From: luca.boccassi@gmail.com
To: Gowrishankar Muthukrishnan
Cc: Akhil Goyal, dpdk stable
Subject: patch 'crypto/openssl: validate incorrect RSA signature' has been queued to stable release 22.11.8
Date: Fri, 7 Mar 2025 12:24:23 +0000
Message-ID: <20250307122431.1415551-24-luca.boccassi@gmail.com>
In-Reply-To: <20250307122431.1415551-1-luca.boccassi@gmail.com>
References: <20250217170456.1068278-79-luca.boccassi@gmail.com> <20250307122431.1415551-1-luca.boccassi@gmail.com>
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 22.11.8

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/09/25. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/c174c2bdcbe73b47a291a6145806c0bfdd534d4d

Thanks.

Luca Boccassi

---
From c174c2bdcbe73b47a291a6145806c0bfdd534d4d Mon Sep 17 00:00:00 2001
From: Gowrishankar Muthukrishnan
Date: Sun, 23 Feb 2025 11:34:04 +0530
Subject: [PATCH] crypto/openssl: validate incorrect RSA signature

[ upstream commit 6c209dd8785f34bfdc99b869c14e063d084508c2 ]

Return correct error status when incorrect signature is used
in RSA verify op.

Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
Signed-off-by: Gowrishankar Muthukrishnan Acked-by: Akhil Goyal --- drivers/crypto/openssl/rte_openssl_pmd.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 679a7bbeb6..01a7e5e30b 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2805,9 +2805,15 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop, goto err_rsa; } - if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + ret = EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, op->rsa.sign.data, - op->rsa.sign.length) <= 0) { + op->rsa.sign.length); + if (ret <= 0) { + /* OpenSSL RSA verification returns one on + * successful verification, otherwise 0. Hence, + * this enqueue operation should succeed even if + * invalid signature has been requested in verify. + */ OPENSSL_free(tmp); goto err_rsa; } -- 2.47.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2025-03-07 12:23:38.889368579 +0000 +++ 0024-crypto-openssl-validate-incorrect-RSA-signature.patch 2025-03-07 12:23:38.026838877 +0000 @@ -1 +1 @@ -From 6c209dd8785f34bfdc99b869c14e063d084508c2 Mon Sep 17 00:00:00 2001 +From c174c2bdcbe73b47a291a6145806c0bfdd534d4d Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 6c209dd8785f34bfdc99b869c14e063d084508c2 ] + @@ -10 +11,0 @@ -Cc: stable@dpdk.org @@ -19 +20 @@ -index b090611bd0..5bfad92b7c 100644 +index 679a7bbeb6..01a7e5e30b 100644 @@ -22 +23 @@ -@@ -2803,9 +2803,15 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop, +@@ -2805,9 +2805,15 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
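Review bot: In the `process_openssl_rsa_op_evp` hunk, the new comment under `if (ret <= 0)` says the enqueue operation should succeed for an invalid signature, but the branch body is unchanged (`OPENSSL_free(tmp); goto err_rsa;`), so the whole effect of the patch rests on how `ret` is consumed after the `err_rsa` label, which the hunk does not show. Please extend the comment to say where `ret` is used and that the operation status still reports failure on this path, so a reader can confirm a bad signature can never be surfaced as a successful verify. The comment also describes the return as "one on successful verification, otherwise 0", while the test is `ret <= 0`: negative returns from `EVP_PKEY_verify_recover` take the same path as 0, so either document that both cases are treated alike or handle `ret < 0` separately from `ret == 0`.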