[{"id":24449,"web_url":"https://patchwork.libcamera.org/comment/24449/","msgid":"<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>","date":"2022-08-08T23:18:23","subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote:\n> Support verify IPA signatures with openssl as an alternative to gnutls,\n> to offer more flexibility in the selection of dependencies. Use gnutls\n> by default, for no specific reason as both are equally well supported.\n> \n> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n> ---\n> Changes since v1:\n> \n> - Don't use functions deprecated in OpenSSL 3.0\n> ---\n>  README.rst                           |  2 +-\n>  include/libcamera/internal/pub_key.h |  8 +++--\n>  src/libcamera/meson.build            | 10 ++++--\n>  src/libcamera/pub_key.cpp            | 47 +++++++++++++++++++++++++---\n>  4 files changed, 57 insertions(+), 10 deletions(-)\n> \n> diff --git a/README.rst b/README.rst\n> index 77374c6a72b1..3bf4685b0e15 100644\n> --- a/README.rst\n> +++ b/README.rst\n> @@ -61,7 +61,7 @@ for the libcamera core: [required]\n>          libyaml-dev python3-yaml python3-ply python3-jinja2\n>  \n>  for IPA module signing: [required]\n> -        libgnutls28-dev openssl\n> +        Either libgnutls28-dev or libssl-dev, openssl\n>  \n>  for improved debugging: [optional]\n>          libdw-dev libunwind-dev\n> diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> index a22ba037cff6..8653a912b2d5 100644\n> --- a/include/libcamera/internal/pub_key.h\n> +++ b/include/libcamera/internal/pub_key.h\n> 
@@ -11,7 +11,9 @@\n>  \n>  #include <libcamera/base/span.h>\n>  \n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +struct evp_pkey_st;\n> +#elif HAVE_GNUTLS\n>  struct gnutls_pubkey_st;\n>  #endif\n>  \n> @@ -28,7 +30,9 @@ public:\n>  \n>  private:\n>  \tbool valid_;\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +\tstruct evp_pkey_st *pubkey_;\n> +#elif HAVE_GNUTLS\n>  \tstruct gnutls_pubkey_st *pubkey_;\n>  #endif\n>  };\n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index 7cc06de4aedc..401fc498cfbc 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> @@ -65,12 +65,16 @@ subdir('pipeline')\n>  subdir('proxy')\n>  \n>  libdl = cc.find_library('dl')\n> -libgnutls = dependency('gnutls', required : true)\n>  libudev = dependency('libudev', required : false)\n>  libyaml = dependency('yaml-0.1', required : false)\n>  \n> -if libgnutls.found()\n> +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> +libcrypto = dependency('gnutls2', required : false)\n\nThis should have been\n\nlibcrypto = dependency('gnutls', required : false)\n\nIt was a test left-over, sorry.\n\n> +if libcrypto.found()\n>      config_h.set('HAVE_GNUTLS', 1)\n> +else\n> +    libcrypto = dependency('libcrypto', required : true)\n> +    config_h.set('HAVE_CRYPTO', 1)\n>  endif\n>  \n>  if liblttng.found()\n> @@ -135,8 +139,8 @@ libcamera_deps = [\n>      libatomic,\n>      libcamera_base,\n>      libcamera_base_private,\n> +    libcrypto,\n>      libdl,\n> -    libgnutls,\n>      liblttng,\n>      libudev,\n>      libyaml,\n> diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> index b2045a103bc0..64dfa23497c2 100644\n> --- a/src/libcamera/pub_key.cpp\n> +++ b/src/libcamera/pub_key.cpp\n> 
@@ -7,7 +7,12 @@\n>  \n>  #include \"libcamera/internal/pub_key.h\"\n>  \n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +#include <openssl/evp.h>\n> +#include <openssl/rsa.h>\n> +#include <openssl/sha.h>\n> +#include <openssl/x509.h>\n> +#elif HAVE_GNUTLS\n>  #include <gnutls/abstract.h>\n>  #endif\n>  \n> @@ -33,7 +38,14 @@ namespace libcamera {\n>  PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n>  \t: valid_(false)\n>  {\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +\tconst uint8_t *data = key.data();\n> +\tpubkey_ = d2i_PUBKEY(nullptr, &data, key.size());\n> +\tif (!pubkey_)\n> +\t\treturn;\n> +\n> +\tvalid_ = true;\n> +#elif HAVE_GNUTLS\n>  \tint ret = gnutls_pubkey_init(&pubkey_);\n>  \tif (ret < 0)\n>  \t\treturn;\n> @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n>  \n>  PubKey::~PubKey()\n>  {\n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +\tEVP_PKEY_free(pubkey_);\n> +#elif HAVE_GNUTLS\n>  \tgnutls_pubkey_deinit(pubkey_);\n>  #endif\n>  }\n> 
@@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n>  \tif (!valid_)\n>  \t\treturn false;\n>  \n> -#if HAVE_GNUTLS\n> +#if HAVE_CRYPTO\n> +\t/*\n> +\t * Create and initialize a public key algorithm context for signature\n> +\t * verification.\n> +\t */\n> +\tEVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr);\n> +\tif (!ctx)\n> +\t\treturn false;\n> +\n> +\tif (EVP_PKEY_verify_init(ctx) <= 0 ||\n> +\t    EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 ||\n> +\t    EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {\n> +\t\tEVP_PKEY_CTX_free(ctx);\n> +\t\treturn false;\n> +\t}\n> +\n> +\t/* Calculate the SHA256 digest of the data. */\n> +\tuint8_t digest[SHA256_DIGEST_LENGTH];\n> +\tSHA256(data.data(), data.size(), digest);\n> +\n> +\t/* Decrypt the signature and verify it matches the digest. */\n> +\tint ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest,\n> +\t\t\t\t  SHA256_DIGEST_LENGTH);\n> +\tEVP_PKEY_CTX_free(ctx);\n> +\treturn ret == 1;\n> +#elif HAVE_GNUTLS\n>  \tconst gnutls_datum_t gnuTlsData{\n>  \t\tconst_cast<unsigned char *>(data.data()),\n>  \t\tstatic_cast<unsigned int>(data.size())","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id A14A3BE173\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon,  8 Aug 2022 23:18:36 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 2306B600EA;\n\tTue,  9 Aug 2022 01:18:36 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 2D2DC600EA\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Aug 2022 01:18:34 +0200 
(CEST)","from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id A89F8481\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Aug 2022 01:18:33 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1660000716;\n\tbh=fdHxtZYM9oj8OWlryQzdqPGBrg6O9OmzPLn+Uo3QwD4=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\tFrom;\n\tb=D3F+yjA/lu1MIptV0h+zV8TCmGJujLarQL8ca2jvgPpoW5DAdbABxr1elB2aCvnGT\n\tKh8RFujHlsCjD1W+VoANkGVGfRReVgStZNJPB7xH6nodTdqRgoFBn7gO9j/4l2iC6x\n\tP5j6qV5Uap2gWb/AvwYcz8eSYl4Eer1VYb5UYzzkP6j5Acs64WHF+PhO7OtkT82pIA\n\tBcOVb3EcvIoj1uynQ+ACdhtK7rkUWhcTF3Tk/Xcea421XrgNUqsTKqy881PEf9n2WP\n\tBfRZCSnqS68k+491Z06LKfjeDKiao+qfUYHSVWPbc2xVpYtoQMYY7euC4jZPcsRJqp\n\tBFn0ZPLOppBBA==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1660000713;\n\tbh=fdHxtZYM9oj8OWlryQzdqPGBrg6O9OmzPLn+Uo3QwD4=;\n\th=Date:From:To:Subject:References:In-Reply-To:From;\n\tb=vZuEO2ATWJvHyxKw/deYMop0sKS68jIvJrb/PX/0Mc+YlGbXo1Gk0C144ErcB6ry2\n\tVU1mnEMSdFypJzg8T5nMIXor2HLHWQTFeaLnZIOuc7pyXqGMBmgmcwwsOHLvvIQh/H\n\t0VULwE8PX4uqKbhhBpqSgqHzJkZKJvvB/QgriKSA="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"vZuEO2AT\"; dkim-atps=neutral","Date":"Tue, 9 Aug 2022 02:18:23 +0300","To":"libcamera-devel@lists.libcamera.org","Message-ID":"<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-4-laurent.pinchart@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20220808230833.16275-4-laurent.pinchart@ideasonboard.com>","Subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: 
pub_key: Support\n\topenssl as an alternative to gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Laurent Pinchart via libcamera-devel\n\t<libcamera-devel@lists.libcamera.org>","Reply-To":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}},{"id":24465,"web_url":"https://patchwork.libcamera.org/comment/24465/","msgid":"<CAOgh=Fx52pxojVdaed-JYE9w9=jk1mS96t8wKgFX6gs0S4unRg@mail.gmail.com>","date":"2022-08-09T10:46:09","subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":101,"url":"https://patchwork.libcamera.org/api/people/101/","name":"Eric Curtin","email":"ecurtin@redhat.com"},"content":"On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel\n<libcamera-devel@lists.libcamera.org> wrote:\n>\n> On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote:\n> > Support verify IPA signatures with openssl as an alternative to gnutls,\n> > to offer more flexibility in the selection of dependencies. Use gnutls\n> > by default, for no specific reason as both are equally well supported.\n> >\n> 
> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n> > ---\n> > Changes since v1:\n> >\n> > - Don't use functions deprecated in OpenSSL 3.0\n> > ---\n> >  README.rst                           |  2 +-\n> >  include/libcamera/internal/pub_key.h |  8 +++--\n> >  src/libcamera/meson.build            | 10 ++++--\n> >  src/libcamera/pub_key.cpp            | 47 +++++++++++++++++++++++++---\n> >  4 files changed, 57 insertions(+), 10 deletions(-)\n> >\n> > diff --git a/README.rst b/README.rst\n> > index 77374c6a72b1..3bf4685b0e15 100644\n> > --- a/README.rst\n> > +++ b/README.rst\n> > @@ -61,7 +61,7 @@ for the libcamera core: [required]\n> >          libyaml-dev python3-yaml python3-ply python3-jinja2\n> >\n> >  for IPA module signing: [required]\n> > -        libgnutls28-dev openssl\n> > +        Either libgnutls28-dev or libssl-dev, openssl\n> >\n> >  for improved debugging: [optional]\n> >          libdw-dev libunwind-dev\n> > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> > index a22ba037cff6..8653a912b2d5 100644\n> > --- a/include/libcamera/internal/pub_key.h\n> > +++ b/include/libcamera/internal/pub_key.h\n> > @@ -11,7 +11,9 @@\n> >\n> >  #include <libcamera/base/span.h>\n> >\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +struct evp_pkey_st;\n> > +#elif HAVE_GNUTLS\n> >  struct gnutls_pubkey_st;\n> >  #endif\n> >\n> > @@ -28,7 +30,9 @@ public:\n> >\n> >  private:\n> >       bool valid_;\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +     struct evp_pkey_st *pubkey_;\n> > +#elif HAVE_GNUTLS\n> >       struct gnutls_pubkey_st *pubkey_;\n> >  #endif\n> >  };\n> > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> > index 7cc06de4aedc..401fc498cfbc 100644\n> > --- a/src/libcamera/meson.build\n> > +++ b/src/libcamera/meson.build\n> 
> @@ -65,12 +65,16 @@ subdir('pipeline')\n> >  subdir('proxy')\n> >\n> >  libdl = cc.find_library('dl')\n> > -libgnutls = dependency('gnutls', required : true)\n> >  libudev = dependency('libudev', required : false)\n> >  libyaml = dependency('yaml-0.1', required : false)\n> >\n> > -if libgnutls.found()\n> > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> > +libcrypto = dependency('gnutls2', required : false)\n>\n> This should have been\n>\n> libcrypto = dependency('gnutls', required : false)\n>\n\nWith this change:\n\nReviewed-by: Eric Curtin <ecurtin@redhat.com>\n\n> It was a test left-over, sorry.\n>\n> > +if libcrypto.found()\n> >      config_h.set('HAVE_GNUTLS', 1)\n> > +else\n> > +    libcrypto = dependency('libcrypto', required : true)\n> > +    config_h.set('HAVE_CRYPTO', 1)\n> >  endif\n> >\n> >  if liblttng.found()\n> > @@ -135,8 +139,8 @@ libcamera_deps = [\n> >      libatomic,\n> >      libcamera_base,\n> >      libcamera_base_private,\n> > +    libcrypto,\n> >      libdl,\n> > -    libgnutls,\n> >      liblttng,\n> >      libudev,\n> >      libyaml,\n> > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> > index b2045a103bc0..64dfa23497c2 100644\n> > --- a/src/libcamera/pub_key.cpp\n> > +++ b/src/libcamera/pub_key.cpp\n> > @@ -7,7 +7,12 @@\n> >\n> >  #include \"libcamera/internal/pub_key.h\"\n> >\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +#include <openssl/evp.h>\n> > +#include <openssl/rsa.h>\n> > +#include <openssl/sha.h>\n> > +#include <openssl/x509.h>\n> > +#elif HAVE_GNUTLS\n> >  #include <gnutls/abstract.h>\n> >  #endif\n> >\n> 
> @@ -33,7 +38,14 @@ namespace libcamera {\n> >  PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> >       : valid_(false)\n> >  {\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +     const uint8_t *data = key.data();\n> > +     pubkey_ = d2i_PUBKEY(nullptr, &data, key.size());\n> > +     if (!pubkey_)\n> > +             return;\n> > +\n> > +     valid_ = true;\n> > +#elif HAVE_GNUTLS\n> >       int ret = gnutls_pubkey_init(&pubkey_);\n> >       if (ret < 0)\n> >               return;\n> > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> >\n> >  PubKey::~PubKey()\n> >  {\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +     EVP_PKEY_free(pubkey_);\n> > +#elif HAVE_GNUTLS\n> >       gnutls_pubkey_deinit(pubkey_);\n> >  #endif\n> >  }\n> 
> @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n> >       if (!valid_)\n> >               return false;\n> >\n> > -#if HAVE_GNUTLS\n> > +#if HAVE_CRYPTO\n> > +     /*\n> > +      * Create and initialize a public key algorithm context for signature\n> > +      * verification.\n> > +      */\n> > +     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr);\n> > +     if (!ctx)\n> > +             return false;\n> > +\n> > +     if (EVP_PKEY_verify_init(ctx) <= 0 ||\n> > +         EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 ||\n> > +         EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {\n> > +             EVP_PKEY_CTX_free(ctx);\n> > +             return false;\n> > +     }\n> > +\n> > +     /* Calculate the SHA256 digest of the data. */\n> > +     uint8_t digest[SHA256_DIGEST_LENGTH];\n> > +     SHA256(data.data(), data.size(), digest);\n> > +\n> > +     /* Decrypt the signature and verify it matches the digest. */\n> > +     int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest,\n> > +                               SHA256_DIGEST_LENGTH);\n> > +     EVP_PKEY_CTX_free(ctx);\n> > +     return ret == 1;\n> > +#elif HAVE_GNUTLS\n> >       const gnutls_datum_t gnuTlsData{\n> >               const_cast<unsigned char *>(data.data()),\n> >               static_cast<unsigned int>(data.size())\n>\n> --\n> Regards,\n>\n> Laurent Pinchart\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id EF219C3272\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue,  9 Aug 2022 10:46:29 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id A972263328;\n\tTue,  9 Aug 2022 12:46:29 +0200 
(CEST)","from us-smtp-delivery-124.mimecast.com\n\t(us-smtp-delivery-124.mimecast.com [170.10.129.124])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 632E5600EA\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Aug 2022 12:46:28 +0200 (CEST)","from mail-qk1-f198.google.com (mail-qk1-f198.google.com\n\t[209.85.222.198]) by relay.mimecast.com with ESMTP with STARTTLS\n\t(version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n\tus-mta-539-KBMiqmETMxGMGl_iHz6YGA-1; Tue, 09 Aug 2022 06:46:26 -0400","by mail-qk1-f198.google.com with SMTP id\n\tbm34-20020a05620a19a200b006b5f1d95ceeso9874256qkb.5\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 09 Aug 2022 03:46:26 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1660041989;\n\tbh=eb9rE6MOw64WVleqspLjGMTMZI+yIiO7ITBJQAuZt68=;\n\th=References:In-Reply-To:Date:To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=2kgdYpbXM0wLiPRpr4Pu4FYn25PuTFWjrZqoUubflRfAbuV1KqNCRaG3RVL2whU90\n\tUA0auvTBHbplIXq+9tQLK+fpLb0K7HJesCcLJjEGChE4t73Cy5Bx7evN3Cb1KU/UiP\n\tIVYzMvz7A5VFYW8CDOEbDVpm0cYGFe87jPATyv7V0frxz5z3aKbAY/DEL1IWMreEJD\n\tQScf7YQXbsN4Dv1vxYwTM9t4FFRHt3V/Sb9/Sn4YY3JOb9m2q99MZLmm/P235g2Js9\n\tWATcudbIi2Ua0qVe48g2RGYIupQQGzOalZHa4xdkRjaaxLEZBjU9Ta92F3KeOUMi5B\n\tAMKHnPJ+xCbbg==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1660041987;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\tto:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\tin-reply-to:in-reply-to:references:references;\n\tbh=4ZS2pJdPtYlHG/W+V7vDvwZu23zP4S7NC+F7Wgn8Rb4=;\n\tb=jIEBWr7hIU2o03Cyzlaku516G8nnpLPlVhNBEp5e2XSheIjH+6FkKlojglIbbSP++PDyoP\n\t5ediSarF3kv64LCUm4DKElc5Kg4V+aDahn9YEROwKZtYFtpDr1aA/lC7BsxdoC6os1l4Z1\n\tgsE44TaSm7UyD3/gKJrTgy4k1W4JPp8="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) 
header.d=redhat.com\n\theader.i=@redhat.com header.b=\"jIEBWr7h\"; \n\tdkim-atps=neutral","X-MC-Unique":"KBMiqmETMxGMGl_iHz6YGA-1","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20210112;\n\th=x-gm-message-state:mime-version:references:in-reply-to:from:date\n\t:message-id:subject:to:cc;\n\tbh=4ZS2pJdPtYlHG/W+V7vDvwZu23zP4S7NC+F7Wgn8Rb4=;\n\tb=0rh+ZEtWQhOfTQsN1D9Yl+dZiiPTqOer9sQuZKRaewVe7K3/CzayhjwYPRVTp1Huxh\n\t02MMFy9vUcFiysL/fp8Z4au9VXllPVCQIjZNOo9oi2VxnybBCUxSsaCeWPljj/vF2zO6\n\tdYoiUw62ByzxxFzJbv0gW82mj8E53c3B45xjq6JWa+OAFQvVOzOnyzod1LqV84hMX2Yv\n\tmlBBR0rc/VC9VFc5WIClch56hlRZeHQi8jknUd7j1byP/3lKNal5tvDTCKvkwkluVVwO\n\t3Ye9uejkuHkjFxBiQBjOJT3xyhTzw1yXDZasORYdcaNfWcUD6a+WIk223He46MLfAAfw\n\tx88w==","X-Gm-Message-State":"ACgBeo2ihyN6oFW2ixysmPTq4J1Z4M9yUyjjZLCsFudAflOFbVugsZ6l\n\tbyk/nM44YzEQhZWOxsDzQJFAi9lREPeAVhTQdggg58rapXjLNc78oVpoaiHcEd0V43L6VDCbYAI\n\tNDnTujv6MMwBXTk4H1iObpwi6pfN2XFWYfxhghqaVDM0SpI3lsA==","X-Received":["by 2002:a05:620a:2849:b0:6a6:5998:f743 with SMTP id\n\th9-20020a05620a284900b006a65998f743mr17119194qkp.757.1660041985936; \n\tTue, 09 Aug 2022 03:46:25 -0700 (PDT)","by 2002:a05:620a:2849:b0:6a6:5998:f743 with SMTP id\n\th9-20020a05620a284900b006a65998f743mr17119179qkp.757.1660041985616;\n\tTue, 09 Aug 2022 03:46:25 -0700 (PDT)"],"X-Google-Smtp-Source":"AA6agR4qzhkj/AksUm7HMPzaZbKkLSWNnBVvV/7u6gL2wzDqtotC7Yj+gThd66p6g6QHubrKnK8IbnJKeZU5Cg0/4hE=","MIME-Version":"1.0","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-4-laurent.pinchart@ideasonboard.com>\n\t<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>","In-Reply-To":"<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>","Date":"Tue, 9 Aug 2022 11:46:09 +0100","Message-ID":"<CAOgh=Fx52pxojVdaed-JYE9w9=jk1mS96t8wKgFX6gs0S4unRg@mail.gmail.com>","To":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","X-Mimecast-Spam-Score":"0","X-Mimecast-Originator":"redhat.com","Content-Type":"text/plain; 
charset=\"UTF-8\"","Subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Eric Curtin via libcamera-devel <libcamera-devel@lists.libcamera.org>","Reply-To":"Eric Curtin <ecurtin@redhat.com>","Cc":"libcamera devel <libcamera-devel@lists.libcamera.org>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}},{"id":24470,"web_url":"https://patchwork.libcamera.org/comment/24470/","msgid":"<166004786460.2190824.2855285903774591269@Monstersaurus>","date":"2022-08-09T12:24:24","subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":4,"url":"https://patchwork.libcamera.org/api/people/4/","name":"Kieran Bingham","email":"kieran.bingham@ideasonboard.com"},"content":"Quoting Eric Curtin via libcamera-devel (2022-08-09 11:46:09)\n> On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel\n> <libcamera-devel@lists.libcamera.org> wrote:\n> >\n> > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote:\n> > > Support verify IPA signatures with openssl as an alternative to gnutls,\n> > > to offer more flexibility in the selection of dependencies. 
Use gnutls\n> > > by default, for no specific reason as both are equally well supported.\n> > >\n> > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n> > > ---\n> > > Changes since v1:\n> > >\n> > > - Don't use functions deprecated in OpenSSL 3.0\n> > > ---\n> > >  README.rst                           |  2 +-\n> > >  include/libcamera/internal/pub_key.h |  8 +++--\n> > >  src/libcamera/meson.build            | 10 ++++--\n> > >  src/libcamera/pub_key.cpp            | 47 +++++++++++++++++++++++++---\n> > >  4 files changed, 57 insertions(+), 10 deletions(-)\n> > >\n> > > diff --git a/README.rst b/README.rst\n> > > index 77374c6a72b1..3bf4685b0e15 100644\n> > > --- a/README.rst\n> > > +++ b/README.rst\n> > > @@ -61,7 +61,7 @@ for the libcamera core: [required]\n> > >          libyaml-dev python3-yaml python3-ply python3-jinja2\n> > >\n> > >  for IPA module signing: [required]\n> > > -        libgnutls28-dev openssl\n> > > +        Either libgnutls28-dev or libssl-dev, openssl\n> > >\n> > >  for improved debugging: [optional]\n> > >          libdw-dev libunwind-dev\n> > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> > > index a22ba037cff6..8653a912b2d5 100644\n> > > --- a/include/libcamera/internal/pub_key.h\n> > > +++ b/include/libcamera/internal/pub_key.h\n> > > @@ -11,7 +11,9 @@\n> > >\n> > >  #include <libcamera/base/span.h>\n> > >\n> > > -#if HAVE_GNUTLS\n> > > +#if HAVE_CRYPTO\n> > > +struct evp_pkey_st;\n> > > +#elif HAVE_GNUTLS\n> > >  struct gnutls_pubkey_st;\n> > >  #endif\n> > >\n> > > @@ -28,7 +30,9 @@ public:\n> > >\n> > >  private:\n> > >       bool valid_;\n> > > -#if HAVE_GNUTLS\n> > > +#if HAVE_CRYPTO\n> > > +     struct evp_pkey_st *pubkey_;\n> > > +#elif HAVE_GNUTLS\n> > >       struct gnutls_pubkey_st *pubkey_;\n> > >  #endif\n> > >  };\n> > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> > > index 7cc06de4aedc..401fc498cfbc 100644\n> 
> > --- a/src/libcamera/meson.build\n> > > +++ b/src/libcamera/meson.build\n> > > @@ -65,12 +65,16 @@ subdir('pipeline')\n> > >  subdir('proxy')\n> > >\n> > >  libdl = cc.find_library('dl')\n> > > -libgnutls = dependency('gnutls', required : true)\n> > >  libudev = dependency('libudev', required : false)\n> > >  libyaml = dependency('yaml-0.1', required : false)\n> > >\n> > > -if libgnutls.found()\n> > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> > > +libcrypto = dependency('gnutls2', required : false)\n> >\n> > This should have been\n> >\n> > libcrypto = dependency('gnutls', required : false)\n\nI'm a bit bemused by this, as gnutls != libcrypto?\n\nBut I see it's just to be able to reference a single dep variable.\n\n\n> >\n> \n> With this change:\n> \n> Reviewed-by: Eric Curtin <ecurtin@redhat.com>\n> \n> > It was a test left-over, sorry.\n> >\n> > > +if libcrypto.found()\n> > >      config_h.set('HAVE_GNUTLS', 1)\n> > > +else\n> > > +    libcrypto = dependency('libcrypto', required : true)\n> > > +    config_h.set('HAVE_CRYPTO', 1)\n\nand at this point, libcrypto is either of gnutls, or libcrypto.\n\nI don't have anything much better to offer as an alternative so lets\ncarry on.\n\n\nReviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>\n\n> > >  endif\n> > >\n> > >  if liblttng.found()\n> > > @@ -135,8 +139,8 @@ libcamera_deps = [\n> > >      libatomic,\n> > >      libcamera_base,\n> > >      libcamera_base_private,\n> > > +    libcrypto,\n> > >      libdl,\n> > > -    libgnutls,\n> > >      liblttng,\n> > >      libudev,\n> > >      libyaml,\n> > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> > > index b2045a103bc0..64dfa23497c2 100644\n> > > --- a/src/libcamera/pub_key.cpp\n> > > +++ b/src/libcamera/pub_key.cpp\n> 
> > @@ -7,7 +7,12 @@\n> > >\n> > >  #include \"libcamera/internal/pub_key.h\"\n> > >\n> > > -#if HAVE_GNUTLS\n> > > +#if HAVE_CRYPTO\n> > > +#include <openssl/evp.h>\n> > > +#include <openssl/rsa.h>\n> > > +#include <openssl/sha.h>\n> > > +#include <openssl/x509.h>\n> > > +#elif HAVE_GNUTLS\n> > >  #include <gnutls/abstract.h>\n> > >  #endif\n> > >\n> > > @@ -33,7 +38,14 @@ namespace libcamera {\n> > >  PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> > >       : valid_(false)\n> > >  {\n> > > -#if HAVE_GNUTLS\n> > > +#if HAVE_CRYPTO\n> > > +     const uint8_t *data = key.data();\n> > > +     pubkey_ = d2i_PUBKEY(nullptr, &data, key.size());\n> > > +     if (!pubkey_)\n> > > +             return;\n> > > +\n> > > +     valid_ = true;\n> > > +#elif HAVE_GNUTLS\n> > >       int ret = gnutls_pubkey_init(&pubkey_);\n> > >       if (ret < 0)\n> > >               return;\n> > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> > >\n> > >  PubKey::~PubKey()\n> > >  {\n> > > -#if HAVE_GNUTLS\n> > > +#if HAVE_CRYPTO\n> > > +     EVP_PKEY_free(pubkey_);\n> > > +#elif HAVE_GNUTLS\n> > >       gnutls_pubkey_deinit(pubkey_);\n> > >  #endif\n> > >  }\n> 
> > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n> > >       if (!valid_)\n> > >               return false;\n> > >\n> > > -#if HAVE_GNUTLS\n> > > +#if HAVE_CRYPTO\n> > > +     /*\n> > > +      * Create and initialize a public key algorithm context for signature\n> > > +      * verification.\n> > > +      */\n> > > +     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr);\n> > > +     if (!ctx)\n> > > +             return false;\n> > > +\n> > > +     if (EVP_PKEY_verify_init(ctx) <= 0 ||\n> > > +         EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 ||\n> > > +         EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {\n> > > +             EVP_PKEY_CTX_free(ctx);\n> > > +             return false;\n> > > +     }\n> > > +\n> > > +     /* Calculate the SHA256 digest of the data. */\n> > > +     uint8_t digest[SHA256_DIGEST_LENGTH];\n> > > +     SHA256(data.data(), data.size(), digest);\n> > > +\n> > > +     /* Decrypt the signature and verify it matches the digest. 
*/\n> > > +     int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest,\n> > > +                               SHA256_DIGEST_LENGTH);\n> > > +     EVP_PKEY_CTX_free(ctx);\n> > > +     return ret == 1;\n> > > +#elif HAVE_GNUTLS\n> > >       const gnutls_datum_t gnuTlsData{\n> > >               const_cast<unsigned char *>(data.data()),\n> > >               static_cast<unsigned int>(data.size())\n> >\n> > --\n> > Regards,\n> >\n> > Laurent Pinchart\n> >\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 5B7DEC3272\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue,  9 Aug 2022 12:24:31 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id A97DA63326;\n\tTue,  9 Aug 2022 14:24:30 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 7CCCE61FAA\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Aug 2022 14:24:28 +0200 (CEST)","from pendragon.ideasonboard.com\n\t(cpc89244-aztw30-2-0-cust3082.18-1.cable.virginm.net [86.31.172.11])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id ED418481;\n\tTue,  9 Aug 2022 14:24:27 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; 
t=1660047870;\n\tbh=+ALWsEO9ntS47x6gCqNSd7/UTnY1ZON83HgHm/AD0vM=;\n\th=In-Reply-To:References:To:Date:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=P2qlKTfi8/ff6kztU5RToBUCchWvKJhYR/aGyUAek4IfZ3AIeRzWl2Lchldp1U0wT\n\tRchm9PRa+JNsRuyqu6WI4P0tHNQxHyQp9E9q/ZaSFLzoQjrmiFbt+faSt9dU+YMFBN\n\thjQcuWwL8K98hNcHWKQMUnXH74qlJlVTp718scAadYlIndIBt/C9B6d0SdKGS9kLYj\n\tfqmGU2VtF8L7yw2FbdHoAd2gWHLHBovhHipJMLsuuXgYjVojoUPbtGSeKw8TncX3El\n\tIXML5yLvpN9tD3wGBKFRFLWyTYBe5QoVR0TqpbFnu7x7ivg1P++edD+1knOYBvZ/zW\n\tK3R7fOFh1Q5MQ==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1660047868;\n\tbh=+ALWsEO9ntS47x6gCqNSd7/UTnY1ZON83HgHm/AD0vM=;\n\th=In-Reply-To:References:Subject:From:Cc:To:Date:From;\n\tb=RJiinho41cXBWjhiv3/+KlGPiIHc/MaCrM4crwZuRDqo/y+w7Brx838dt2yzeiWe2\n\tVp/PGw3XIFdRQPeJweCZ+wzjnouN5wbiNK9motNS5o+Yfw5of8k3lISTNLmFSJbOf8\n\tYTVT2zkbyiqW7gzWLCbr5dinjRKfA1cW80p6/mQw="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"RJiinho4\"; dkim-atps=neutral","Content-Type":"text/plain; charset=\"utf-8\"","MIME-Version":"1.0","Content-Transfer-Encoding":"quoted-printable","In-Reply-To":"<CAOgh=Fx52pxojVdaed-JYE9w9=jk1mS96t8wKgFX6gs0S4unRg@mail.gmail.com>","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-4-laurent.pinchart@ideasonboard.com>\n\t<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>\n\t<CAOgh=Fx52pxojVdaed-JYE9w9=jk1mS96t8wKgFX6gs0S4unRg@mail.gmail.com>","To":"Eric Curtin <ecurtin@redhat.com>,\n\tEric Curtin via libcamera-devel <libcamera-devel@lists.libcamera.org>,\n\tLaurent Pinchart <laurent.pinchart@ideasonboard.com>","Date":"Tue, 09 Aug 2022 13:24:24 +0100","Message-ID":"<166004786460.2190824.2855285903774591269@Monstersaurus>","User-Agent":"alot/0.10","Subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: 
Support\n\topenssl as an alternative to gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Kieran Bingham via libcamera-devel\n\t<libcamera-devel@lists.libcamera.org>","Reply-To":"Kieran Bingham <kieran.bingham@ideasonboard.com>","Cc":"libcamera devel <libcamera-devel@lists.libcamera.org>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}},{"id":24472,"web_url":"https://patchwork.libcamera.org/comment/24472/","msgid":"<CAOgh=FwUsuN6LwJYSXwDCw=ceZe9YC2uB7Ey620m5Fxx9p9PGg@mail.gmail.com>","date":"2022-08-09T12:37:51","subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":101,"url":"https://patchwork.libcamera.org/api/people/101/","name":"Eric Curtin","email":"ecurtin@redhat.com"},"content":"On Tue, 9 Aug 2022 at 13:24, Kieran Bingham\n<kieran.bingham@ideasonboard.com> wrote:\n>\n> Quoting Eric Curtin via libcamera-devel (2022-08-09 11:46:09)\n> > On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel\n> > <libcamera-devel@lists.libcamera.org> wrote:\n> > >\n> > > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote:\n> > > > Support verify IPA signatures with openssl as an alternative to gnutls,\n> > > > to offer more flexibility in the 
selection of dependencies. Use gnutls\n> > > > by default, for no specific reason as both are equally well supported.\n> > > >\n> > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n> > > > ---\n> > > > Changes since v1:\n> > > >\n> > > > - Don't use functions deprecated in OpenSSL 3.0\n> > > > ---\n> > > >  README.rst                           |  2 +-\n> > > >  include/libcamera/internal/pub_key.h |  8 +++--\n> > > >  src/libcamera/meson.build            | 10 ++++--\n> > > >  src/libcamera/pub_key.cpp            | 47 +++++++++++++++++++++++++---\n> > > >  4 files changed, 57 insertions(+), 10 deletions(-)\n> > > >\n> > > > diff --git a/README.rst b/README.rst\n> > > > index 77374c6a72b1..3bf4685b0e15 100644\n> > > > --- a/README.rst\n> > > > +++ b/README.rst\n> > > > @@ -61,7 +61,7 @@ for the libcamera core: [required]\n> > > >          libyaml-dev python3-yaml python3-ply python3-jinja2\n> > > >\n> > > >  for IPA module signing: [required]\n> > > > -        libgnutls28-dev openssl\n> > > > +        Either libgnutls28-dev or libssl-dev, openssl\n> > > >\n> > > >  for improved debugging: [optional]\n> > > >          libdw-dev libunwind-dev\n> > > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> > > > index a22ba037cff6..8653a912b2d5 100644\n> > > > --- a/include/libcamera/internal/pub_key.h\n> > > > +++ b/include/libcamera/internal/pub_key.h\n> > > > @@ -11,7 +11,9 @@\n> > > >\n> > > >  #include <libcamera/base/span.h>\n> > > >\n> > > > -#if HAVE_GNUTLS\n> > > > +#if HAVE_CRYPTO\n> > > > +struct evp_pkey_st;\n> > > > +#elif HAVE_GNUTLS\n> > > >  struct gnutls_pubkey_st;\n> > > >  #endif\n> > > >\n> > > > @@ -28,7 +30,9 @@ public:\n> > > >\n> > > >  private:\n> > > >       bool valid_;\n> > > > -#if HAVE_GNUTLS\n> > > > +#if HAVE_CRYPTO\n> > > > +     struct evp_pkey_st *pubkey_;\n> > > > +#elif HAVE_GNUTLS\n> > > >       struct gnutls_pubkey_st *pubkey_;\n> > > >  #endif\n> > > >  };\n> 
> > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> > > > index 7cc06de4aedc..401fc498cfbc 100644\n> > > > --- a/src/libcamera/meson.build\n> > > > +++ b/src/libcamera/meson.build\n> > > > @@ -65,12 +65,16 @@ subdir('pipeline')\n> > > >  subdir('proxy')\n> > > >\n> > > >  libdl = cc.find_library('dl')\n> > > > -libgnutls = dependency('gnutls', required : true)\n> > > >  libudev = dependency('libudev', required : false)\n> > > >  libyaml = dependency('yaml-0.1', required : false)\n> > > >\n> > > > -if libgnutls.found()\n> > > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> > > > +libcrypto = dependency('gnutls2', required : false)\n> > >\n> > > This should have been\n> > >\n> > > libcrypto = dependency('gnutls', required : false)\n>\n> I'm a bit bemused by this, as gnutls != libcrypto?\n\nI was briefly bemused as well: when I saw libcrypto here, I automatically\nassumed the openssl one, because that's what it's called.\nBut they are both cryptographic libraries, so I get the context here.\n\n>\n> But I see it's just to be able to reference a single dep variable.\n>\n>\n> > >\n> >\n> > With this change:\n> >\n> > Reviewed-by: Eric Curtin <ecurtin@redhat.com>\n> >\n> > > It was a test left-over, sorry.\n> > >\n> > > > +if libcrypto.found()\n> > > >      config_h.set('HAVE_GNUTLS', 1)\n> > > > +else\n> > > > +    libcrypto = dependency('libcrypto', required : true)\n> > > > +    config_h.set('HAVE_CRYPTO', 1)\n>\n> and at this point, libcrypto is either of gnutls, or libcrypto.\n>\n> I don't have anything much better to offer as an alternative so lets\n> carry on.\n>\n>\n> Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>\n>\n> > > >  endif\n> > > >\n> > > >  if liblttng.found()\n> 
> > > @@ -135,8 +139,8 @@ libcamera_deps = [\n> > > >      libatomic,\n> > > >      libcamera_base,\n> > > >      libcamera_base_private,\n> > > > +    libcrypto,\n> > > >      libdl,\n> > > > -    libgnutls,\n> > > >      liblttng,\n> > > >      libudev,\n> > > >      libyaml,\n> > > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> > > > index b2045a103bc0..64dfa23497c2 100644\n> > > > --- a/src/libcamera/pub_key.cpp\n> > > > +++ b/src/libcamera/pub_key.cpp\n> > > > @@ -7,7 +7,12 @@\n> > > >\n> > > >  #include \"libcamera/internal/pub_key.h\"\n> > > >\n> > > > -#if HAVE_GNUTLS\n> > > > +#if HAVE_CRYPTO\n> > > > +#include <openssl/evp.h>\n> > > > +#include <openssl/rsa.h>\n> > > > +#include <openssl/sha.h>\n> > > > +#include <openssl/x509.h>\n> > > > +#elif HAVE_GNUTLS\n> > > >  #include <gnutls/abstract.h>\n> > > >  #endif\n> > > >\n> > > > @@ -33,7 +38,14 @@ namespace libcamera {\n> > > >  PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> > > >       : valid_(false)\n> > > >  {\n> > > > -#if HAVE_GNUTLS\n> > > > +#if HAVE_CRYPTO\n> > > > +     const uint8_t *data = key.data();\n> > > > +     pubkey_ = d2i_PUBKEY(nullptr, &data, key.size());\n> > > > +     if (!pubkey_)\n> > > > +             return;\n> > > > +\n> > > > +     valid_ = true;\n> > > > +#elif HAVE_GNUTLS\n> > > >       int ret = gnutls_pubkey_init(&pubkey_);\n> > > >       if (ret < 0)\n> > > >               return;\n> > > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> > > >\n> > > >  PubKey::~PubKey()\n> > > >  {\n> > > > -#if HAVE_GNUTLS\n> > > > +#if HAVE_CRYPTO\n> > > > +     EVP_PKEY_free(pubkey_);\n> > > > +#elif HAVE_GNUTLS\n> > > >       gnutls_pubkey_deinit(pubkey_);\n> > > >  #endif\n> > > >  }\n> 
> > > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n> > > >       if (!valid_)\n> > > >               return false;\n> > > >\n> > > > -#if HAVE_GNUTLS\n> > > > +#if HAVE_CRYPTO\n> > > > +     /*\n> > > > +      * Create and initialize a public key algorithm context for signature\n> > > > +      * verification.\n> > > > +      */\n> > > > +     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr);\n> > > > +     if (!ctx)\n> > > > +             return false;\n> > > > +\n> > > > +     if (EVP_PKEY_verify_init(ctx) <= 0 ||\n> > > > +         EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 ||\n> > > > +         EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {\n> > > > +             EVP_PKEY_CTX_free(ctx);\n> > > > +             return false;\n> > > > +     }\n> > > > +\n> > > > +     /* Calculate the SHA256 digest of the data. */\n> > > > +     uint8_t digest[SHA256_DIGEST_LENGTH];\n> > > > +     SHA256(data.data(), data.size(), digest);\n> > > > +\n> > > > +     /* Decrypt the signature and verify it matches the digest. 
*/\n> > > > +     int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest,\n> > > > +                               SHA256_DIGEST_LENGTH);\n> > > > +     EVP_PKEY_CTX_free(ctx);\n> > > > +     return ret == 1;\n> > > > +#elif HAVE_GNUTLS\n> > > >       const gnutls_datum_t gnuTlsData{\n> > > >               const_cast<unsigned char *>(data.data()),\n> > > >               static_cast<unsigned int>(data.size())\n> > >\n> > > --\n> > > Regards,\n> > >\n> > > Laurent Pinchart\n> > >\n> >\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 22C80BE173\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue,  9 Aug 2022 12:38:13 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 920B763326;\n\tTue,  9 Aug 2022 14:38:12 +0200 (CEST)","from us-smtp-delivery-124.mimecast.com\n\t(us-smtp-delivery-124.mimecast.com [170.10.133.124])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 7A3B661FAA\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Aug 2022 14:38:10 +0200 (CEST)","from mail-qk1-f199.google.com (mail-qk1-f199.google.com\n\t[209.85.222.199]) by relay.mimecast.com with ESMTP with STARTTLS\n\t(version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n\tus-mta-518-ZlyLeg6UOJ-cZUM0mNsajA-1; Tue, 09 Aug 2022 08:38:08 -0400","by mail-qk1-f199.google.com with SMTP id\n\tbi22-20020a05620a319600b006b92f4b2ebbso7203096qkb.22\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue, 09 Aug 2022 05:38:08 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; 
t=1660048692;\n\tbh=0QWOYhIX7CZbW/Ro3JpyywvLCS2AIFcElsLKbHSCYd4=;\n\th=References:In-Reply-To:Date:To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=f6evAtvsCnZhT1dtgF+Ev6UX5SjpakqAsYALBS4Imu73chYKWi6ZkYw9jK7zkMJJa\n\tJwK5n/LrmuNHbsOpRV8L33z1TxpbnmsALvJ0cEAlk++SWu3pnwZNw3BECJRblf3mLy\n\tNQV9KyqfXqygueFlfnfdCtItZFVgDOPcPgQVUXvVVvnXQvmk0oQiZDeAFMCC9vu+E3\n\tl/iR2mKT095U7P8eGmjwBXix84y9d5DTIhb5ldLOO2H00cSOllL1tkKhHuOcs7+v9S\n\tTKkIDYmgbtpTvP6sMcDuPF1nwmq9BqWTgDOhmjdU8Yg5dIhS1Nu5BFvxFVLvAQRf8n\n\t6q1aq/oPAeSew==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1660048689;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\tto:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\tin-reply-to:in-reply-to:references:references;\n\tbh=mRk1KO23nTrWCAvtTaWpqKYrBfJ/gICH2xArlkxlRfo=;\n\tb=RDZ8qaPPVmQ6i5IN3AA0iTod9cx+awxm+wlsHzC3ldWIPhjWiJwmnQEQ6XJkoP34Lfr4nY\n\tS3Sv/GoN7IuLstB4JjzRYkuDK9t/ezulOnzgFpZmO9aEpDCjac7lvc2F8s3J9agmfV50Ar\n\tDdv+4SJ5g0TCbSrIBllLF8nbYSN17XQ="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=redhat.com\n\theader.i=@redhat.com header.b=\"RDZ8qaPP\"; \n\tdkim-atps=neutral","X-MC-Unique":"ZlyLeg6UOJ-cZUM0mNsajA-1","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20210112;\n\th=x-gm-message-state:mime-version:references:in-reply-to:from:date\n\t:message-id:subject:to:cc;\n\tbh=mRk1KO23nTrWCAvtTaWpqKYrBfJ/gICH2xArlkxlRfo=;\n\tb=yKeAIxuDw1NdczMDAMyRA6WVsjtGZiedA+IIlBnct/OIDEm8h8Yji2qeA5w9VFWrmQ\n\tHXbsHnttc3Per8q0zHhpmlALVqoCejCfGBS+EZC+wr3pSbWjxZekR+naZpq6vjkwde4b\n\taAwW6P5FboCE8ypWraR90H5akPGRa23UriGB2FXc/CiFIYpGvvW+QvmTJuaAsBA/sKc3\n\tLz0V59PtLyyvJAnucvUKewx/3hwAzD3oOyTMF2yI8AIpBZKXBQt450xbUEKXtWOXgaPP\n\tRloAb1PFSCLUd24OBkpWFKa91HdFeu0jyJBYTlfsV4aTFEZgy6TrZSRuciCjBoW/9HbK\n\tj1Yg==","X-Gm-Message-State":"ACgBeo0OEBBTnEGPS61HIk+4qs39wMzpMqw21VEt7BbkN7AGjJ3B8EsC\n\ti7+MmJULqalCQX+1CtQdK8qYZCDSBMTosBdoncM+v4FP+9d83Rlt7hsJIKg0SnNU8BxMuV8H0yi\n\tsPPwvvPbN+bmKlkPU4TRXcddZdKybRjJ38G42lKkCcMJ3UyWZ0Q==","X-Received":["by 2002:a0c:b2d0:0:b0:473:2c19:f1ee with SMTP id\n\td16-20020a0cb2d0000000b004732c19f1eemr20040702qvf.130.1660048687607; \n\tTue, 09 Aug 2022 05:38:07 -0700 (PDT)","by 2002:a0c:b2d0:0:b0:473:2c19:f1ee with SMTP id\n\td16-20020a0cb2d0000000b004732c19f1eemr20040675qvf.130.1660048687330;\n\tTue, 09 Aug 2022 05:38:07 -0700 (PDT)"],"X-Google-Smtp-Source":"AA6agR61olzpUo3xmROD/zmh8zAGRWUtEukaIjyLNuOsuLcgMUkI3BWbbOcgievBdcZ90IZgLJAT9zxw6sk7pnGUkyw=","MIME-Version":"1.0","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-4-laurent.pinchart@ideasonboard.com>\n\t<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>\n\t<CAOgh=Fx52pxojVdaed-JYE9w9=jk1mS96t8wKgFX6gs0S4unRg@mail.gmail.com>\n\t<166004786460.2190824.2855285903774591269@Monstersaurus>","In-Reply-To":"<166004786460.2190824.2855285903774591269@Monstersaurus>","Date":"Tue, 9 Aug 2022 13:37:51 +0100","Message-ID":"<CAOgh=FwUsuN6LwJYSXwDCw=ceZe9YC2uB7Ey620m5Fxx9p9PGg@mail.gmail.com>","To":"Kieran Bingham <kieran.bingham@ideasonboard.com>","X-Mimecast-Spam-Score":"0","X-Mimecast-Originator":"redhat.com","Content-Type":"text/plain; charset=\"UTF-8\"","Subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: 
Support\n\topenssl as an alternative to gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Eric Curtin via libcamera-devel <libcamera-devel@lists.libcamera.org>","Reply-To":"Eric Curtin <ecurtin@redhat.com>","Cc":"Eric Curtin via libcamera-devel <libcamera-devel@lists.libcamera.org>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}},{"id":24474,"web_url":"https://patchwork.libcamera.org/comment/24474/","msgid":"<YvJbqXrADaZ9HfFU@pendragon.ideasonboard.com>","date":"2022-08-09T13:05:45","subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to gnutls","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"On Tue, Aug 09, 2022 at 01:37:51PM +0100, Eric Curtin wrote:\n> On Tue, 9 Aug 2022 at 13:24, Kieran Bingham wrote:\n> > Quoting Eric Curtin via libcamera-devel (2022-08-09 11:46:09)\n> > > On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel wrote:\n> > > > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote:\n> > > > > Support verify IPA signatures with openssl as an alternative to gnutls,\n> > > > > to offer more flexibility in the selection of dependencies. 
Use gnutls\n> > > > > by default, for no specific reason as both are equally well supported.\n> > > > >\n> > > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n> > > > > ---\n> > > > > Changes since v1:\n> > > > >\n> > > > > - Don't use functions deprecated in OpenSSL 3.0\n> > > > > ---\n> > > > >  README.rst                           |  2 +-\n> > > > >  include/libcamera/internal/pub_key.h |  8 +++--\n> > > > >  src/libcamera/meson.build            | 10 ++++--\n> > > > >  src/libcamera/pub_key.cpp            | 47 +++++++++++++++++++++++++---\n> > > > >  4 files changed, 57 insertions(+), 10 deletions(-)\n> > > > >\n> > > > > diff --git a/README.rst b/README.rst\n> > > > > index 77374c6a72b1..3bf4685b0e15 100644\n> > > > > --- a/README.rst\n> > > > > +++ b/README.rst\n> > > > > @@ -61,7 +61,7 @@ for the libcamera core: [required]\n> > > > >          libyaml-dev python3-yaml python3-ply python3-jinja2\n> > > > >\n> > > > >  for IPA module signing: [required]\n> > > > > -        libgnutls28-dev openssl\n> > > > > +        Either libgnutls28-dev or libssl-dev, openssl\n> > > > >\n> > > > >  for improved debugging: [optional]\n> > > > >          libdw-dev libunwind-dev\n> > > > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h\n> > > > > index a22ba037cff6..8653a912b2d5 100644\n> > > > > --- a/include/libcamera/internal/pub_key.h\n> > > > > +++ b/include/libcamera/internal/pub_key.h\n> > > > > @@ -11,7 +11,9 @@\n> > > > >\n> > > > >  #include <libcamera/base/span.h>\n> > > > >\n> > > > > -#if HAVE_GNUTLS\n> > > > > +#if HAVE_CRYPTO\n> > > > > +struct evp_pkey_st;\n> > > > > +#elif HAVE_GNUTLS\n> > > > >  struct gnutls_pubkey_st;\n> > > > >  #endif\n> > > > >\n> 
> > > > @@ -28,7 +30,9 @@ public:\n> > > > >\n> > > > >  private:\n> > > > >       bool valid_;\n> > > > > -#if HAVE_GNUTLS\n> > > > > +#if HAVE_CRYPTO\n> > > > > +     struct evp_pkey_st *pubkey_;\n> > > > > +#elif HAVE_GNUTLS\n> > > > >       struct gnutls_pubkey_st *pubkey_;\n> > > > >  #endif\n> > > > >  };\n> > > > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> > > > > index 7cc06de4aedc..401fc498cfbc 100644\n> > > > > --- a/src/libcamera/meson.build\n> > > > > +++ b/src/libcamera/meson.build\n> 
> > > > @@ -65,12 +65,16 @@ subdir('pipeline')\n> > > > >  subdir('proxy')\n> > > > >\n> > > > >  libdl = cc.find_library('dl')\n> > > > > -libgnutls = dependency('gnutls', required : true)\n> > > > >  libudev = dependency('libudev', required : false)\n> > > > >  libyaml = dependency('yaml-0.1', required : false)\n> > > > >\n> > > > > -if libgnutls.found()\n> > > > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> > > > > +libcrypto = dependency('gnutls2', required : false)\n> > > >\n> > > > This should have been\n> > > >\n> > > > libcrypto = dependency('gnutls', required : false)\n> >\n> > I'm a bit bemused by this, as gnutls != libcrypto?\n> \n> I was briefly bemused as when I saw libcrypto here, I normally\n> automatically assume the openssl one because that's what it's called.\n> But they are both cryptographic libraries so I get the context here.\n\nThat's the idea, yes. It was too late in the night to think of a better\nname, so I decided to see if someone could think of a better alternative\nname during review :-) Let's keep it as-is for now, we can address that\nlater if needed.\n\n> > But I see it's just to be able to reference a single dep variable.\n> >\n> > > With this change:\n> > >\n> > > Reviewed-by: Eric Curtin <ecurtin@redhat.com>\n> > >\n> > > > It was a test left-over, sorry.\n> > > >\n> > > > > +if libcrypto.found()\n> > > > >      config_h.set('HAVE_GNUTLS', 1)\n> > > > > +else\n> > > > > +    libcrypto = dependency('libcrypto', required : true)\n> > > > > +    config_h.set('HAVE_CRYPTO', 1)\n> >\n> > and at this point, libcrypto is either of gnutls, or libcrypto.\n> >\n> > I don't have anything much better to offer as an alternative so lets\n> > carry on.\n> >\n> > Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>\n> >\n> > > > >  endif\n> > > > >\n> > > > >  if liblttng.found()\n> 
> > > > @@ -135,8 +139,8 @@ libcamera_deps = [\n> > > > >      libatomic,\n> > > > >      libcamera_base,\n> > > > >      libcamera_base_private,\n> > > > > +    libcrypto,\n> > > > >      libdl,\n> > > > > -    libgnutls,\n> > > > >      liblttng,\n> > > > >      libudev,\n> > > > >      libyaml,\n> > > > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> > > > > index b2045a103bc0..64dfa23497c2 100644\n> > > > > --- a/src/libcamera/pub_key.cpp\n> > > > > +++ b/src/libcamera/pub_key.cpp\n> > > > > @@ -7,7 +7,12 @@\n> > > > >\n> > > > >  #include \"libcamera/internal/pub_key.h\"\n> > > > >\n> > > > > -#if HAVE_GNUTLS\n> > > > > +#if HAVE_CRYPTO\n> > > > > +#include <openssl/evp.h>\n> > > > > +#include <openssl/rsa.h>\n> > > > > +#include <openssl/sha.h>\n> > > > > +#include <openssl/x509.h>\n> > > > > +#elif HAVE_GNUTLS\n> > > > >  #include <gnutls/abstract.h>\n> > > > >  #endif\n> > > > >\n> > > > > @@ -33,7 +38,14 @@ namespace libcamera {\n> > > > >  PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> > > > >       : valid_(false)\n> > > > >  {\n> > > > > -#if HAVE_GNUTLS\n> > > > > +#if HAVE_CRYPTO\n> > > > > +     const uint8_t *data = key.data();\n> > > > > +     pubkey_ = d2i_PUBKEY(nullptr, &data, key.size());\n> > > > > +     if (!pubkey_)\n> > > > > +             return;\n> > > > > +\n> > > > > +     valid_ = true;\n> > > > > +#elif HAVE_GNUTLS\n> > > > >       int ret = gnutls_pubkey_init(&pubkey_);\n> > > > >       if (ret < 0)\n> > > > >               return;\n> > > > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n> > > > >\n> > > > >  PubKey::~PubKey()\n> > > > >  {\n> > > > > -#if HAVE_GNUTLS\n> > > > > +#if HAVE_CRYPTO\n> > > > > +     EVP_PKEY_free(pubkey_);\n> > > > > +#elif HAVE_GNUTLS\n> > > > >       gnutls_pubkey_deinit(pubkey_);\n> > > > >  #endif\n> > > > >  }\n> 
> > > > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n> > > > >       if (!valid_)\n> > > > >               return false;\n> > > > >\n> > > > > -#if HAVE_GNUTLS\n> > > > > +#if HAVE_CRYPTO\n> > > > > +     /*\n> > > > > +      * Create and initialize a public key algorithm context for signature\n> > > > > +      * verification.\n> > > > > +      */\n> > > > > +     EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr);\n> > > > > +     if (!ctx)\n> > > > > +             return false;\n> > > > > +\n> > > > > +     if (EVP_PKEY_verify_init(ctx) <= 0 ||\n> > > > > +         EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 ||\n> > > > > +         EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {\n> > > > > +             EVP_PKEY_CTX_free(ctx);\n> > > > > +             return false;\n> > > > > +     }\n> > > > > +\n> > > > > +     /* Calculate the SHA256 digest of the data. */\n> > > > > +     uint8_t digest[SHA256_DIGEST_LENGTH];\n> > > > > +     SHA256(data.data(), data.size(), digest);\n> > > > > +\n> > > > > +     /* Decrypt the signature and verify it matches the digest. 
*/\n> > > > > +     int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest,\n> > > > > +                               SHA256_DIGEST_LENGTH);\n> > > > > +     EVP_PKEY_CTX_free(ctx);\n> > > > > +     return ret == 1;\n> > > > > +#elif HAVE_GNUTLS\n> > > > >       const gnutls_datum_t gnuTlsData{\n> > > > >               const_cast<unsigned char *>(data.data()),\n> > > > >               static_cast<unsigned int>(data.size())","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 438DCBE173\n\tfor <parsemail@patchwork.libcamera.org>;\n\tTue,  9 Aug 2022 13:05:59 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 97A516332B;\n\tTue,  9 Aug 2022 15:05:58 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id CAA9D61FAA\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tTue,  9 Aug 2022 15:05:56 +0200 (CEST)","from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 39CF7481;\n\tTue,  9 Aug 2022 15:05:56 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; 
t=1660050358;\n\tbh=00/4bJGRjAuLhMNIsRTIzyVvL3+6FPQvC3E8NGLiplE=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=17/7xF4tU6J5m/mbRuMZehvdniKC1zAnRzvZXORqyaQRbg2zaRYvNzlmV7cGyoIZk\n\tqhKv9fStmc7pFbBReZLZ41RDSGUL0054lEtEXpI3q9A1Ckuwwd+voyYpAe9S0Xbv4d\n\tz0sSvm3jQxXNoEiBEbNrEeT6uIeKFQfw+lmM0OyMDKHiQaL5q1qi/1Kr2imIhCq6q7\n\tjkfHhSYd0tbqdrQ2T/UZF6dojztj1Y1b4Vp3sOB4cqhpgTxBlZ8Qtn3NY1I2jWK+rS\n\tpBKd5MAS0fwSmytcmXRE3hYaUsCdmIlSJz3TGVUpT9+GpMpj0SfgV+gpMhltXbtLCf\n\tNZSvgVYcMmgiQ==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1660050356;\n\tbh=00/4bJGRjAuLhMNIsRTIzyVvL3+6FPQvC3E8NGLiplE=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=GqcuTCAiozekd07YsZLKcTUO/DXHtB3dVPcY0CjKpoejV5kMrclplmxr0iDUZn2hK\n\tP0asDanAT3h/qb4LzgM2XdyOsvIIKeW9TmzzEyxwJO+AfRhk2feg1Wsb3KXZck4cls\n\trsBUhzsabLSWUojd3Ofi5VGlBPMzintatZBY4hLY="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"GqcuTCAi\"; dkim-atps=neutral","Date":"Tue, 9 Aug 2022 16:05:45 +0300","To":"Eric Curtin <ecurtin@redhat.com>","Message-ID":"<YvJbqXrADaZ9HfFU@pendragon.ideasonboard.com>","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-4-laurent.pinchart@ideasonboard.com>\n\t<YvGZv31NXZldGkG6@pendragon.ideasonboard.com>\n\t<CAOgh=Fx52pxojVdaed-JYE9w9=jk1mS96t8wKgFX6gs0S4unRg@mail.gmail.com>\n\t<166004786460.2190824.2855285903774591269@Monstersaurus>\n\t<CAOgh=FwUsuN6LwJYSXwDCw=ceZe9YC2uB7Ey620m5Fxx9p9PGg@mail.gmail.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<CAOgh=FwUsuN6LwJYSXwDCw=ceZe9YC2uB7Ey620m5Fxx9p9PGg@mail.gmail.com>","Subject":"Re: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support\n\topenssl as an alternative to 
gnutls","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","From":"Laurent Pinchart via libcamera-devel\n\t<libcamera-devel@lists.libcamera.org>","Reply-To":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","Cc":"Eric Curtin via libcamera-devel <libcamera-devel@lists.libcamera.org>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}}]