When given a source length 0 for CCM, the encryption and decryption functions did not call the EVP_ENCRYPTUPDATE/EVP_DECRYPTUPDATE functions with a src and dst, causing some FIPS validation failures for testcases with PLen=0: process_openssl_auth_encryption_ccm() line 1131: Process openssl auth encryption ccm failed Fixes: 1a4998dc4d94 ("crypto/openssl: support AES-CCM") Cc: pablo.de.lara.guarch@intel.com Cc: stable@dpdk.org Signed-off-by: Ciara Power <ciara.power@intel.com> --- drivers/crypto/openssl/rte_openssl_pmd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 47004337d5..37b969b916 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -1114,7 +1114,7 @@ process_openssl_auth_encryption_ccm(struct rte_mbuf *mbuf_src, int offset, if (EVP_EncryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0) goto process_auth_encryption_ccm_err; - if (srclen > 0) + if (srclen >= 0) if (process_openssl_encryption_update(mbuf_src, offset, &dst, srclen, ctx, 0)) goto process_auth_encryption_ccm_err; @@ -1197,7 +1197,7 @@ process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset, if (EVP_DecryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0) goto process_auth_decryption_ccm_err; - if (srclen > 0) + if (srclen >= 0) if (process_openssl_decryption_update(mbuf_src, offset, &dst, srclen, ctx, 0)) return -EFAULT; -- 2.25.1
> -----Original Message-----
> From: Power, Ciara <ciara.power@intel.com>
> Sent: Monday, August 23, 2021 1:47 PM
> To: dev@dpdk.org
> Cc: stable@dpdk.org; Zhang, Roy Fan <roy.fan.zhang@intel.com>; Power,
> Ciara <ciara.power@intel.com>; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>; Doherty, Declan
> <declan.doherty@intel.com>
> Subject: [PATCH] crypto/openssl: fix CCM processing 0 length source
>
> When given a source length 0 for CCM, the encryption and decryption
> functions did not call the EVP_ENCRYPTUPDATE/EVP_DECRYPTUPDATE
> functions
> with a src and dst, causing some FIPS validation failures for testcases
> with PLen=0:
>
> process_openssl_auth_encryption_ccm() line 1131:
> Process openssl auth encryption ccm failed
>
> Fixes: 1a4998dc4d94 ("crypto/openssl: support AES-CCM")
> Cc: pablo.de.lara.guarch@intel.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Ciara Power <ciara.power@intel.com>
> ---
> drivers/crypto/openssl/rte_openssl_pmd.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 47004337d5..37b969b916 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -1114,7 +1114,7 @@ process_openssl_auth_encryption_ccm(struct
> rte_mbuf *mbuf_src, int offset,
> if (EVP_EncryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <=
> 0)
> goto process_auth_encryption_ccm_err;
>
> - if (srclen > 0)
> + if (srclen >= 0)
> if (process_openssl_encryption_update(mbuf_src, offset,
> &dst,
> srclen, ctx, 0))
> goto process_auth_encryption_ccm_err;
> @@ -1197,7 +1197,7 @@ process_openssl_auth_decryption_ccm(struct
> rte_mbuf *mbuf_src, int offset,
> if (EVP_DecryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <=
> 0)
> goto process_auth_decryption_ccm_err;
>
> - if (srclen > 0)
> + if (srclen >= 0)
> if (process_openssl_decryption_update(mbuf_src, offset,
> &dst,
> srclen, ctx, 0))
> return -EFAULT;
> --
> 2.25.1
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
> > > > When given a source length 0 for CCM, the encryption and decryption > > functions did not call the EVP_ENCRYPTUPDATE/EVP_DECRYPTUPDATE > > functions > > with a src and dst, causing some FIPS validation failures for testcases > > with PLen=0: > > > > process_openssl_auth_encryption_ccm() line 1131: > > Process openssl auth encryption ccm failed > > > > Fixes: 1a4998dc4d94 ("crypto/openssl: support AES-CCM") > > Cc: pablo.de.lara.guarch@intel.com > > Cc: stable@dpdk.org > > > > Signed-off-by: Ciara Power <ciara.power@intel.com> > Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Applied to dpdk-next-crypto Thanks.