[v2 1/2] crypto/openssl: validate incorrect signature in verify op

Gowrishankar Muthukrishnan gmuthukrishn at marvell.com
Sun Feb 23 07:04:04 CET 2025

Previous message (by thread): [v4 3/5] examples/vhost_crypto: fix user callbacks
Next message (by thread): [PATCH v10 0/2] Fix use after free, and refactor af_xdp_tx_zc
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Return correct error status when incorrect signature is
used in RSA verify op.

Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
Cc: stable at dpdk.org

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn at marvell.com>
---
v2:
 - clubbed with test patch
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index b090611bd0..5bfad92b7c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2803,9 +2803,15 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
 			goto err_rsa;
 		}
 
-		if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+		ret = EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
 				op->rsa.sign.data,
-				op->rsa.sign.length) <= 0) {
+				op->rsa.sign.length);
+		if (ret <= 0) {
+			/* OpenSSL RSA verification returns one on
+			 * successful verification, otherwise 0. Hence,
+			 * this enqueue operation should succeed even if
+			 * invalid signature has been requested in verify.
+			 */
 			OPENSSL_free(tmp);
 			goto err_rsa;
 		}
-- 
2.25.1

Previous message (by thread): [v4 3/5] examples/vhost_crypto: fix user callbacks
Next message (by thread): [PATCH v10 0/2] Fix use after free, and refactor af_xdp_tx_zc
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list