* [v2 1/2] crypto/openssl: validate incorrect signature in verify op
From: Gowrishankar Muthukrishnan @ 2025-02-23 6:04 UTC
To: dev, Kai Ji, Fan Zhang, Akhil Goyal
Cc: anoobj, Gowrishankar Muthukrishnan, stable
Return correct error status when incorrect signature is
used in RSA verify op.
Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
Cc: stable@dpdk.org
Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
v2:
- clubbed with test patch
---
drivers/crypto/openssl/rte_openssl_pmd.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index b090611bd0..5bfad92b7c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2803,9 +2803,15 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
goto err_rsa;
}
- if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ ret = EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
op->rsa.sign.data,
- op->rsa.sign.length) <= 0) {
+ op->rsa.sign.length);
+ if (ret <= 0) {
+ /* OpenSSL RSA verification returns one on
+ * successful verification, otherwise 0. Hence,
+ * this enqueue operation should succeed even if
+ * invalid signature has been requested in verify.
+ */
OPENSSL_free(tmp);
goto err_rsa;
}
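Review bot: The new comment under "if (ret <= 0)" says the enqueue should succeed for an invalid signature, but the branch still frees tmp and takes "goto err_rsa" for ret == 0 and ret < 0 alike, so from these lines a reader cannot tell how a bad signature is separated from an internal OpenSSL failure. The comment also describes the return value as one or 0, while the condition covers negative values too (EVP_PKEY_verify_recover returns 1 on success and 0 or a negative value on failure). Please either split the two cases, reporting the verification failure through cop's status for ret == 0 and keeping the hard-error path for ret < 0, or reword the comment to state that ret is what err_rsa hands back and why a negative value may share this path. "invalid signature has been requested in verify" would read better as "an invalid signature was supplied to the verify op".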
--
2.25.1