From fe1606e0138cdfd460a21cd3d5ac2a81884ee288 Mon Sep 17 00:00:00 2001 From: Akash Saxena Date: Thu, 25 Oct 2018 10:00:56 +0000 Subject: [PATCH] crypto/openssl: fix RSA verify operation In lib cryptodev, RSA verify operation inputs plain message text and corresponding signature and expected to return RTE_CRYPTO_OP_STATUS_SUCCESS/FAILURE on a signature match/mismatch. Current OpenSSL PMD RSA verify implementation overrides application passed sign input by decrypted output which isn't expected. This patch addresses this issue in OpenSSL PMD. Now, OpenSSL PMD use tmp buffer to pass to OpenSSL sign API and memcmp output with original plain text to verify signature match. Set op->status = RTE_CRYPTO_OP_STATUS_ERROR on signature mismatch. Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations") Cc: stable@dpdk.org Signed-off-by: Ayuj Verma Signed-off-by: Akash Saxena Signed-off-by: Shally Verma Acked-by: Akhil Goyal --- drivers/crypto/openssl/rte_openssl_pmd.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 003116dccc..11ea0d1900 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -1843,6 +1843,9 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, struct rte_crypto_asym_op *op = cop->asym; RSA *rsa = sess->u.r.rsa; uint32_t pad = (op->rsa.pad); + uint8_t *tmp; + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; switch (pad) { case RTE_CRYPTO_RSA_PKCS1_V1_5_BT0: @@ -1895,9 +1898,15 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, break; case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + break; + } ret = RSA_public_decrypt(op->rsa.sign.length, op->rsa.sign.data, - op->rsa.sign.data, + tmp, rsa, pad); @@ -1905,13 +1914,12 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, "Length of public_decrypt %d " "length of message %zd\n", ret, op->rsa.message.length); - - if (memcmp(op->rsa.sign.data, op->rsa.message.data, - op->rsa.message.length)) { - OPENSSL_LOG(ERR, - "RSA sign Verification failed"); - return -1; + if ((ret <= 0) || (memcmp(tmp, op->rsa.message.data, + op->rsa.message.length))) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; } + rte_free(tmp); break; default: -- 2.20.1