-to:references:references;\n\tbh=n7Oj7hLxC4M9jWL2p34w+Y61+O6HxDrrIjWQ8a2lcHk=;\n\tb=gtqgD2zxjTNcdnJmy+X8JbGTggiWpROrMcWbTmEv5l/1RnuhJZEqSLCWdyV34FRSg9rkEz\n\tRhk93zUnGX0de2jeifwGecASn4gL8ydY/yaHbnfWL7E6Fyj+VVu9GU6WcKC3gL2J/YjAno\n\tT1EQwG82mk86FJvJN4VjU6kRxx3B/uM="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=redhat.com\n\theader.i=@redhat.com header.b=\"gtqgD2zx\"; \n\tdkim-atps=neutral","X-MC-Unique":"xdqKlM5iOpSTNvvryzSjrg-1","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20210112;\n\th=x-gm-message-state:mime-version:references:in-reply-to:from:date\n\t:message-id:subject:to:cc:content-transfer-encoding;\n\tbh=n7Oj7hLxC4M9jWL2p34w+Y61+O6HxDrrIjWQ8a2lcHk=;\n\tb=L4K5p4rEE6Jn1Lm6gnVXfRuMY+Sj2khV47RzlzRLLalXr64hkdA8yoV+Z9pM9f7gtC\n\tyA9gPAYQMjFZmxQMeDDPGF2ZrntRHMA33HfUr+QWWWTxLBxZO4RNE6K+FvLP8hMOARy2\n\tb8p683pvFgzwgA2Are5P7Os/rFpnZJ9p7njle+z19hLIOrQLCFoXJMCOlhlc7WZGhh6s\n\t7dmoVdnK15LsDM3DgfIh+edEpslaGydzwnYsgvCu8zlHxoxONa4cHJTNvaNFn1agokAm\n\tPJQMMXoKiwurGd+8jhO0ZRejXmEktl5K2Xvz51/IuqggcuzkaUtCU0uda3wrv0c2T+1L\n\tOwow==","X-Gm-Message-State":"ACgBeo2/AN8uQ5XXNyPe72dHMLzZxu7Ffj7zrAICRSxxUVuua294Zu6I\n\t2I+SX5w0aWu046p6PPGcH9Y0eIF8wFXJJxAJmtB8BdMf1aTdxLZdNSnprgQcBUMWediJ9YdTjzP\n\tlmPe/1QgyoQTdL6hI4B6AaLfwfIiWzoXOq61fjvvX0jB8PE1VBA==","X-Received":["by 2002:a05:620a:2947:b0:6b9:6fa7:abd1 with SMTP id\n\tn7-20020a05620a294700b006b96fa7abd1mr107917qkp.202.1659949765082; \n\tMon, 08 Aug 2022 02:09:25 -0700 (PDT)","by 2002:a05:620a:2947:b0:6b9:6fa7:abd1 with SMTP id\n\tn7-20020a05620a294700b006b96fa7abd1mr107906qkp.202.1659949764793;\n\tMon, 08 Aug 2022 02:09:24 -0700 (PDT)"],"X-Google-Smtp-Source":"AA6agR4v0yfxt1dqVdeaoDg6aF+y50ralRDcSYTm+CnFdpthC8Yx/9mnGGMcRuhVnDFjgobTb3XTZ8+dC9c23lVGfAk=","MIME-Version":"1.0","References":"<20220807021456.9578-1-laurent.pinchart@ideasonboard.com>\n\t<20220807021456.9578-6-laurent.pinchart@ideasonboard.com>","In-Reply-To":"<20220807021456.9578-6-laurent.pinchart@ideasonboard.com>","Date":"Mon, 8 Aug 2022 10:09:08 +0100","Message-ID":"","To":"Laurent Pinchart ","X-Mimecast-Spam-Score":"0","X-Mimecast-Originator":"redhat.com","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable","Subject":"Re: [libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Eric Curtin via libcamera-devel ","Reply-To":"Eric Curtin ","Cc":"libcamera devel ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":24433,"web_url":"https://patchwork.libcamera.org/comment/24433/","msgid":"","date":"2022-08-08T15:46:14","subject":"Re: [libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Eric,\n\nOn Mon, Aug 08, 2022 at 10:09:08AM +0100, Eric Curtin wrote:\n> Was happy to see this change so we could build with just openssl if desired.\n> \n> On Sun, 7 Aug 2022 at 03:15, Laurent Pinchart via libcamera-devel wrote:\n> >\n> > Support verify IPA signatures with openssl as an alternative to gnutls,\n> > to offer more flexibility in the selection of dependencies. Use gnutls\n> > by default, for no specific reason as both are equally well supported.\n> >\n> > Signed-off-by: Laurent Pinchart \n> > ---\n> > README.rst | 2 +-\n> > include/libcamera/internal/pub_key.h | 8 +++++--\n> > src/libcamera/meson.build | 16 +++++++++----\n> > src/libcamera/pub_key.cpp | 35 ++++++++++++++++++++++++----\n> > 4 files changed, 50 insertions(+), 11 deletions(-)\n> >\n> > diff --git a/README.rst b/README.rst\n> > index 3606057ff706..e9dd4207ae55 100644\n> > --- a/README.rst\n> > +++ b/README.rst\n> > @@ -61,7 +61,7 @@ for the libcamera core: [required]\n> > libyaml-dev python3-yaml python3-ply python3-jinja2\n> >\n> > for IPA module signing: [recommended]\n> > - libgnutls28-dev openssl\n> > + Either libgnutls28-dev or libssl-dev, openssl\n> >\n> > Without IPA module signing, all IPA modules will be isolated in a\n> > separate process. This adds an unnecessary extra overhead at runtime.\n> > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> > index a22ba037cff6..ea7d9af84515 100644\n> > --- a/include/libcamera/internal/pub_key.h\n> > +++ b/include/libcamera/internal/pub_key.h\n> > @@ -11,7 +11,9 @@\n> >\n> > #include \n> >\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +struct rsa_st;\n> > +#elif HAVE_GNUTLS\n> > struct gnutls_pubkey_st;\n> > #endif\n> >\n> > @@ -28,7 +30,9 @@ public:\n> >\n> > private:\n> > bool valid_;\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > + struct rsa_st *pubkey_;\n> > +#elif HAVE_GNUTLS\n> > struct gnutls_pubkey_st *pubkey_;\n> > #endif\n> > };\n> > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> > index e144d4f9ae70..ce1f0f2f3ef6 100644\n> > --- a/src/libcamera/meson.build\n> > +++ b/src/libcamera/meson.build\n> > @@ -65,14 +65,22 @@ subdir('pipeline')\n> > subdir('proxy')\n> >\n> > libdl = cc.find_library('dl')\n> > -libgnutls = dependency('gnutls', required : false)\n> > libudev = dependency('libudev', required : false)\n> > libyaml = dependency('yaml-0.1', required : false)\n> >\n> > -if libgnutls.found()\n> > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> > +libcrypto = dependency('gnutls', required : false)\n> > +if libcrypto.found()\n> > config_h.set('HAVE_GNUTLS', 1)\n> > else\n> > - warning('gnutls not found, all IPA modules will be isolated')\n> > + libcrypto = dependency('libcrypto', required : false)\n> > + if libcrypto.found()\n> > + config_h.set('HAVE_CRYPTO', 1)\n> > + endif\n> > +endif\n> > +\n> > +if not libcrypto.found()\n> > + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> > endif\n> >\n> > if liblttng.found()\n> > @@ -137,8 +145,8 @@ libcamera_deps = [\n> > libatomic,\n> > libcamera_base,\n> > libcamera_base_private,\n> > + libcrypto,\n> > libdl,\n> > - libgnutls,\n> > liblttng,\n> > libudev,\n> > libyaml,\n> > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> > index b2045a103bc0..723f311b91a2 100644\n> > --- a/src/libcamera/pub_key.cpp\n> > +++ b/src/libcamera/pub_key.cpp\n> > @@ -7,7 +7,12 @@\n> >\n> > #include \"libcamera/internal/pub_key.h\"\n> >\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +#include \n> > +#include \n> > +#include \n> > +#include \n> > +#elif HAVE_GNUTLS\n> > #include \n> > #endif\n> >\n> > @@ -33,7 +38,14 @@ namespace libcamera {\n> > PubKey::PubKey([[maybe_unused]] Span key)\n> > : valid_(false)\n> > {\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > + const uint8_t *data = key.data();\n> > + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size());\n> \n> It's failing the build here on Fedora 36 at least:\n\nAarrghhhh why are there so many versions of the same package ? :-)\n\nThank you for testing, I'll see if I can fix this.\n\n> FAILED: src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o\n> ccache c++ -Isrc/libcamera/libcamera.so.0.0.0.p -Isrc/libcamera\n> -I../src/libcamera -Iinclude -I../include\n> -I../subprojects/libyaml/include\n> -Isubprojects/libyaml/__CMake_build/include\n> -I../subprojects/libyaml/__CMake_build/include\n> -Isubprojects/libyaml/__CMake_build\n> -I../subprojects/libyaml/__CMake_build -Isubprojects/libyaml\n> -I../subprojects/libyaml -Iinclude/libcamera -Iinclude/libcamera/ipa\n> -Iinclude/libcamera/internal -Isrc/libcamera/proxy\n> -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch\n> -Wnon-virtual-dtor -Wextra -Werror -std=c++17 -O3 -Wshadow -include\n> /home/curtine/git/libcamera/build/config.h -fPIC -DYAML_DECLARE_STATIC\n> -D_CRT_SECURE_NO_WARNINGS -DLIBCAMERA_BASE_PRIVATE -MD -MQ\n> src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -MF\n> src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o.d -o\n> src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -c\n> ../src/libcamera/pub_key.cpp\n> ../src/libcamera/pub_key.cpp: In constructor\n> ‘libcamera::PubKey::PubKey(libcamera::Span)’:\n> ../src/libcamera/pub_key.cpp:43:33: error: ‘RSA* d2i_RSA_PUBKEY(RSA**,\n> const unsigned char**, long int)’ is deprecated: Since OpenSSL 3.0\n> [-Werror=deprecated-declarations]\n> 43 | pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size());\n> | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~\n> In file included from /usr/include/openssl/rsa.h:21,\n> from ../src/libcamera/pub_key.cpp:12:\n> /usr/include/openssl/x509.h:710:1: note: declared here\n> 710 | DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA,\n> RSA_PUBKEY)\n> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n> ../src/libcamera/pub_key.cpp: In destructor ‘libcamera::PubKey::~PubKey()’:\n> ../src/libcamera/pub_key.cpp:68:17: error: ‘void RSA_free(RSA*)’ is\n> deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]\n> 68 | RSA_free(pubkey_);\n> | ~~~~~~~~^~~~~~~~~\n> /usr/include/openssl/rsa.h:293:28: note: declared here\n> 293 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);\n> | ^~~~~~~~\n> ../src/libcamera/pub_key.cpp: In member function ‘bool\n> libcamera::PubKey::verify(libcamera::Span,\n> libcamera::Span) const’:\n> ../src/libcamera/pub_key.cpp:99:20: error: ‘int\n> SHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0\n> [-Werror=deprecated-declarations]\n> 99 | SHA256_Init(&ctx);\n> | ~~~~~~~~~~~^~~~~~\n> In file included from /usr/include/openssl/x509.h:41,\n> from /usr/include/openssl/ssl.h:31,\n> from ../src/libcamera/pub_key.cpp:13:\n> /usr/include/openssl/sha.h:73:27: note: declared here\n> 73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);\n> | ^~~~~~~~~~~\n> ../src/libcamera/pub_key.cpp:100:22: error: ‘int\n> SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since\n> OpenSSL 3.0 [-Werror=deprecated-declarations]\n> 100 | SHA256_Update(&ctx, data.data(), data.size());\n> | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n> /usr/include/openssl/sha.h:74:27: note: declared here\n> 74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,\n> | ^~~~~~~~~~~~~\n> ../src/libcamera/pub_key.cpp:103:21: error: ‘int SHA256_Final(unsigned\n> char*, SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0\n> [-Werror=deprecated-declarations]\n> 103 | SHA256_Final(digest, &ctx);\n> | ~~~~~~~~~~~~^~~~~~~~~~~~~~\n> /usr/include/openssl/sha.h:76:27: note: declared here\n> 76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md,\n> SHA256_CTX *c);\n> | ^~~~~~~~~~~~\n> ../src/libcamera/pub_key.cpp:106:29: error: ‘int RSA_verify(int, const\n> unsigned char*, unsigned int, const unsigned char*, unsigned int,\n> RSA*)’ is deprecated: Since OpenSSL 3.0\n> [-Werror=deprecated-declarations]\n> 106 | int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,\n> | ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n> 107 | sig.data(), sig.size(), pubkey_);\n> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n> /usr/include/openssl/rsa.h:351:27: note: declared here\n> 351 | OSSL_DEPRECATEDIN_3_0 int RSA_verify(int type, const unsigned char *m,\n> | ^~~~~~~~~~\n> cc1plus: all warnings being treated as errors\n> \n> > + if (!pubkey_)\n> > + return;\n> > +\n> > + valid_ = true;\n> > +#elif HAVE_GNUTLS\n> > int ret = gnutls_pubkey_init(&pubkey_);\n> > if (ret < 0)\n> > return;\n> > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span key)\n> >\n> > PubKey::~PubKey()\n> > {\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > + RSA_free(pubkey_);\n> > +#elif HAVE_GNUTLS\n> > gnutls_pubkey_deinit(pubkey_);\n> > #endif\n> > }\n> > @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span data,\n> > if (!valid_)\n> > return false;\n> >\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > + /* Calculate the SHA256 digest of the data. */\n> > + SHA256_CTX ctx;\n> > + SHA256_Init(&ctx);\n> > + SHA256_Update(&ctx, data.data(), data.size());\n> > +\n> > + uint8_t digest[SHA256_DIGEST_LENGTH];\n> > + SHA256_Final(digest, &ctx);\n> > +\n> > + /* Decrypt the signature and verify it matches the digest. */\n> > + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH,\n> > + sig.data(), sig.size(), pubkey_);\n> > + return ret == 1;\n> > +#elif HAVE_GNUTLS\n> > const gnutls_datum_t gnuTlsData{\n> > const_cast(data.data()),\n> > static_cast(data.size())","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 285E9BE173\n\tfor ;\n\tMon, 8 Aug 2022 15:46:29 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id F0CB26332B;\n\tMon, 8 Aug 2022 17:46:26 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id C28F963315\n\tfor ;\n\tMon, 8 Aug 2022 17:46:25 +0200 (CEST)","from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 48792481;\n\tMon, 8 Aug 2022 17:46:25 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1659973587;\n\tbh=0XlvDy1+RGiJIYRrrSBdDk/JHLlmDWKJb7qBd3EZ1lw=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=qhK6vEUvqs9rFvvxEdpGBj6Dw5PPfZyGIFLk4CMifGl5MlAkvxM9K8vEH9CvzEOlG\n\tbgTc4OXMlEzArLe8jQ1XGtK/s7/2AMmyGvVf/vx73OgUyAECZb4S38Cho1TGnNdtIL\n\tFYbAVg3xKO4kdxYhRu+8hG3L/+HHTw7XuFDUesMV9koxfCB0LMtdpQXiU5gozPE+Lz\n\tuDsdwMMasYzUwUaRAGRWEGdbkLJYIMQ2b20d1s3/ZQX0rMBXzpgp4PKnSAT+ZX0Kr5\n\tpINGYsJ5p0+P0atfvzfd6jtS8JGQ/YNbCvE37ng+JpmD42nRUakEH3Z0tH3splLnHn\n\tFzfR7E9agUqhw==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1659973585;\n\tbh=0XlvDy1+RGiJIYRrrSBdDk/JHLlmDWKJb7qBd3EZ1lw=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=fwXxp7m0WxrrqyT6Uv4FEu6AfOXOwbQKL/HqisjAcimnloiVrcmsZb5qYMIUUGHNT\n\tigeIkYKcFOwLCxFdglJuQThENdV3gDb84NP0ft5QjOzLsRpxpoPpjG0xOtiVLVf03r\n\tuf0divW+cxMEmvu7A8oURmiBg9jWFK7z0ONqjog8="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"fwXxp7m0\"; dkim-atps=neutral","Date":"Mon, 8 Aug 2022 18:46:14 +0300","To":"Eric Curtin ","Message-ID":"","References":"<20220807021456.9578-1-laurent.pinchart@ideasonboard.com>\n\t<20220807021456.9578-6-laurent.pinchart@ideasonboard.com>\n\t","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","Content-Transfer-Encoding":"8bit","In-Reply-To":"","Subject":"Re: [libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Laurent Pinchart via libcamera-devel\n\t","Reply-To":"Laurent Pinchart ","Cc":"libcamera devel ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}}]