From patchwork Sun Aug 7 02:14:56 2022
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 17003
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 7 Aug 2022 05:14:56 +0300
Message-Id: <20220807021456.9578-6-laurent.pinchart@ideasonboard.com>
In-Reply-To: <20220807021456.9578-1-laurent.pinchart@ideasonboard.com>
References: <20220807021456.9578-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support openssl as an alternative to gnutls

Support verifying IPA signatures with openssl as an alternative to gnutls, to offer more flexibility in the selection of dependencies. Use gnutls by default, for no specific reason as both are equally well supported.

Signed-off-by: Laurent Pinchart
---
 README.rst                           |  2 +-
 include/libcamera/internal/pub_key.h |  8 +++++--
 src/libcamera/meson.build            | 16 +++++++++----
 src/libcamera/pub_key.cpp            | 35 ++++++++++++++++++++++++----
 4 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/README.rst b/README.rst index 3606057ff706..e9dd4207ae55 100644 --- a/README.rst +++ b/README.rst 
@@ -61,7 +61,7 @@ for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 for IPA module signing: [recommended] - libgnutls28-dev openssl + Either libgnutls28-dev or libssl-dev, openssl Without IPA module signing, all IPA modules will be isolated in a separate process. This adds an unnecessary extra overhead at runtime. diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h index a22ba037cff6..ea7d9af84515 100644 --- a/include/libcamera/internal/pub_key.h +++ b/include/libcamera/internal/pub_key.h @@ -11,7 +11,9 @@ #include -#if HAVE_GNUTLS +#if HAVE_CRYPTO +struct rsa_st; +#elif HAVE_GNUTLS struct gnutls_pubkey_st; #endif @@ -28,7 +30,9 @@ public: private: bool valid_; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + struct rsa_st *pubkey_; +#elif HAVE_GNUTLS struct gnutls_pubkey_st *pubkey_; #endif }; diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index e144d4f9ae70..ce1f0f2f3ef6 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -65,14 +65,22 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = dependency('gnutls', required : false) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) -if libgnutls.found() +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. +libcrypto = dependency('gnutls', required : false) +if libcrypto.found() config_h.set('HAVE_GNUTLS', 1) else - warning('gnutls not found, all IPA modules will be isolated') + libcrypto = dependency('libcrypto', required : false) + if libcrypto.found() + config_h.set('HAVE_CRYPTO', 1) + endif +endif + +if not libcrypto.found() + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') endif if liblttng.found() @@ -137,8 +145,8 @@ libcamera_deps = [ libatomic, libcamera_base, libcamera_base_private, + libcrypto, libdl, - libgnutls, liblttng, libudev, libyaml, 
diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index b2045a103bc0..723f311b91a2 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp @@ -7,7 +7,12 @@ #include "libcamera/internal/pub_key.h" -#if HAVE_GNUTLS +#if HAVE_CRYPTO +#include +#include +#include +#include +#elif HAVE_GNUTLS #include #endif @@ -33,7 +38,14 @@ namespace libcamera { PubKey::PubKey([[maybe_unused]] Span key) : valid_(false) { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + const uint8_t *data = key.data(); + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); + if (!pubkey_) + return; + + valid_ = true; +#elif HAVE_GNUTLS int ret = gnutls_pubkey_init(&pubkey_); if (ret < 0) return; @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span key) PubKey::~PubKey() { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + RSA_free(pubkey_); +#elif HAVE_GNUTLS gnutls_pubkey_deinit(pubkey_); #endif } @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span data, if (!valid_) return false; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + /* Calculate the SHA256 digest of the data. */ + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, data.data(), data.size()); + + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256_Final(digest, &ctx); + + /* Decrypt the signature and verify it matches the digest. */ + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, + sig.data(), sig.size(), pubkey_); + return ret == 1; +#elif HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast(data.data()), static_cast(data.size())
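Review bot: in the README.rst hunk, the new line "Either libgnutls28-dev or libssl-dev, openssl" is ambiguous about whether openssl is part of the libssl-dev alternative or is needed in both configurations; since the line it replaces listed openssl next to libgnutls28-dev, it appears to be required regardless of which library is chosen. Suggest "libgnutls28-dev or libssl-dev, plus openssl", or two separate lines, one for the library choice and one for the openssl tool.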
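Review bot: in the src/libcamera/meson.build hunk, the dependency object is named libcrypto even when it actually holds gnutls (libcrypto = dependency('gnutls', required : false)), so the later "if not libcrypto.found()" and the libcrypto entry in libcamera_deps read as if OpenSSL were always the library in use. A neutral name such as ipa_sig_dep, or keeping separate libgnutls and libcrypto variables and appending whichever was found to libcamera_deps, would keep the intent clear. Also, only one of HAVE_GNUTLS and HAVE_CRYPTO is ever set in config_h, so the "#if HAVE_CRYPTO ... #elif HAVE_GNUTLS" chains in pub_key.h and pub_key.cpp evaluate an undefined macro on one branch; setting the unused one to 0 explicitly avoids -Wundef warnings if that flag is ever enabled.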
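Review bot: the HAVE_CRYPTO branches in the src/libcamera/pub_key.cpp hunks (constructor, destructor and verify) are built entirely on OpenSSL's low-level RSA and SHA256 APIs (d2i_RSA_PUBKEY, RSA_free, SHA256_Init/SHA256_Update/SHA256_Final, RSA_verify), all of which are deprecated as of OpenSSL 3.0 and produce deprecation warnings, so a -Werror build against OpenSSL 3 fails. Suggest the EVP layer instead: parse with d2i_PUBKEY() into an EVP_PKEY, free with EVP_PKEY_free(), and verify with EVP_DigestVerifyInit(ctx, nullptr, EVP_sha256(), nullptr, pkey) followed by EVP_DigestVerify(), which hashes the data and checks the PKCS#1 v1.5 signature in one step with the same semantics as RSA_verify(NID_sha256, ...); the matching change in the include/libcamera/internal/pub_key.h hunk is to forward-declare struct evp_pkey_st rather than struct rsa_st. Two smaller points in the verify hunk: the comment "Decrypt the signature and verify it matches the digest" is misleading, since RSA_verify performs a padded signature verification rather than a decryption; and nothing in the new path constrains the key size after parsing, so a check such as RSA_bits(pubkey_) against a minimum in the constructor (before setting valid_) would stop an undersized key from being accepted silently.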