Message ID | 20220807021456.9578-6-laurent.pinchart@ideasonboard.com |
---|---|
State | Accepted |
Headers | show |
Series |
|
Related | show |
Was happy to see this change so we could build with just openssl if desired. On Sun, 7 Aug 2022 at 03:15, Laurent Pinchart via libcamera-devel <libcamera-devel@lists.libcamera.org> wrote: > > Support verify IPA signatures with openssl as an alternative to gnutls, > to offer more flexibility in the selection of dependencies. Use gnutls > by default, for no specific reason as both are equally well supported. > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > --- > README.rst | 2 +- > include/libcamera/internal/pub_key.h | 8 +++++-- > src/libcamera/meson.build | 16 +++++++++---- > src/libcamera/pub_key.cpp | 35 ++++++++++++++++++++++++---- > 4 files changed, 50 insertions(+), 11 deletions(-) > > diff --git a/README.rst b/README.rst > index 3606057ff706..e9dd4207ae55 100644 > --- a/README.rst > +++ b/README.rst > @@ -61,7 +61,7 @@ for the libcamera core: [required] > libyaml-dev python3-yaml python3-ply python3-jinja2 > > for IPA module signing: [recommended] > - libgnutls28-dev openssl > + Either libgnutls28-dev or libssl-dev, openssl > > Without IPA module signing, all IPA modules will be isolated in a > separate process. This adds an unnecessary extra overhead at runtime. > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > index a22ba037cff6..ea7d9af84515 100644 > --- a/include/libcamera/internal/pub_key.h > +++ b/include/libcamera/internal/pub_key.h > @@ -11,7 +11,9 @@ > > #include <libcamera/base/span.h> > > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > +struct rsa_st; > +#elif HAVE_GNUTLS > struct gnutls_pubkey_st; > #endif > > @@ -28,7 +30,9 @@ public: > > private: > bool valid_; > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + struct rsa_st *pubkey_; > +#elif HAVE_GNUTLS > struct gnutls_pubkey_st *pubkey_; > #endif > }; > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > index e144d4f9ae70..ce1f0f2f3ef6 100644 > --- a/src/libcamera/meson.build > +++ b/src/libcamera/meson.build > @@ -65,14 +65,22 @@ subdir('pipeline') > subdir('proxy') > > libdl = cc.find_library('dl') > -libgnutls = dependency('gnutls', required : false) > libudev = dependency('libudev', required : false) > libyaml = dependency('yaml-0.1', required : false) > > -if libgnutls.found() > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > +libcrypto = dependency('gnutls', required : false) > +if libcrypto.found() > config_h.set('HAVE_GNUTLS', 1) > else > - warning('gnutls not found, all IPA modules will be isolated') > + libcrypto = dependency('libcrypto', required : false) > + if libcrypto.found() > + config_h.set('HAVE_CRYPTO', 1) > + endif > +endif > + > +if not libcrypto.found() > + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > endif > > if liblttng.found() > @@ -137,8 +145,8 @@ libcamera_deps = [ > libatomic, > libcamera_base, > libcamera_base_private, > + libcrypto, > libdl, > - libgnutls, > liblttng, > libudev, > libyaml, > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > index b2045a103bc0..723f311b91a2 100644 > --- a/src/libcamera/pub_key.cpp > +++ b/src/libcamera/pub_key.cpp > @@ -7,7 +7,12 @@ > > #include "libcamera/internal/pub_key.h" > > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > +#include <openssl/bio.h> > +#include <openssl/rsa.h> > +#include <openssl/ssl.h> > +#include <openssl/x509.h> > +#elif HAVE_GNUTLS > #include <gnutls/abstract.h> > #endif > > @@ -33,7 +38,14 @@ namespace libcamera { > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > : valid_(false) > { > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + const uint8_t *data = key.data(); > + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); It's failing the build here on Fedora 36 at least: FAILED: src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o ccache c++ -Isrc/libcamera/libcamera.so.0.0.0.p -Isrc/libcamera -I../src/libcamera -Iinclude -I../include -I../subprojects/libyaml/include -Isubprojects/libyaml/__CMake_build/include -I../subprojects/libyaml/__CMake_build/include -Isubprojects/libyaml/__CMake_build -I../subprojects/libyaml/__CMake_build -Isubprojects/libyaml -I../subprojects/libyaml -Iinclude/libcamera -Iinclude/libcamera/ipa -Iinclude/libcamera/internal -Isrc/libcamera/proxy -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wnon-virtual-dtor -Wextra -Werror -std=c++17 -O3 -Wshadow -include /home/curtine/git/libcamera/build/config.h -fPIC -DYAML_DECLARE_STATIC -D_CRT_SECURE_NO_WARNINGS -DLIBCAMERA_BASE_PRIVATE -MD -MQ src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -MF src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o.d -o src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -c ../src/libcamera/pub_key.cpp ../src/libcamera/pub_key.cpp: In constructor ‘libcamera::PubKey::PubKey(libcamera::Span<const unsigned char>)’: ../src/libcamera/pub_key.cpp:43:33: error: ‘RSA* d2i_RSA_PUBKEY(RSA**, const unsigned char**, long int)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 43 | pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from /usr/include/openssl/rsa.h:21, from ../src/libcamera/pub_key.cpp:12: /usr/include/openssl/x509.h:710:1: note: declared here 710 | DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../src/libcamera/pub_key.cpp: In destructor ‘libcamera::PubKey::~PubKey()’: ../src/libcamera/pub_key.cpp:68:17: error: ‘void RSA_free(RSA*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 68 | RSA_free(pubkey_); | ~~~~~~~~^~~~~~~~~ /usr/include/openssl/rsa.h:293:28: note: declared here 293 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r); | ^~~~~~~~ ../src/libcamera/pub_key.cpp: In member function ‘bool libcamera::PubKey::verify(libcamera::Span<const unsigned char>, libcamera::Span<const unsigned char>) const’: ../src/libcamera/pub_key.cpp:99:20: error: ‘int SHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 99 | SHA256_Init(&ctx); | ~~~~~~~~~~~^~~~~~ In file included from /usr/include/openssl/x509.h:41, from /usr/include/openssl/ssl.h:31, from ../src/libcamera/pub_key.cpp:13: /usr/include/openssl/sha.h:73:27: note: declared here 73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c); | ^~~~~~~~~~~ ../src/libcamera/pub_key.cpp:100:22: error: ‘int SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 100 | SHA256_Update(&ctx, data.data(), data.size()); | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/sha.h:74:27: note: declared here 74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c, | ^~~~~~~~~~~~~ ../src/libcamera/pub_key.cpp:103:21: error: ‘int SHA256_Final(unsigned char*, SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 103 | SHA256_Final(digest, &ctx); | ~~~~~~~~~~~~^~~~~~~~~~~~~~ /usr/include/openssl/sha.h:76:27: note: declared here 76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c); | ^~~~~~~~~~~~ ../src/libcamera/pub_key.cpp:106:29: error: ‘int RSA_verify(int, const unsigned char*, unsigned int, const unsigned char*, unsigned int, RSA*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 106 | int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, | ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 107 | sig.data(), sig.size(), pubkey_); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/openssl/rsa.h:351:27: note: declared here 351 | OSSL_DEPRECATEDIN_3_0 int RSA_verify(int type, const unsigned char *m, | ^~~~~~~~~~ cc1plus: all warnings being treated as errors > + if (!pubkey_) > + return; > + > + valid_ = true; > +#elif HAVE_GNUTLS > int ret = gnutls_pubkey_init(&pubkey_); > if (ret < 0) > return; > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > PubKey::~PubKey() > { > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + RSA_free(pubkey_); > +#elif HAVE_GNUTLS > gnutls_pubkey_deinit(pubkey_); > #endif > } > @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > if (!valid_) > return false; > > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + /* Calculate the SHA256 digest of the data. */ > + SHA256_CTX ctx; > + SHA256_Init(&ctx); > + SHA256_Update(&ctx, data.data(), data.size()); > + > + uint8_t digest[SHA256_DIGEST_LENGTH]; > + SHA256_Final(digest, &ctx); > + > + /* Decrypt the signature and verify it matches the digest. */ > + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, > + sig.data(), sig.size(), pubkey_); > + return ret == 1; > +#elif HAVE_GNUTLS > const gnutls_datum_t gnuTlsData{ > const_cast<unsigned char *>(data.data()), > static_cast<unsigned int>(data.size()) > -- > Regards, > > Laurent Pinchart >
Hi Eric, On Mon, Aug 08, 2022 at 10:09:08AM +0100, Eric Curtin wrote: > Was happy to see this change so we could build with just openssl if desired. > > On Sun, 7 Aug 2022 at 03:15, Laurent Pinchart via libcamera-devel wrote: > > > > Support verify IPA signatures with openssl as an alternative to gnutls, > > to offer more flexibility in the selection of dependencies. Use gnutls > > by default, for no specific reason as both are equally well supported. > > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > --- > > README.rst | 2 +- > > include/libcamera/internal/pub_key.h | 8 +++++-- > > src/libcamera/meson.build | 16 +++++++++---- > > src/libcamera/pub_key.cpp | 35 ++++++++++++++++++++++++---- > > 4 files changed, 50 insertions(+), 11 deletions(-) > > > > diff --git a/README.rst b/README.rst > > index 3606057ff706..e9dd4207ae55 100644 > > --- a/README.rst > > +++ b/README.rst > > @@ -61,7 +61,7 @@ for the libcamera core: [required] > > libyaml-dev python3-yaml python3-ply python3-jinja2 > > > > for IPA module signing: [recommended] > > - libgnutls28-dev openssl > > + Either libgnutls28-dev or libssl-dev, openssl > > > > Without IPA module signing, all IPA modules will be isolated in a > > separate process. This adds an unnecessary extra overhead at runtime. > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > > index a22ba037cff6..ea7d9af84515 100644 > > --- a/include/libcamera/internal/pub_key.h > > +++ b/include/libcamera/internal/pub_key.h > > @@ -11,7 +11,9 @@ > > > > #include <libcamera/base/span.h> > > > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > +struct rsa_st; > > +#elif HAVE_GNUTLS > > struct gnutls_pubkey_st; > > #endif > > > > @@ -28,7 +30,9 @@ public: > > > > private: > > bool valid_; > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + struct rsa_st *pubkey_; > > +#elif HAVE_GNUTLS > > struct gnutls_pubkey_st *pubkey_; > > #endif > > }; > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > index e144d4f9ae70..ce1f0f2f3ef6 100644 > > --- a/src/libcamera/meson.build > > +++ b/src/libcamera/meson.build > > @@ -65,14 +65,22 @@ subdir('pipeline') > > subdir('proxy') > > > > libdl = cc.find_library('dl') > > -libgnutls = dependency('gnutls', required : false) > > libudev = dependency('libudev', required : false) > > libyaml = dependency('yaml-0.1', required : false) > > > > -if libgnutls.found() > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > > +libcrypto = dependency('gnutls', required : false) > > +if libcrypto.found() > > config_h.set('HAVE_GNUTLS', 1) > > else > > - warning('gnutls not found, all IPA modules will be isolated') > > + libcrypto = dependency('libcrypto', required : false) > > + if libcrypto.found() > > + config_h.set('HAVE_CRYPTO', 1) > > + endif > > +endif > > + > > +if not libcrypto.found() > > + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > > endif > > > > if liblttng.found() > > @@ -137,8 +145,8 @@ libcamera_deps = [ > > libatomic, > > libcamera_base, > > libcamera_base_private, > > + libcrypto, > > libdl, > > - libgnutls, > > liblttng, > > libudev, > > libyaml, > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > > index b2045a103bc0..723f311b91a2 100644 > > --- a/src/libcamera/pub_key.cpp > > +++ b/src/libcamera/pub_key.cpp > > @@ -7,7 +7,12 @@ > > > > #include "libcamera/internal/pub_key.h" > > > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > +#include <openssl/bio.h> > > +#include <openssl/rsa.h> > > +#include <openssl/ssl.h> > > +#include <openssl/x509.h> > > +#elif HAVE_GNUTLS > > #include <gnutls/abstract.h> > > #endif > > > > @@ -33,7 +38,14 @@ namespace libcamera { > > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > : valid_(false) > > { > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + const uint8_t *data = key.data(); > > + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); > > It's failing the build here on Fedora 36 at least: Aarrghhhh why are there so many versions of the same package ? :-) Thank you for testing, I'll see if I can fix this. > FAILED: src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o > ccache c++ -Isrc/libcamera/libcamera.so.0.0.0.p -Isrc/libcamera > -I../src/libcamera -Iinclude -I../include > -I../subprojects/libyaml/include > -Isubprojects/libyaml/__CMake_build/include > -I../subprojects/libyaml/__CMake_build/include > -Isubprojects/libyaml/__CMake_build > -I../subprojects/libyaml/__CMake_build -Isubprojects/libyaml > -I../subprojects/libyaml -Iinclude/libcamera -Iinclude/libcamera/ipa > -Iinclude/libcamera/internal -Isrc/libcamera/proxy > -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch > -Wnon-virtual-dtor -Wextra -Werror -std=c++17 -O3 -Wshadow -include > /home/curtine/git/libcamera/build/config.h -fPIC -DYAML_DECLARE_STATIC > -D_CRT_SECURE_NO_WARNINGS -DLIBCAMERA_BASE_PRIVATE -MD -MQ > src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -MF > src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o.d -o > src/libcamera/libcamera.so.0.0.0.p/pub_key.cpp.o -c > ../src/libcamera/pub_key.cpp > ../src/libcamera/pub_key.cpp: In constructor > ‘libcamera::PubKey::PubKey(libcamera::Span<const unsigned char>)’: > ../src/libcamera/pub_key.cpp:43:33: error: ‘RSA* d2i_RSA_PUBKEY(RSA**, > const unsigned char**, long int)’ is deprecated: Since OpenSSL 3.0 > [-Werror=deprecated-declarations] > 43 | pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); > | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ > In file included from /usr/include/openssl/rsa.h:21, > from ../src/libcamera/pub_key.cpp:12: > /usr/include/openssl/x509.h:710:1: note: declared here > 710 | DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, > RSA_PUBKEY) > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ../src/libcamera/pub_key.cpp: In destructor ‘libcamera::PubKey::~PubKey()’: > ../src/libcamera/pub_key.cpp:68:17: error: ‘void RSA_free(RSA*)’ is > deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] > 68 | RSA_free(pubkey_); > | ~~~~~~~~^~~~~~~~~ > /usr/include/openssl/rsa.h:293:28: note: declared here > 293 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r); > | ^~~~~~~~ > ../src/libcamera/pub_key.cpp: In member function ‘bool > libcamera::PubKey::verify(libcamera::Span<const unsigned char>, > libcamera::Span<const unsigned char>) const’: > ../src/libcamera/pub_key.cpp:99:20: error: ‘int > SHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 > [-Werror=deprecated-declarations] > 99 | SHA256_Init(&ctx); > | ~~~~~~~~~~~^~~~~~ > In file included from /usr/include/openssl/x509.h:41, > from /usr/include/openssl/ssl.h:31, > from ../src/libcamera/pub_key.cpp:13: > /usr/include/openssl/sha.h:73:27: note: declared here > 73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c); > | ^~~~~~~~~~~ > ../src/libcamera/pub_key.cpp:100:22: error: ‘int > SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since > OpenSSL 3.0 [-Werror=deprecated-declarations] > 100 | SHA256_Update(&ctx, data.data(), data.size()); > | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > /usr/include/openssl/sha.h:74:27: note: declared here > 74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c, > | ^~~~~~~~~~~~~ > ../src/libcamera/pub_key.cpp:103:21: error: ‘int SHA256_Final(unsigned > char*, SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 > [-Werror=deprecated-declarations] > 103 | SHA256_Final(digest, &ctx); > | ~~~~~~~~~~~~^~~~~~~~~~~~~~ > /usr/include/openssl/sha.h:76:27: note: declared here > 76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, > SHA256_CTX *c); > | ^~~~~~~~~~~~ > ../src/libcamera/pub_key.cpp:106:29: error: ‘int RSA_verify(int, const > unsigned char*, unsigned int, const unsigned char*, unsigned int, > RSA*)’ is deprecated: Since OpenSSL 3.0 > [-Werror=deprecated-declarations] > 106 | int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, > | ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > 107 | sig.data(), sig.size(), pubkey_); > | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > /usr/include/openssl/rsa.h:351:27: note: declared here > 351 | OSSL_DEPRECATEDIN_3_0 int RSA_verify(int type, const unsigned char *m, > | ^~~~~~~~~~ > cc1plus: all warnings being treated as errors > > > + if (!pubkey_) > > + return; > > + > > + valid_ = true; > > +#elif HAVE_GNUTLS > > int ret = gnutls_pubkey_init(&pubkey_); > > if (ret < 0) > > return; > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > PubKey::~PubKey() > > { > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + RSA_free(pubkey_); > > +#elif HAVE_GNUTLS > > gnutls_pubkey_deinit(pubkey_); > > #endif > > } > > @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > > if (!valid_) > > return false; > > > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + /* Calculate the SHA256 digest of the data. */ > > + SHA256_CTX ctx; > > + SHA256_Init(&ctx); > > + SHA256_Update(&ctx, data.data(), data.size()); > > + > > + uint8_t digest[SHA256_DIGEST_LENGTH]; > > + SHA256_Final(digest, &ctx); > > + > > + /* Decrypt the signature and verify it matches the digest. */ > > + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, > > + sig.data(), sig.size(), pubkey_); > > + return ret == 1; > > +#elif HAVE_GNUTLS > > const gnutls_datum_t gnuTlsData{ > > const_cast<unsigned char *>(data.data()), > > static_cast<unsigned int>(data.size())
diff --git a/README.rst b/README.rst index 3606057ff706..e9dd4207ae55 100644 --- a/README.rst +++ b/README.rst @@ -61,7 +61,7 @@ for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 for IPA module signing: [recommended] - libgnutls28-dev openssl + Either libgnutls28-dev or libssl-dev, openssl Without IPA module signing, all IPA modules will be isolated in a separate process. This adds an unnecessary extra overhead at runtime. diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h index a22ba037cff6..ea7d9af84515 100644 --- a/include/libcamera/internal/pub_key.h +++ b/include/libcamera/internal/pub_key.h @@ -11,7 +11,9 @@ #include <libcamera/base/span.h> -#if HAVE_GNUTLS +#if HAVE_CRYPTO +struct rsa_st; +#elif HAVE_GNUTLS struct gnutls_pubkey_st; #endif @@ -28,7 +30,9 @@ public: private: bool valid_; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + struct rsa_st *pubkey_; +#elif HAVE_GNUTLS struct gnutls_pubkey_st *pubkey_; #endif }; diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index e144d4f9ae70..ce1f0f2f3ef6 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -65,14 +65,22 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = dependency('gnutls', required : false) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) -if libgnutls.found() +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. +libcrypto = dependency('gnutls', required : false) +if libcrypto.found() config_h.set('HAVE_GNUTLS', 1) else - warning('gnutls not found, all IPA modules will be isolated') + libcrypto = dependency('libcrypto', required : false) + if libcrypto.found() + config_h.set('HAVE_CRYPTO', 1) + endif +endif + +if not libcrypto.found() + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') endif if liblttng.found() @@ -137,8 +145,8 @@ libcamera_deps = [ libatomic, libcamera_base, libcamera_base_private, + libcrypto, libdl, - libgnutls, liblttng, libudev, libyaml, diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index b2045a103bc0..723f311b91a2 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp @@ -7,7 +7,12 @@ #include "libcamera/internal/pub_key.h" -#if HAVE_GNUTLS +#if HAVE_CRYPTO +#include <openssl/bio.h> +#include <openssl/rsa.h> +#include <openssl/ssl.h> +#include <openssl/x509.h> +#elif HAVE_GNUTLS #include <gnutls/abstract.h> #endif @@ -33,7 +38,14 @@ namespace libcamera { PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) : valid_(false) { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + const uint8_t *data = key.data(); + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); + if (!pubkey_) + return; + + valid_ = true; +#elif HAVE_GNUTLS int ret = gnutls_pubkey_init(&pubkey_); if (ret < 0) return; @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) PubKey::~PubKey() { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + RSA_free(pubkey_); +#elif HAVE_GNUTLS gnutls_pubkey_deinit(pubkey_); #endif } @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, if (!valid_) return false; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + /* Calculate the SHA256 digest of the data. */ + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, data.data(), data.size()); + + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256_Final(digest, &ctx); + + /* Decrypt the signature and verify it matches the digest. */ + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, + sig.data(), sig.size(), pubkey_); + return ret == 1; +#elif HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast<unsigned char *>(data.data()), static_cast<unsigned int>(data.size())
Support verify IPA signatures with openssl as an alternative to gnutls, to offer more flexibility in the selection of dependencies. Use gnutls by default, for no specific reason as both are equally well supported. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> --- README.rst | 2 +- include/libcamera/internal/pub_key.h | 8 +++++-- src/libcamera/meson.build | 16 +++++++++---- src/libcamera/pub_key.cpp | 35 ++++++++++++++++++++++++---- 4 files changed, 50 insertions(+), 11 deletions(-)