* [PATCH] openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
@ 2021-11-25 11:10 Ross Burton
2021-11-26 8:12 ` [OE-core] " Richard Purdie
0 siblings, 1 reply; 3+ messages in thread
From: Ross Burton @ 2021-11-25 11:10 UTC (permalink / raw)
To: openembedded-core
Backport a patch submitted upstream. Specifically, this fixes signature
validation in trusted-firmware-a with OpenSSL 3.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
...-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 89 +++++++++++++++++++
.../openssl/openssl_3.0.0.bb | 1 +
2 files changed, 90 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
new file mode 100644
index 0000000000..5c76485b5f
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
@@ -0,0 +1,89 @@
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/17136]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 425191c295ada8510b0ee87d292ef18b7a45d062 Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Thu, 25 Nov 2021 10:17:15 +0000
+Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
+
+When an integer value was specified, it was not being passed back via
+the orig_p2 weirdness.
+
+Regression test included.
+---
+ crypto/evp/ctrl_params_translate.c | 10 +++++-----
+ test/evp_extra_test.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 5 deletions(-)
+
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index d17017a78e81..99aaf6c09d8e 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -1384,16 +1384,16 @@ static int fix_rsa_pss_saltlen(enum state state,
+ if (strcmp(ctx->p2, str_value_map[i].ptr) == 0)
+ break;
+ }
+- if (i == OSSL_NELEM(str_value_map)) {
+- ctx->p1 = atoi(ctx->p2);
+- } else if (state == POST_CTRL_TO_PARAMS) {
++ int val = (i == OSSL_NELEM(str_value_map)) ? atoi(ctx->p2) :
++ (int)str_value_map[i].id;
++ if (state == POST_CTRL_TO_PARAMS) {
+ /*
+ * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further
+ * up
+ */
+- *(int *)ctx->orig_p2 = str_value_map[i].id;
++ *(int *)ctx->orig_p2 = val;
+ } else {
+- ctx->p1 = (int)str_value_map[i].id;
++ ctx->p1 = val;
+ }
+ ctx->p2 = NULL;
+ }
+diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
+index df97f448ab3a..27795b77c8c8 100644
+--- a/test/evp_extra_test.c
++++ b/test/evp_extra_test.c
+@@ -3186,6 +3186,33 @@ static int test_EVP_rsa_pss_with_keygen_bits(void)
+ return ret;
+ }
+
++static int test_EVP_rsa_pss_set_saltlen(void)
++{
++ int ret = 0;
++ EVP_PKEY *pkey = NULL;
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ EVP_MD *sha256 = NULL;
++ EVP_MD_CTX *sha256_ctx = NULL;
++ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
++ const int test_value = 32;
++
++ ret = TEST_ptr(pkey = load_example_rsa_key())
++ && TEST_ptr(pkey_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL))
++ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
++ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
++ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
++ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
++ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value))
++ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
++ && TEST_int_eq(saltlen, test_value);
++
++ EVP_PKEY_CTX_free(pkey_ctx);
++ EVP_PKEY_free(pkey);
++ EVP_MD_free(sha256);
++
++ return ret;
++}
++
+ static int success = 1;
+ static void md_names(const char *name, void *vctx)
+ {
+@@ -4245,6 +4272,7 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_evp_iv_des, 6);
+ #endif
+ ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
++ ADD_TEST(test_EVP_rsa_pss_set_saltlen);
+ #ifndef OPENSSL_NO_EC
+ ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
+ #endif
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
index 8852a51ca8..4b1ae71a85 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://afalg.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
file://armv8-32bit.patch \
+ file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \
"
SRC_URI:append:class-nativesdk = " \
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
2021-11-25 11:10 [PATCH] openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value Ross Burton
@ 2021-11-26 8:12 ` Richard Purdie
0 siblings, 0 replies; 3+ messages in thread
From: Richard Purdie @ 2021-11-26 8:12 UTC (permalink / raw)
To: Ross Burton, openembedded-core
On Thu, 2021-11-25 at 11:10 +0000, Ross Burton wrote:
> Backport a patch submitted upstream. Specifically, this fixes signature
> validation in trusted-firmware-a with OpenSSL 3.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
> ...-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 89 +++++++++++++++++++
> .../openssl/openssl_3.0.0.bb | 1 +
> 2 files changed, 90 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
> new file mode 100644
> index 0000000000..5c76485b5f
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
> @@ -0,0 +1,89 @@
> +Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/17136]
> +Signed-off-by: Ross Burton <ross.burton@arm.com>
> +
> +From 425191c295ada8510b0ee87d292ef18b7a45d062 Mon Sep 17 00:00:00 2001
> +From: Tom Cosgrove <tom.cosgrove@arm.com>
> +Date: Thu, 25 Nov 2021 10:17:15 +0000
> +Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
> +
> +When an integer value was specified, it was not being passed back via
> +the orig_p2 weirdness.
> +
> +Regression test included.
> +---
> + crypto/evp/ctrl_params_translate.c | 10 +++++-----
> + test/evp_extra_test.c | 28 ++++++++++++++++++++++++++++
> + 2 files changed, 33 insertions(+), 5 deletions(-)
> +
I suspect this may be from this patch:
https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/2586
https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/2865
Cheers,
Richard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
@ 2021-12-01 10:27 Ross Burton
0 siblings, 0 replies; 3+ messages in thread
From: Ross Burton @ 2021-12-01 10:27 UTC (permalink / raw)
To: openembedded-core
Backport a patch from upstream. Specifically, this fixes signature
validation in trusted-firmware-a with OpenSSL 3.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
...-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 108 ++++++++++++++++++
.../openssl/openssl_3.0.0.bb | 1 +
2 files changed, 109 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
new file mode 100644
index 0000000000..b85a3ad7d2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
@@ -0,0 +1,108 @@
+Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default
+context (required when backporting, not needed with 3.0.1).
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Thu, 25 Nov 2021 15:49:26 +0000
+Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
+
+When an integer value was specified, it was not being passed back via
+the orig_p2 weirdness.
+
+Regression test included.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17136)
+---
+ crypto/evp/ctrl_params_translate.c | 12 +++++++-----
+ test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index 88945e13e6..6638209a8d 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state,
+ if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL)
+ || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) {
+ size_t i;
++ int val;
+
+ for (i = 0; i < OSSL_NELEM(str_value_map); i++) {
+ if (strcmp(ctx->p2, str_value_map[i].ptr) == 0)
+ break;
+ }
+- if (i == OSSL_NELEM(str_value_map)) {
+- ctx->p1 = atoi(ctx->p2);
+- } else if (state == POST_CTRL_TO_PARAMS) {
++
++ val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2)
++ : (int)str_value_map[i].id;
++ if (state == POST_CTRL_TO_PARAMS) {
+ /*
+ * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further
+ * up
+ */
+- *(int *)ctx->orig_p2 = str_value_map[i].id;
++ *(int *)ctx->orig_p2 = val;
+ } else {
+- ctx->p1 = (int)str_value_map[i].id;
++ ctx->p1 = val;
+ }
+ ctx->p2 = NULL;
+ }
+diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
+index 83f8902d24..9ad37a2bce 100644
+--- a/test/evp_extra_test.c
++++ b/test/evp_extra_test.c
+@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void)
+ return ret;
+ }
+
++static int test_EVP_rsa_pss_set_saltlen(void)
++{
++ int ret = 0;
++ EVP_PKEY *pkey = NULL;
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ EVP_MD *sha256 = NULL;
++ EVP_MD_CTX *sha256_ctx = NULL;
++ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
++ const int test_value = 32;
++
++ if (nullprov != NULL)
++ return TEST_skip("Test does not support a non-default library context");
++
++ ret = TEST_ptr(pkey = load_example_rsa_key())
++ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
++ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
++ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
++ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
++ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value))
++ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
++ && TEST_int_eq(saltlen, test_value);
++
++ EVP_MD_CTX_free(sha256_ctx);
++ EVP_PKEY_free(pkey);
++ EVP_MD_free(sha256);
++
++ return ret;
++}
++
+ static int success = 1;
+ static void md_names(const char *name, void *vctx)
+ {
+@@ -3966,6 +3995,7 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_evp_iv_des, 6);
+ #endif
+ ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
++ ADD_TEST(test_EVP_rsa_pss_set_saltlen);
+ #ifndef OPENSSL_NO_EC
+ ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
+ #endif
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
index 8852a51ca8..4b1ae71a85 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://afalg.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
file://armv8-32bit.patch \
+ file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \
"
SRC_URI:append:class-nativesdk = " \
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-12-01 10:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-25 11:10 [PATCH] openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value Ross Burton
2021-11-26 8:12 ` [OE-core] " Richard Purdie
2021-12-01 10:27 Ross Burton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.