[libcamera-devel] [PATCH] libcamera: pub_key: Support GNUTLS < v3
Laurent Pinchart
laurent.pinchart at ideasonboard.com
Mon Nov 9 12:36:09 CET 2020
Hi Kieran,
Thank you for the patch.
On Mon, Nov 09, 2020 at 10:51:59AM +0000, Kieran Bingham wrote:
> It has been reported that SailfishOS is packaged with an older GnuTLS
> library. Supporting GnuTLS < 3 appears to be trivial, but comes at the
> cost of using a #define to switch.
>
> Use a #define block to support older GnuTLS installations.
>
> Reported-by: Simon Schmeisser <mail_to_wrt at gmx.de>
> Suggested-by: Matti Lehtimaki <matti.lehtimaki at gmail.com>
> Signed-off-by: Kieran Bingham <kieran.bingham at ideasonboard.com>
> ---
> src/libcamera/pub_key.cpp | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> This was reported at [0], with a fix proposed at [1]
>
> [0] https://github.com/sailfish-on-dontbeevil/droid-config-pinephone/issues/55
> [1] https://git.sailfishos.org/mal/libcamera/blob/master/rpm/gnutls2.patch
>
> Alternatively we could just /require/ GnuTLS >= 3... but this seems
> fairly cheap.
It is. However, the latest version of gnutls 2.x appears to be 2.12.24,
released 4 years ago. For a crypto library, this seems a very big
security risk. Do we want to enable that ?
On a side note, I've been considering moving from gnutls to libnettle,
which is the library that gnutls uses as its crypto backend. -ENOTIME so
far.
> This patch is a simplified version of [1] (No need to check if we're
> __cplusplus, in a cpp file, but I haven't seen that this is needed
> either).
>
> I'd like to see Tested-by: tags on this before integration, as I have no
> way to verify it.
>
> diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp
> index 9bb08fda34af..857c395373ea 100644
> --- a/src/libcamera/pub_key.cpp
> +++ b/src/libcamera/pub_key.cpp
> @@ -8,7 +8,9 @@
> #include "libcamera/internal/pub_key.h"
>
> #if HAVE_GNUTLS
> +extern "C" {
> #include <gnutls/abstract.h>
> +}
> #endif
>
> /**
> @@ -87,8 +89,13 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,
> static_cast<unsigned int>(sig.size())
> };
>
> +#if GNUTLS_VERSION_MAJOR >= 3
> int ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_RSA_SHA256, 0,
> &gnuTlsData, &gnuTlsSig);
> +#else
> + int ret = gnutls_pubkey_verify_data(pubkey_, 0, &gnuTlsData, &gnuTlsSig);
> +#endif
> +
> return ret >= 0;
> #else
> return false;
--
Regards,
Laurent Pinchart
More information about the libcamera-devel
mailing list