________________________________ From: Gowrishankar Muthukrishnan Sent: Sunday, February 16, 2025 14:28 To: dev@dpdk.org; Akhil Goyal; Ji, Kai; Fan Zhang Cc: anoobj@marvell.com; Gowrishankar Muthukrishnan; stable@dpdk.org Subject: [PATCH] crypto/openssl: validate incorrect signature in verify op Return correct error status when incorrect signature is used in RSA verify op. Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API") Cc: stable@dpdk.org Signed-off-by: Gowrishankar Muthukrishnan --- drivers/crypto/openssl/rte_openssl_pmd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index b090611bd0..239688ed47 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2710,6 +2710,8 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop, return ret; } + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + [Kai] I don't see any status that needs to be changed between L.2694 and here, unless I am missing it anywhere. switch (op->rsa.op_type) { case RTE_CRYPTO_ASYM_OP_ENCRYPT: if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) @@ -2807,6 +2809,7 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop, op->rsa.sign.data, op->rsa.sign.length) <= 0) { OPENSSL_free(tmp); + ret = 0; [Kai] Please add some comments on why ret needs to return 0 goto err_rsa; } -- 2.25.1
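Review bot: The new `cop->status = RTE_CRYPTO_OP_STATUS_ERROR;` in the first hunk sits ahead of `switch (op->rsa.op_type)`, so it becomes the default for every RSA op type, including the `RTE_CRYPTO_ASYM_OP_ENCRYPT` case visible just below, while the commit message scopes the fix to the verify op only. The visible context does not show where the status is set back to success, so please confirm that every successful case in the switch assigns it explicitly. Otherwise, move the assignment into the verify failure branch beside the `ret = 0;` of the second hunk. If the pessimistic default is intended, a one-line comment above the assignment saying so would settle the question raised in the inline reply.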
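Review bot: In the second hunk, `ret = 0;` directly before `goto err_rsa;` reads as a success return on an error path and needs a comment stating that the signature failure is reported to the caller through `cop->status` rather than through the function's return value, if that is the intent. Note also that the guarding condition is `<= 0`, so the same `ret = 0` now applies whether the call returned zero or a negative value. If a signature mismatch and an internal failure are meant to be reported differently, split the condition and handle the negative case separately.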