| Message ID | 20220808230833.16275-4-laurent.pinchart@ideasonboard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series |
|
| Related | show |
On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote: > Support verify IPA signatures with openssl as an alternative to gnutls, > to offer more flexibility in the selection of dependencies. Use gnutls > by default, for no specific reason as both are equally well supported. > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > --- > Changes since v1: > > - Don't use functions deprecated in OpenSSL 3.0 > --- > README.rst | 2 +- > include/libcamera/internal/pub_key.h | 8 +++-- > src/libcamera/meson.build | 10 ++++-- > src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++--- > 4 files changed, 57 insertions(+), 10 deletions(-) > > diff --git a/README.rst b/README.rst > index 77374c6a72b1..3bf4685b0e15 100644 > --- a/README.rst > +++ b/README.rst > @@ -61,7 +61,7 @@ for the libcamera core: [required] > libyaml-dev python3-yaml python3-ply python3-jinja2 > > for IPA module signing: [required] > - libgnutls28-dev openssl > + Either libgnutls28-dev or libssl-dev, openssl > > for improved debugging: [optional] > libdw-dev libunwind-dev > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > index a22ba037cff6..8653a912b2d5 100644 > --- a/include/libcamera/internal/pub_key.h > +++ b/include/libcamera/internal/pub_key.h > @@ -11,7 +11,9 @@ > > #include <libcamera/base/span.h> > > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > +struct evp_pkey_st; > +#elif HAVE_GNUTLS > struct gnutls_pubkey_st; > #endif > > @@ -28,7 +30,9 @@ public: > > private: > bool valid_; > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + struct evp_pkey_st *pubkey_; > +#elif HAVE_GNUTLS > struct gnutls_pubkey_st *pubkey_; > #endif > }; > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > index 7cc06de4aedc..401fc498cfbc 100644 > --- a/src/libcamera/meson.build > +++ b/src/libcamera/meson.build > @@ -65,12 +65,16 @@ subdir('pipeline') > subdir('proxy') > > libdl = cc.find_library('dl') > -libgnutls = dependency('gnutls', required : true) > libudev = dependency('libudev', required : false) > libyaml = dependency('yaml-0.1', required : false) > > -if libgnutls.found() > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > +libcrypto = dependency('gnutls2', required : false) This should have been libcrypto = dependency('gnutls', required : false) It was a test left-over, sorry. > +if libcrypto.found() > config_h.set('HAVE_GNUTLS', 1) > +else > + libcrypto = dependency('libcrypto', required : true) > + config_h.set('HAVE_CRYPTO', 1) > endif > > if liblttng.found() > @@ -135,8 +139,8 @@ libcamera_deps = [ > libatomic, > libcamera_base, > libcamera_base_private, > + libcrypto, > libdl, > - libgnutls, > liblttng, > libudev, > libyaml, > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > index b2045a103bc0..64dfa23497c2 100644 > --- a/src/libcamera/pub_key.cpp > +++ b/src/libcamera/pub_key.cpp > @@ -7,7 +7,12 @@ > > #include "libcamera/internal/pub_key.h" > > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > +#include <openssl/evp.h> > +#include <openssl/rsa.h> > +#include <openssl/sha.h> > +#include <openssl/x509.h> > +#elif HAVE_GNUTLS > #include <gnutls/abstract.h> > #endif > > @@ -33,7 +38,14 @@ namespace libcamera { > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > : valid_(false) > { > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + const uint8_t *data = key.data(); > + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); > + if (!pubkey_) > + return; > + > + valid_ = true; > +#elif HAVE_GNUTLS > int ret = gnutls_pubkey_init(&pubkey_); > if (ret < 0) > return; > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > PubKey::~PubKey() > { > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + EVP_PKEY_free(pubkey_); > +#elif HAVE_GNUTLS > gnutls_pubkey_deinit(pubkey_); > #endif > } > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > if (!valid_) > return false; > > -#if HAVE_GNUTLS > +#if HAVE_CRYPTO > + /* > + * Create and initialize a public key algorithm context for signature > + * verification. > + */ > + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); > + if (!ctx) > + return false; > + > + if (EVP_PKEY_verify_init(ctx) <= 0 || > + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || > + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { > + EVP_PKEY_CTX_free(ctx); > + return false; > + } > + > + /* Calculate the SHA256 digest of the data. */ > + uint8_t digest[SHA256_DIGEST_LENGTH]; > + SHA256(data.data(), data.size(), digest); > + > + /* Decrypt the signature and verify it matches the digest. */ > + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, > + SHA256_DIGEST_LENGTH); > + EVP_PKEY_CTX_free(ctx); > + return ret == 1; > +#elif HAVE_GNUTLS > const gnutls_datum_t gnuTlsData{ > const_cast<unsigned char *>(data.data()), > static_cast<unsigned int>(data.size())
On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel <libcamera-devel@lists.libcamera.org> wrote: > > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote: > > Support verify IPA signatures with openssl as an alternative to gnutls, > > to offer more flexibility in the selection of dependencies. Use gnutls > > by default, for no specific reason as both are equally well supported. > > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > --- > > Changes since v1: > > > > - Don't use functions deprecated in OpenSSL 3.0 > > --- > > README.rst | 2 +- > > include/libcamera/internal/pub_key.h | 8 +++-- > > src/libcamera/meson.build | 10 ++++-- > > src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++--- > > 4 files changed, 57 insertions(+), 10 deletions(-) > > > > diff --git a/README.rst b/README.rst > > index 77374c6a72b1..3bf4685b0e15 100644 > > --- a/README.rst > > +++ b/README.rst > > @@ -61,7 +61,7 @@ for the libcamera core: [required] > > libyaml-dev python3-yaml python3-ply python3-jinja2 > > > > for IPA module signing: [required] > > - libgnutls28-dev openssl > > + Either libgnutls28-dev or libssl-dev, openssl > > > > for improved debugging: [optional] > > libdw-dev libunwind-dev > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > > index a22ba037cff6..8653a912b2d5 100644 > > --- a/include/libcamera/internal/pub_key.h > > +++ b/include/libcamera/internal/pub_key.h > > @@ -11,7 +11,9 @@ > > > > #include <libcamera/base/span.h> > > > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > +struct evp_pkey_st; > > +#elif HAVE_GNUTLS > > struct gnutls_pubkey_st; > > #endif > > > > @@ -28,7 +30,9 @@ public: > > > > private: > > bool valid_; > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + struct evp_pkey_st *pubkey_; > > +#elif HAVE_GNUTLS > > struct gnutls_pubkey_st *pubkey_; > > #endif > > }; > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > index 7cc06de4aedc..401fc498cfbc 100644 > > --- a/src/libcamera/meson.build > > +++ b/src/libcamera/meson.build > > @@ -65,12 +65,16 @@ subdir('pipeline') > > subdir('proxy') > > > > libdl = cc.find_library('dl') > > -libgnutls = dependency('gnutls', required : true) > > libudev = dependency('libudev', required : false) > > libyaml = dependency('yaml-0.1', required : false) > > > > -if libgnutls.found() > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > > +libcrypto = dependency('gnutls2', required : false) > > This should have been > > libcrypto = dependency('gnutls', required : false) > With this change: Reviewed-by: Eric Curtin <ecurtin@redhat.com> > It was a test left-over, sorry. > > > +if libcrypto.found() > > config_h.set('HAVE_GNUTLS', 1) > > +else > > + libcrypto = dependency('libcrypto', required : true) > > + config_h.set('HAVE_CRYPTO', 1) > > endif > > > > if liblttng.found() > > @@ -135,8 +139,8 @@ libcamera_deps = [ > > libatomic, > > libcamera_base, > > libcamera_base_private, > > + libcrypto, > > libdl, > > - libgnutls, > > liblttng, > > libudev, > > libyaml, > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > > index b2045a103bc0..64dfa23497c2 100644 > > --- a/src/libcamera/pub_key.cpp > > +++ b/src/libcamera/pub_key.cpp > > @@ -7,7 +7,12 @@ > > > > #include "libcamera/internal/pub_key.h" > > > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > +#include <openssl/evp.h> > > +#include <openssl/rsa.h> > > +#include <openssl/sha.h> > > +#include <openssl/x509.h> > > +#elif HAVE_GNUTLS > > #include <gnutls/abstract.h> > > #endif > > > > @@ -33,7 +38,14 @@ namespace libcamera { > > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > : valid_(false) > > { > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + const uint8_t *data = key.data(); > > + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); > > + if (!pubkey_) > > + return; > > + > > + valid_ = true; > > +#elif HAVE_GNUTLS > > int ret = gnutls_pubkey_init(&pubkey_); > > if (ret < 0) > > return; > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > PubKey::~PubKey() > > { > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + EVP_PKEY_free(pubkey_); > > +#elif HAVE_GNUTLS > > gnutls_pubkey_deinit(pubkey_); > > #endif > > } > > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > > if (!valid_) > > return false; > > > > -#if HAVE_GNUTLS > > +#if HAVE_CRYPTO > > + /* > > + * Create and initialize a public key algorithm context for signature > > + * verification. > > + */ > > + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); > > + if (!ctx) > > + return false; > > + > > + if (EVP_PKEY_verify_init(ctx) <= 0 || > > + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || > > + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { > > + EVP_PKEY_CTX_free(ctx); > > + return false; > > + } > > + > > + /* Calculate the SHA256 digest of the data. */ > > + uint8_t digest[SHA256_DIGEST_LENGTH]; > > + SHA256(data.data(), data.size(), digest); > > + > > + /* Decrypt the signature and verify it matches the digest. */ > > + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, > > + SHA256_DIGEST_LENGTH); > > + EVP_PKEY_CTX_free(ctx); > > + return ret == 1; > > +#elif HAVE_GNUTLS > > const gnutls_datum_t gnuTlsData{ > > const_cast<unsigned char *>(data.data()), > > static_cast<unsigned int>(data.size()) > > -- > Regards, > > Laurent Pinchart >
Quoting Eric Curtin via libcamera-devel (2022-08-09 11:46:09) > On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel > <libcamera-devel@lists.libcamera.org> wrote: > > > > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote: > > > Support verify IPA signatures with openssl as an alternative to gnutls, > > > to offer more flexibility in the selection of dependencies. Use gnutls > > > by default, for no specific reason as both are equally well supported. > > > > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > > --- > > > Changes since v1: > > > > > > - Don't use functions deprecated in OpenSSL 3.0 > > > --- > > > README.rst | 2 +- > > > include/libcamera/internal/pub_key.h | 8 +++-- > > > src/libcamera/meson.build | 10 ++++-- > > > src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++--- > > > 4 files changed, 57 insertions(+), 10 deletions(-) > > > > > > diff --git a/README.rst b/README.rst > > > index 77374c6a72b1..3bf4685b0e15 100644 > > > --- a/README.rst > > > +++ b/README.rst > > > @@ -61,7 +61,7 @@ for the libcamera core: [required] > > > libyaml-dev python3-yaml python3-ply python3-jinja2 > > > > > > for IPA module signing: [required] > > > - libgnutls28-dev openssl > > > + Either libgnutls28-dev or libssl-dev, openssl > > > > > > for improved debugging: [optional] > > > libdw-dev libunwind-dev > > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > > > index a22ba037cff6..8653a912b2d5 100644 > > > --- a/include/libcamera/internal/pub_key.h > > > +++ b/include/libcamera/internal/pub_key.h > > > @@ -11,7 +11,9 @@ > > > > > > #include <libcamera/base/span.h> > > > > > > -#if HAVE_GNUTLS > > > +#if HAVE_CRYPTO > > > +struct evp_pkey_st; > > > +#elif HAVE_GNUTLS > > > struct gnutls_pubkey_st; > > > #endif > > > > > > @@ -28,7 +30,9 @@ public: > > > > > > private: > > > bool valid_; > > > -#if HAVE_GNUTLS > > > +#if HAVE_CRYPTO > > > + struct evp_pkey_st *pubkey_; > > > +#elif HAVE_GNUTLS > > > struct gnutls_pubkey_st *pubkey_; > > > #endif > > > }; > > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > > index 7cc06de4aedc..401fc498cfbc 100644 > > > --- a/src/libcamera/meson.build > > > +++ b/src/libcamera/meson.build > > > @@ -65,12 +65,16 @@ subdir('pipeline') > > > subdir('proxy') > > > > > > libdl = cc.find_library('dl') > > > -libgnutls = dependency('gnutls', required : true) > > > libudev = dependency('libudev', required : false) > > > libyaml = dependency('yaml-0.1', required : false) > > > > > > -if libgnutls.found() > > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > > > +libcrypto = dependency('gnutls2', required : false) > > > > This should have been > > > > libcrypto = dependency('gnutls', required : false) I'm a bit bemused by this, as gnutls != libcrypto? But I see it's just to be able to reference a single dep variable. > > > > With this change: > > Reviewed-by: Eric Curtin <ecurtin@redhat.com> > > > It was a test left-over, sorry. > > > > > +if libcrypto.found() > > > config_h.set('HAVE_GNUTLS', 1) > > > +else > > > + libcrypto = dependency('libcrypto', required : true) > > > + config_h.set('HAVE_CRYPTO', 1) and at this point, libcrypto is either of gnutls, or libcrypto. I don't have anything much better to offer as an alternative so lets carry on. Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com> > > > endif > > > > > > if liblttng.found() > > > @@ -135,8 +139,8 @@ libcamera_deps = [ > > > libatomic, > > > libcamera_base, > > > libcamera_base_private, > > > + libcrypto, > > > libdl, > > > - libgnutls, > > > liblttng, > > > libudev, > > > libyaml, > > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > > > index b2045a103bc0..64dfa23497c2 100644 > > > --- a/src/libcamera/pub_key.cpp > > > +++ b/src/libcamera/pub_key.cpp > > > @@ -7,7 +7,12 @@ > > > > > > #include "libcamera/internal/pub_key.h" > > > > > > -#if HAVE_GNUTLS > > > +#if HAVE_CRYPTO > > > +#include <openssl/evp.h> > > > +#include <openssl/rsa.h> > > > +#include <openssl/sha.h> > > > +#include <openssl/x509.h> > > > +#elif HAVE_GNUTLS > > > #include <gnutls/abstract.h> > > > #endif > > > > > > @@ -33,7 +38,14 @@ namespace libcamera { > > > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > : valid_(false) > > > { > > > -#if HAVE_GNUTLS > > > +#if HAVE_CRYPTO > > > + const uint8_t *data = key.data(); > > > + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); > > > + if (!pubkey_) > > > + return; > > > + > > > + valid_ = true; > > > +#elif HAVE_GNUTLS > > > int ret = gnutls_pubkey_init(&pubkey_); > > > if (ret < 0) > > > return; > > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > > > PubKey::~PubKey() > > > { > > > -#if HAVE_GNUTLS > > > +#if HAVE_CRYPTO > > > + EVP_PKEY_free(pubkey_); > > > +#elif HAVE_GNUTLS > > > gnutls_pubkey_deinit(pubkey_); > > > #endif > > > } > > > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > > > if (!valid_) > > > return false; > > > > > > -#if HAVE_GNUTLS > > > +#if HAVE_CRYPTO > > > + /* > > > + * Create and initialize a public key algorithm context for signature > > > + * verification. > > > + */ > > > + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); > > > + if (!ctx) > > > + return false; > > > + > > > + if (EVP_PKEY_verify_init(ctx) <= 0 || > > > + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || > > > + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { > > > + EVP_PKEY_CTX_free(ctx); > > > + return false; > > > + } > > > + > > > + /* Calculate the SHA256 digest of the data. */ > > > + uint8_t digest[SHA256_DIGEST_LENGTH]; > > > + SHA256(data.data(), data.size(), digest); > > > + > > > + /* Decrypt the signature and verify it matches the digest. */ > > > + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, > > > + SHA256_DIGEST_LENGTH); > > > + EVP_PKEY_CTX_free(ctx); > > > + return ret == 1; > > > +#elif HAVE_GNUTLS > > > const gnutls_datum_t gnuTlsData{ > > > const_cast<unsigned char *>(data.data()), > > > static_cast<unsigned int>(data.size()) > > > > -- > > Regards, > > > > Laurent Pinchart > > >
On Tue, 9 Aug 2022 at 13:24, Kieran Bingham <kieran.bingham@ideasonboard.com> wrote: > > Quoting Eric Curtin via libcamera-devel (2022-08-09 11:46:09) > > On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel > > <libcamera-devel@lists.libcamera.org> wrote: > > > > > > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote: > > > > Support verify IPA signatures with openssl as an alternative to gnutls, > > > > to offer more flexibility in the selection of dependencies. Use gnutls > > > > by default, for no specific reason as both are equally well supported. > > > > > > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > > > --- > > > > Changes since v1: > > > > > > > > - Don't use functions deprecated in OpenSSL 3.0 > > > > --- > > > > README.rst | 2 +- > > > > include/libcamera/internal/pub_key.h | 8 +++-- > > > > src/libcamera/meson.build | 10 ++++-- > > > > src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++--- > > > > 4 files changed, 57 insertions(+), 10 deletions(-) > > > > > > > > diff --git a/README.rst b/README.rst > > > > index 77374c6a72b1..3bf4685b0e15 100644 > > > > --- a/README.rst > > > > +++ b/README.rst > > > > @@ -61,7 +61,7 @@ for the libcamera core: [required] > > > > libyaml-dev python3-yaml python3-ply python3-jinja2 > > > > > > > > for IPA module signing: [required] > > > > - libgnutls28-dev openssl > > > > + Either libgnutls28-dev or libssl-dev, openssl > > > > > > > > for improved debugging: [optional] > > > > libdw-dev libunwind-dev > > > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > > > > index a22ba037cff6..8653a912b2d5 100644 > > > > --- a/include/libcamera/internal/pub_key.h > > > > +++ b/include/libcamera/internal/pub_key.h > > > > @@ -11,7 +11,9 @@ > > > > > > > > #include <libcamera/base/span.h> > > > > > > > > -#if HAVE_GNUTLS > > > > +#if HAVE_CRYPTO > > > > +struct evp_pkey_st; > > > > +#elif HAVE_GNUTLS > > > > struct gnutls_pubkey_st; > > > > #endif > > > > > > > > @@ -28,7 +30,9 @@ public: > > > > > > > > private: > > > > bool valid_; > > > > -#if HAVE_GNUTLS > > > > +#if HAVE_CRYPTO > > > > + struct evp_pkey_st *pubkey_; > > > > +#elif HAVE_GNUTLS > > > > struct gnutls_pubkey_st *pubkey_; > > > > #endif > > > > }; > > > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > > > index 7cc06de4aedc..401fc498cfbc 100644 > > > > --- a/src/libcamera/meson.build > > > > +++ b/src/libcamera/meson.build > > > > @@ -65,12 +65,16 @@ subdir('pipeline') > > > > subdir('proxy') > > > > > > > > libdl = cc.find_library('dl') > > > > -libgnutls = dependency('gnutls', required : true) > > > > libudev = dependency('libudev', required : false) > > > > libyaml = dependency('yaml-0.1', required : false) > > > > > > > > -if libgnutls.found() > > > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > > > > +libcrypto = dependency('gnutls2', required : false) > > > > > > This should have been > > > > > > libcrypto = dependency('gnutls', required : false) > > I'm a bit bemused by this, as gnutls != libcrypto? I was briefly bemused as when I saw libcrypto here, I normally automatically assume the openssl one because that's what it's called. But they are both cryptographic libraries so I get the context here. > > But I see it's just to be able to reference a single dep variable. > > > > > > > > > With this change: > > > > Reviewed-by: Eric Curtin <ecurtin@redhat.com> > > > > > It was a test left-over, sorry. > > > > > > > +if libcrypto.found() > > > > config_h.set('HAVE_GNUTLS', 1) > > > > +else > > > > + libcrypto = dependency('libcrypto', required : true) > > > > + config_h.set('HAVE_CRYPTO', 1) > > and at this point, libcrypto is either of gnutls, or libcrypto. > > I don't have anything much better to offer as an alternative so lets > carry on. > > > Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com> > > > > > endif > > > > > > > > if liblttng.found() > > > > @@ -135,8 +139,8 @@ libcamera_deps = [ > > > > libatomic, > > > > libcamera_base, > > > > libcamera_base_private, > > > > + libcrypto, > > > > libdl, > > > > - libgnutls, > > > > liblttng, > > > > libudev, > > > > libyaml, > > > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > > > > index b2045a103bc0..64dfa23497c2 100644 > > > > --- a/src/libcamera/pub_key.cpp > > > > +++ b/src/libcamera/pub_key.cpp > > > > @@ -7,7 +7,12 @@ > > > > > > > > #include "libcamera/internal/pub_key.h" > > > > > > > > -#if HAVE_GNUTLS > > > > +#if HAVE_CRYPTO > > > > +#include <openssl/evp.h> > > > > +#include <openssl/rsa.h> > > > > +#include <openssl/sha.h> > > > > +#include <openssl/x509.h> > > > > +#elif HAVE_GNUTLS > > > > #include <gnutls/abstract.h> > > > > #endif > > > > > > > > @@ -33,7 +38,14 @@ namespace libcamera { > > > > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > : valid_(false) > > > > { > > > > -#if HAVE_GNUTLS > > > > +#if HAVE_CRYPTO > > > > + const uint8_t *data = key.data(); > > > > + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); > > > > + if (!pubkey_) > > > > + return; > > > > + > > > > + valid_ = true; > > > > +#elif HAVE_GNUTLS > > > > int ret = gnutls_pubkey_init(&pubkey_); > > > > if (ret < 0) > > > > return; > > > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > > > > > PubKey::~PubKey() > > > > { > > > > -#if HAVE_GNUTLS > > > > +#if HAVE_CRYPTO > > > > + EVP_PKEY_free(pubkey_); > > > > +#elif HAVE_GNUTLS > > > > gnutls_pubkey_deinit(pubkey_); > > > > #endif > > > > } > > > > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > > > > if (!valid_) > > > > return false; > > > > > > > > -#if HAVE_GNUTLS > > > > +#if HAVE_CRYPTO > > > > + /* > > > > + * Create and initialize a public key algorithm context for signature > > > > + * verification. > > > > + */ > > > > + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); > > > > + if (!ctx) > > > > + return false; > > > > + > > > > + if (EVP_PKEY_verify_init(ctx) <= 0 || > > > > + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || > > > > + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { > > > > + EVP_PKEY_CTX_free(ctx); > > > > + return false; > > > > + } > > > > + > > > > + /* Calculate the SHA256 digest of the data. */ > > > > + uint8_t digest[SHA256_DIGEST_LENGTH]; > > > > + SHA256(data.data(), data.size(), digest); > > > > + > > > > + /* Decrypt the signature and verify it matches the digest. */ > > > > + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, > > > > + SHA256_DIGEST_LENGTH); > > > > + EVP_PKEY_CTX_free(ctx); > > > > + return ret == 1; > > > > +#elif HAVE_GNUTLS > > > > const gnutls_datum_t gnuTlsData{ > > > > const_cast<unsigned char *>(data.data()), > > > > static_cast<unsigned int>(data.size()) > > > > > > -- > > > Regards, > > > > > > Laurent Pinchart > > > > > >
On Tue, Aug 09, 2022 at 01:37:51PM +0100, Eric Curtin wrote: > On Tue, 9 Aug 2022 at 13:24, Kieran Bingham wrote: > > Quoting Eric Curtin via libcamera-devel (2022-08-09 11:46:09) > > > On Tue, 9 Aug 2022 at 00:18, Laurent Pinchart via libcamera-devel wrote: > > > > On Tue, Aug 09, 2022 at 02:08:32AM +0300, Laurent Pinchart via libcamera-devel wrote: > > > > > Support verify IPA signatures with openssl as an alternative to gnutls, > > > > > to offer more flexibility in the selection of dependencies. Use gnutls > > > > > by default, for no specific reason as both are equally well supported. > > > > > > > > > > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > > > > --- > > > > > Changes since v1: > > > > > > > > > > - Don't use functions deprecated in OpenSSL 3.0 > > > > > --- > > > > > README.rst | 2 +- > > > > > include/libcamera/internal/pub_key.h | 8 +++-- > > > > > src/libcamera/meson.build | 10 ++++-- > > > > > src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++--- > > > > > 4 files changed, 57 insertions(+), 10 deletions(-) > > > > > > > > > > diff --git a/README.rst b/README.rst > > > > > index 77374c6a72b1..3bf4685b0e15 100644 > > > > > --- a/README.rst > > > > > +++ b/README.rst > > > > > @@ -61,7 +61,7 @@ for the libcamera core: [required] > > > > > libyaml-dev python3-yaml python3-ply python3-jinja2 > > > > > > > > > > for IPA module signing: [required] > > > > > - libgnutls28-dev openssl > > > > > + Either libgnutls28-dev or libssl-dev, openssl > > > > > > > > > > for improved debugging: [optional] > > > > > libdw-dev libunwind-dev > > > > > diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h > > > > > index a22ba037cff6..8653a912b2d5 100644 > > > > > --- a/include/libcamera/internal/pub_key.h > > > > > +++ b/include/libcamera/internal/pub_key.h > > > > > @@ -11,7 +11,9 @@ > > > > > > > > > > #include <libcamera/base/span.h> > > > > > > > > > > -#if HAVE_GNUTLS > > > > > +#if HAVE_CRYPTO > > > > > +struct evp_pkey_st; > > > > > +#elif HAVE_GNUTLS > > > > > struct gnutls_pubkey_st; > > > > > #endif > > > > > > > > > > @@ -28,7 +30,9 @@ public: > > > > > > > > > > private: > > > > > bool valid_; > > > > > -#if HAVE_GNUTLS > > > > > +#if HAVE_CRYPTO > > > > > + struct evp_pkey_st *pubkey_; > > > > > +#elif HAVE_GNUTLS > > > > > struct gnutls_pubkey_st *pubkey_; > > > > > #endif > > > > > }; > > > > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > > > > index 7cc06de4aedc..401fc498cfbc 100644 > > > > > --- a/src/libcamera/meson.build > > > > > +++ b/src/libcamera/meson.build > > > > > @@ -65,12 +65,16 @@ subdir('pipeline') > > > > > subdir('proxy') > > > > > > > > > > libdl = cc.find_library('dl') > > > > > -libgnutls = dependency('gnutls', required : true) > > > > > libudev = dependency('libudev', required : false) > > > > > libyaml = dependency('yaml-0.1', required : false) > > > > > > > > > > -if libgnutls.found() > > > > > +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. > > > > > +libcrypto = dependency('gnutls2', required : false) > > > > > > > > This should have been > > > > > > > > libcrypto = dependency('gnutls', required : false) > > > > I'm a bit bemused by this, as gnutls != libcrypto? > > I was briefly bemused as when I saw libcrypto here, I normally > automatically assume the openssl one because that's what it's called. > But they are both cryptographic libraries so I get the context here. That's the idea, yes. It was too late in the night to think of a better name, so I decided to see if someone could think of a better alternative name during review :-) Let's keep it as-is for now, we can address that later if needed. > > But I see it's just to be able to reference a single dep variable. > > > > > With this change: > > > > > > Reviewed-by: Eric Curtin <ecurtin@redhat.com> > > > > > > > It was a test left-over, sorry. > > > > > > > > > +if libcrypto.found() > > > > > config_h.set('HAVE_GNUTLS', 1) > > > > > +else > > > > > + libcrypto = dependency('libcrypto', required : true) > > > > > + config_h.set('HAVE_CRYPTO', 1) > > > > and at this point, libcrypto is either of gnutls, or libcrypto. > > > > I don't have anything much better to offer as an alternative so lets > > carry on. > > > > Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com> > > > > > > > endif > > > > > > > > > > if liblttng.found() > > > > > @@ -135,8 +139,8 @@ libcamera_deps = [ > > > > > libatomic, > > > > > libcamera_base, > > > > > libcamera_base_private, > > > > > + libcrypto, > > > > > libdl, > > > > > - libgnutls, > > > > > liblttng, > > > > > libudev, > > > > > libyaml, > > > > > diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp > > > > > index b2045a103bc0..64dfa23497c2 100644 > > > > > --- a/src/libcamera/pub_key.cpp > > > > > +++ b/src/libcamera/pub_key.cpp > > > > > @@ -7,7 +7,12 @@ > > > > > > > > > > #include "libcamera/internal/pub_key.h" > > > > > > > > > > -#if HAVE_GNUTLS > > > > > +#if HAVE_CRYPTO > > > > > +#include <openssl/evp.h> > > > > > +#include <openssl/rsa.h> > > > > > +#include <openssl/sha.h> > > > > > +#include <openssl/x509.h> > > > > > +#elif HAVE_GNUTLS > > > > > #include <gnutls/abstract.h> > > > > > #endif > > > > > > > > > > @@ -33,7 +38,14 @@ namespace libcamera { > > > > > PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > > : valid_(false) > > > > > { > > > > > -#if HAVE_GNUTLS > > > > > +#if HAVE_CRYPTO > > > > > + const uint8_t *data = key.data(); > > > > > + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); > > > > > + if (!pubkey_) > > > > > + return; > > > > > + > > > > > + valid_ = true; > > > > > +#elif HAVE_GNUTLS > > > > > int ret = gnutls_pubkey_init(&pubkey_); > > > > > if (ret < 0) > > > > > return; > > > > > @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) > > > > > > > > > > PubKey::~PubKey() > > > > > { > > > > > -#if HAVE_GNUTLS > > > > > +#if HAVE_CRYPTO > > > > > + EVP_PKEY_free(pubkey_); > > > > > +#elif HAVE_GNUTLS > > > > > gnutls_pubkey_deinit(pubkey_); > > > > > #endif > > > > > } > > > > > @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, > > > > > if (!valid_) > > > > > return false; > > > > > > > > > > -#if HAVE_GNUTLS > > > > > +#if HAVE_CRYPTO > > > > > + /* > > > > > + * Create and initialize a public key algorithm context for signature > > > > > + * verification. > > > > > + */ > > > > > + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); > > > > > + if (!ctx) > > > > > + return false; > > > > > + > > > > > + if (EVP_PKEY_verify_init(ctx) <= 0 || > > > > > + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || > > > > > + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { > > > > > + EVP_PKEY_CTX_free(ctx); > > > > > + return false; > > > > > + } > > > > > + > > > > > + /* Calculate the SHA256 digest of the data. */ > > > > > + uint8_t digest[SHA256_DIGEST_LENGTH]; > > > > > + SHA256(data.data(), data.size(), digest); > > > > > + > > > > > + /* Decrypt the signature and verify it matches the digest. */ > > > > > + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, > > > > > + SHA256_DIGEST_LENGTH); > > > > > + EVP_PKEY_CTX_free(ctx); > > > > > + return ret == 1; > > > > > +#elif HAVE_GNUTLS > > > > > const gnutls_datum_t gnuTlsData{ > > > > > const_cast<unsigned char *>(data.data()), > > > > > static_cast<unsigned int>(data.size())
diff --git a/README.rst b/README.rst index 77374c6a72b1..3bf4685b0e15 100644 --- a/README.rst +++ b/README.rst @@ -61,7 +61,7 @@ for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 for IPA module signing: [required] - libgnutls28-dev openssl + Either libgnutls28-dev or libssl-dev, openssl for improved debugging: [optional] libdw-dev libunwind-dev diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h index a22ba037cff6..8653a912b2d5 100644 --- a/include/libcamera/internal/pub_key.h +++ b/include/libcamera/internal/pub_key.h @@ -11,7 +11,9 @@ #include <libcamera/base/span.h> -#if HAVE_GNUTLS +#if HAVE_CRYPTO +struct evp_pkey_st; +#elif HAVE_GNUTLS struct gnutls_pubkey_st; #endif @@ -28,7 +30,9 @@ public: private: bool valid_; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + struct evp_pkey_st *pubkey_; +#elif HAVE_GNUTLS struct gnutls_pubkey_st *pubkey_; #endif }; diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index 7cc06de4aedc..401fc498cfbc 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -65,12 +65,16 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = dependency('gnutls', required : true) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) -if libgnutls.found() +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. +libcrypto = dependency('gnutls2', required : false) +if libcrypto.found() config_h.set('HAVE_GNUTLS', 1) +else + libcrypto = dependency('libcrypto', required : true) + config_h.set('HAVE_CRYPTO', 1) endif if liblttng.found() @@ -135,8 +139,8 @@ libcamera_deps = [ libatomic, libcamera_base, libcamera_base_private, + libcrypto, libdl, - libgnutls, liblttng, libudev, libyaml, diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index b2045a103bc0..64dfa23497c2 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp @@ -7,7 +7,12 @@ #include "libcamera/internal/pub_key.h" -#if HAVE_GNUTLS +#if HAVE_CRYPTO +#include <openssl/evp.h> +#include <openssl/rsa.h> +#include <openssl/sha.h> +#include <openssl/x509.h> +#elif HAVE_GNUTLS #include <gnutls/abstract.h> #endif @@ -33,7 +38,14 @@ namespace libcamera { PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) : valid_(false) { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + const uint8_t *data = key.data(); + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); + if (!pubkey_) + return; + + valid_ = true; +#elif HAVE_GNUTLS int ret = gnutls_pubkey_init(&pubkey_); if (ret < 0) return; @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key) PubKey::~PubKey() { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + EVP_PKEY_free(pubkey_); +#elif HAVE_GNUTLS gnutls_pubkey_deinit(pubkey_); #endif } @@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data, if (!valid_) return false; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + /* + * Create and initialize a public key algorithm context for signature + * verification. + */ + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); + if (!ctx) + return false; + + if (EVP_PKEY_verify_init(ctx) <= 0 || + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { + EVP_PKEY_CTX_free(ctx); + return false; + } + + /* Calculate the SHA256 digest of the data. */ + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256(data.data(), data.size(), digest); + + /* Decrypt the signature and verify it matches the digest. */ + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, + SHA256_DIGEST_LENGTH); + EVP_PKEY_CTX_free(ctx); + return ret == 1; +#elif HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast<unsigned char *>(data.data()), static_cast<unsigned int>(data.size())
Support verify IPA signatures with openssl as an alternative to gnutls, to offer more flexibility in the selection of dependencies. Use gnutls by default, for no specific reason as both are equally well supported. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> --- Changes since v1: - Don't use functions deprecated in OpenSSL 3.0 --- README.rst | 2 +- include/libcamera/internal/pub_key.h | 8 +++-- src/libcamera/meson.build | 10 ++++-- src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++--- 4 files changed, 57 insertions(+), 10 deletions(-)