author | Ross Burton <ross@burtonini.com> | 2021-12-01 10:27:43 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-12-03 23:37:16 +0000 |
commit | 1121148f1302e14319c0f516c222671c0480e492 (patch) | |
tree | ad5de48f05a0d4cf8a682d08bd599cf821a076d8 | |
parent | 0000a5cae308b7d42b36d4032ae3c463f8f8fef1 (diff) | |
download | poky-1121148f1302e14319c0f516c222671c0480e492.tar.gz |
openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
Backport a patch from upstream. Specifically, this fixes signature
validation in trusted-firmware-a with OpenSSL 3.
(From OE-Core rev: ac670fd4f543f439efdea26e813a4b5121161289)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 108 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.0.0.bb | 1 |
2 files changed, 109 insertions, 0 deletions
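--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
@@ -0,0 +1,108 @@
+Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default
+context (required when backporting, not needed with 3.0.1).
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Thu, 25 Nov 2021 15:49:26 +0000
+Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
+
+When an integer value was specified, it was not being passed back via
+the orig_p2 weirdness.
+
+Regression test included.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17136)
+---
+crypto/evp/ctrl_params_translate.c | 12 +++++++-----
+test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++
+2 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index 88945e13e6..6638209a8d 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state,
+if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL)
+|| (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) {
+size_t i;
++ int val;
+
+for (i = 0; i < OSSL_NELEM(str_value_map); i++) {
+if (strcmp(ctx->p2, str_value_map[i].ptr) == 0)
+break;
+}
+- if (i == OSSL_NELEM(str_value_map)) {
+- ctx->p1 = atoi(ctx->p2);
+- } else if (state == POST_CTRL_TO_PARAMS) {
++
++ val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2)
++ : (int)str_value_map[i].id;
++ if (state == POST_CTRL_TO_PARAMS) {
+/*
+* EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further
+* up
+*/
+- *(int *)ctx->orig_p2 = str_value_map[i].id;
++ *(int *)ctx->orig_p2 = val;
+} else {
+- ctx->p1 = (int)str_value_map[i].id;
++ ctx->p1 = val;
+}
+ctx->p2 = NULL;
+}
+diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
+index 83f8902d24..9ad37a2bce 100644
+--- a/test/evp_extra_test.c
++++ b/test/evp_extra_test.c
+@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void)
+return ret;
+}
+
++static int test_EVP_rsa_pss_set_saltlen(void)
++{
++ int ret = 0;
++ EVP_PKEY *pkey = NULL;
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ EVP_MD *sha256 = NULL;
++ EVP_MD_CTX *sha256_ctx = NULL;
++ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
++ const int test_value = 32;
++
++ if (nullprov != NULL)
++ return TEST_skip("Test does not support a non-default library context");
++
++ ret = TEST_ptr(pkey = load_example_rsa_key())
++ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
++ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
++ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
++ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
++ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value))
++ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
++ && TEST_int_eq(saltlen, test_value);
++
++ EVP_MD_CTX_free(sha256_ctx);
++ EVP_PKEY_free(pkey);
++ EVP_MD_free(sha256);
++
++ return ret;
++}
++
+static int success = 1;
+static void md_names(const char *name, void *vctx)
+{
+@@ -3966,6 +3995,7 @@ int setup_tests(void)
+ADD_ALL_TESTS(test_evp_iv_des, 6);
+#endif
+ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
++ ADD_TEST(test_EVP_rsa_pss_set_saltlen);
+#ifndef OPENSSL_NO_EC
+ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
+#endif
+--
+2.25.1
+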
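Review bot: The `atoi(ctx->p2)` in the new line `val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2) : (int)str_value_map[i].id;` (inner patch line 43, in fix_rsa_pss_saltlen) still gives no indication when the string is neither a map entry nor a number, so such input silently becomes a salt length of 0 on both the SET and the GET path; the call is carried over from the removed lines, but the rewrite is the natural place to replace it. I would parse with strtol and fail the fixup on a malformed or out-of-range value, e.g. `char *end; long v = strtol(ctx->p2, &end, 10);` followed by `if (end == ctx->p2 || *end != '\0' || v < INT_MIN || v > INT_MAX) return 0;` before assigning `val`, assuming this fixup follows OpenSSL's 0-on-failure return convention (the function starts and ends outside the hunk, so its return path is not visible here). The unparenthesized condition would also read more clearly as `(i == OSSL_NELEM(str_value_map)) ? atoi(ctx->p2) : (int)str_value_map[i].id`. As this file is a backport of an upstream commit, such a change belongs upstream first rather than in the recipe's copy of the patch.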
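--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 file://afalg.patch \
 file://0001-Configure-do-not-tweak-mips-cflags.patch \
 file://armv8-32bit.patch \
+file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \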