[dpdk-stable] patch 'crypto/openssl: fix RSA verify operation' has been queued to stable release 18.08.1

Kevin Traynor ktraynor at redhat.com
Fri Nov 23 11:26:26 CET 2018 

Hi,

FYI, your patch has been queued to stable release 18.08.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/29/18. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the patch applied
to the branch. If the code is different (ie: not only metadata diffs), due for example to
a change in context or macro names, please double check it.

Thanks.

Kevin Traynor

---
>From 412c098e517c9f4cfe8a70457b9d32e28d81be65 Mon Sep 17 00:00:00 2001
From: Akash Saxena <akash.saxena at caviumnetworks.com>
Date: Thu, 25 Oct 2018 10:00:56 +0000
Subject: [PATCH] crypto/openssl: fix RSA verify operation

[ upstream commit fe1606e0138cdfd460a21cd3d5ac2a81884ee288 ]

In lib cryptodev, RSA verify operation inputs plain message text and
corresponding signature and expected to return
RTE_CRYPTO_OP_STATUS_SUCCESS/FAILURE on a signature match/mismatch.
Current OpenSSL PMD RSA verify implementation overrides application passed
sign input by decrypted output which isn't expected.

This patch addresses this issue in OpenSSL PMD. Now, OpenSSL PMD use
tmp buffer to pass to OpenSSL sign API and memcmp output with
original plain text to verify signature match.
Set op->status = RTE_CRYPTO_OP_STATUS_ERROR on signature mismatch.

Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")

Signed-off-by: Ayuj Verma <ayuj.verma at caviumnetworks.com>
Signed-off-by: Akash Saxena <akash.saxena at caviumnetworks.com>
Signed-off-by: Shally Verma <shally.verma at caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal at nxp.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 7d263aba3..e0fbbab84 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1843,4 +1843,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 	RSA *rsa = sess->u.r.rsa;
 	uint32_t pad = (op->rsa.pad);
+	uint8_t *tmp;
+
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
 
 	switch (pad) {
@@ -1895,7 +1898,13 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 
 	case RTE_CRYPTO_ASYM_OP_VERIFY:
+		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+		if (tmp == NULL) {
+			OPENSSL_LOG(ERR, "Memory allocation failed");
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+			break;
+		}
 		ret = RSA_public_decrypt(op->rsa.sign.length,
 				op->rsa.sign.data,
-				op->rsa.sign.data,
+				tmp,
 				rsa,
 				pad);
@@ -1905,11 +1914,10 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 				"length of message %zd\n",
 				ret, op->rsa.message.length);
-
-		if (memcmp(op->rsa.sign.data, op->rsa.message.data,
-					op->rsa.message.length)) {
-			OPENSSL_LOG(ERR,
-					"RSA sign Verification failed");
-			return -1;
+		if ((ret <= 0) || (memcmp(tmp, op->rsa.message.data,
+				op->rsa.message.length))) {
+			OPENSSL_LOG(ERR, "RSA sign Verification failed");
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
 		}
+		rte_free(tmp);
 		break;
 
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2018-11-23 10:22:54.830115159 +0000
+++ 0022-crypto-openssl-fix-RSA-verify-operation.patch	2018-11-23 10:22:54.000000000 +0000
@@ -1,8 +1,10 @@
-From fe1606e0138cdfd460a21cd3d5ac2a81884ee288 Mon Sep 17 00:00:00 2001
+From 412c098e517c9f4cfe8a70457b9d32e28d81be65 Mon Sep 17 00:00:00 2001
 From: Akash Saxena <akash.saxena at caviumnetworks.com>
 Date: Thu, 25 Oct 2018 10:00:56 +0000
 Subject: [PATCH] crypto/openssl: fix RSA verify operation
 
+[ upstream commit fe1606e0138cdfd460a21cd3d5ac2a81884ee288 ]
+
 In lib cryptodev, RSA verify operation inputs plain message text and
 corresponding signature and expected to return
 RTE_CRYPTO_OP_STATUS_SUCCESS/FAILURE on a signature match/mismatch.
@@ -15,7 +17,6 @@
 Set op->status = RTE_CRYPTO_OP_STATUS_ERROR on signature mismatch.
 
 Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")
-Cc: stable at dpdk.org
 
 Signed-off-by: Ayuj Verma <ayuj.verma at caviumnetworks.com>
 Signed-off-by: Akash Saxena <akash.saxena at caviumnetworks.com>
@@ -26,10 +27,10 @@
  1 file changed, 15 insertions(+), 7 deletions(-)
 
 diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
-index 003116dcc..11ea0d190 100644
+index 7d263aba3..e0fbbab84 100644
 --- a/drivers/crypto/openssl/rte_openssl_pmd.c
 +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
-@@ -1844,4 +1844,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
+@@ -1843,4 +1843,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
  	RSA *rsa = sess->u.r.rsa;
  	uint32_t pad = (op->rsa.pad);
 +	uint8_t *tmp;
@@ -37,7 +38,7 @@
 +	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
  
  	switch (pad) {
-@@ -1896,7 +1899,13 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
+@@ -1895,7 +1898,13 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
  
  	case RTE_CRYPTO_ASYM_OP_VERIFY:
 +		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
@@ -52,7 +53,7 @@
 +				tmp,
  				rsa,
  				pad);
-@@ -1906,11 +1915,10 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
+@@ -1905,11 +1914,10 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
  				"length of message %zd\n",
  				ret, op->rsa.message.length);
 -

More information about the stable mailing list