summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross@burtonini.com>2021-12-01 10:27:43 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-12-03 23:37:16 +0000
commit1121148f1302e14319c0f516c222671c0480e492 (patch)
treead5de48f05a0d4cf8a682d08bd599cf821a076d8
parent0000a5cae308b7d42b36d4032ae3c463f8f8fef1 (diff)
downloadpoky-1121148f1302e14319c0f516c222671c0480e492.tar.gz
openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
Backport a patch from upstream. Specifically, this fixes signature validation in trusted-firmware-a with OpenSSL 3. (From OE-Core rev: ac670fd4f543f439efdea26e813a4b5121161289) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch108
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.0.0.bb1
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
new file mode 100644
index 0000000000..b85a3ad7d2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
@@ -0,0 +1,108 @@
1Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default
2context (required when backporting, not needed with 3.0.1).
3
4Upstream-Status: Backport
5Signed-off-by: Ross Burton <ross.burton@arm.com>
6
7From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001
8From: Tom Cosgrove <tom.cosgrove@arm.com>
9Date: Thu, 25 Nov 2021 15:49:26 +0000
10Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
11
12When an integer value was specified, it was not being passed back via
13the orig_p2 weirdness.
14
15Regression test included.
16
17Reviewed-by: Tomas Mraz <tomas@openssl.org>
18Reviewed-by: Paul Dale <pauli@openssl.org>
19(Merged from https://github.com/openssl/openssl/pull/17136)
20---
21 crypto/evp/ctrl_params_translate.c | 12 +++++++-----
22 test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++
23 2 files changed, 37 insertions(+), 5 deletions(-)
24
25diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
26index 88945e13e6..6638209a8d 100644
27--- a/crypto/evp/ctrl_params_translate.c
28+++ b/crypto/evp/ctrl_params_translate.c
29@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state,
30 if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL)
31 || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) {
32 size_t i;
33+ int val;
34
35 for (i = 0; i < OSSL_NELEM(str_value_map); i++) {
36 if (strcmp(ctx->p2, str_value_map[i].ptr) == 0)
37 break;
38 }
39- if (i == OSSL_NELEM(str_value_map)) {
40- ctx->p1 = atoi(ctx->p2);
41- } else if (state == POST_CTRL_TO_PARAMS) {
42+
43+ val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2)
44+ : (int)str_value_map[i].id;
45+ if (state == POST_CTRL_TO_PARAMS) {
46 /*
47 * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further
48 * up
49 */
50- *(int *)ctx->orig_p2 = str_value_map[i].id;
51+ *(int *)ctx->orig_p2 = val;
52 } else {
53- ctx->p1 = (int)str_value_map[i].id;
54+ ctx->p1 = val;
55 }
56 ctx->p2 = NULL;
57 }
58diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
59index 83f8902d24..9ad37a2bce 100644
60--- a/test/evp_extra_test.c
61+++ b/test/evp_extra_test.c
62@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void)
63 return ret;
64 }
65
66+static int test_EVP_rsa_pss_set_saltlen(void)
67+{
68+ int ret = 0;
69+ EVP_PKEY *pkey = NULL;
70+ EVP_PKEY_CTX *pkey_ctx = NULL;
71+ EVP_MD *sha256 = NULL;
72+ EVP_MD_CTX *sha256_ctx = NULL;
73+ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
74+ const int test_value = 32;
75+
76+ if (nullprov != NULL)
77+ return TEST_skip("Test does not support a non-default library context");
78+
79+ ret = TEST_ptr(pkey = load_example_rsa_key())
80+ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
81+ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
82+ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
83+ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
84+ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value))
85+ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
86+ && TEST_int_eq(saltlen, test_value);
87+
88+ EVP_MD_CTX_free(sha256_ctx);
89+ EVP_PKEY_free(pkey);
90+ EVP_MD_free(sha256);
91+
92+ return ret;
93+}
94+
95 static int success = 1;
96 static void md_names(const char *name, void *vctx)
97 {
98@@ -3966,6 +3995,7 @@ int setup_tests(void)
99 ADD_ALL_TESTS(test_evp_iv_des, 6);
100 #endif
101 ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
102+ ADD_TEST(test_EVP_rsa_pss_set_saltlen);
103 #ifndef OPENSSL_NO_EC
104 ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
105 #endif
106--
1072.25.1
108
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
index 8852a51ca8..4b1ae71a85 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
13 file://afalg.patch \ 13 file://afalg.patch \
14 file://0001-Configure-do-not-tweak-mips-cflags.patch \ 14 file://0001-Configure-do-not-tweak-mips-cflags.patch \
15 file://armv8-32bit.patch \ 15 file://armv8-32bit.patch \
16 file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \
16 " 17 "
17 18
18SRC_URI:append:class-nativesdk = " \ 19SRC_URI:append:class-nativesdk = " \