Make openssl speed test signatures without errors
Patch backported from https://github.com/openssl/openssl/pull/28224. Resolves: RHEL-95182
This commit is contained in:
Pavol Žáčik
parent
28538f622d
commit
10f6d8e74b
176
0056-Speed-test-signatures-without-errors.patch
Normal file
176
0056-Speed-test-signatures-without-errors.patch
Normal file
@ -0,0 +1,176 @@
|
||||
From 0db63fff91327d06502027441104665f462be922 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
|
||||
Date: Mon, 11 Aug 2025 12:02:03 +0200
|
||||
Subject: [PATCH 1/2] apps/speed.c: Disable testing of composite signature
|
||||
algorithms
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Creating public key context from name would always fail
|
||||
for composite signature algorithms (such as RSA-SHA256)
|
||||
because the public key algorithm name (e.g., RSA) does
|
||||
not match the name of the composite algorithm.
|
||||
|
||||
Relates to #27855.
|
||||
|
||||
Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
|
||||
---
|
||||
apps/speed.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/apps/speed.c b/apps/speed.c
|
||||
index 2c3ec37d1239e..a6d239c8cda81 100644
|
||||
--- a/apps/speed.c
|
||||
+++ b/apps/speed.c
|
||||
@@ -2281,9 +2281,11 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
#endif /* OPENSSL_NO_DSA */
|
||||
/* skipping these algs as tested elsewhere - and b/o setup is a pain */
|
||||
- else if (strcmp(sig_name, "ED25519") &&
|
||||
- strcmp(sig_name, "ED448") &&
|
||||
- strcmp(sig_name, "ECDSA") &&
|
||||
+ else if (strncmp(sig_name, "RSA", 3) &&
|
||||
+ strncmp(sig_name, "DSA", 3) &&
|
||||
+ strncmp(sig_name, "ED25519", 7) &&
|
||||
+ strncmp(sig_name, "ED448", 5) &&
|
||||
+ strncmp(sig_name, "ECDSA", 5) &&
|
||||
strcmp(sig_name, "HMAC") &&
|
||||
strcmp(sig_name, "SIPHASH") &&
|
||||
strcmp(sig_name, "POLY1305") &&
|
||||
|
||||
From 30d98de47c63ca84df41ee57f9d230b2f56bf9ef Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
|
||||
Date: Mon, 11 Aug 2025 12:19:59 +0200
|
||||
Subject: [PATCH 2/2] apps/speed.c: Support more signature algorithms
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
|
||||
via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
|
||||
before reporting an error.
|
||||
|
||||
Fixes #27108.
|
||||
|
||||
Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
|
||||
---
|
||||
apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
|
||||
1 file changed, 53 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/apps/speed.c b/apps/speed.c
|
||||
index a6d239c8cda81..059183ddc77d3 100644
|
||||
--- a/apps/speed.c
|
||||
+++ b/apps/speed.c
|
||||
@@ -4254,6 +4254,7 @@ int speed_main(int argc, char **argv)
|
||||
EVP_PKEY_CTX *sig_gen_ctx = NULL;
|
||||
EVP_PKEY_CTX *sig_sign_ctx = NULL;
|
||||
EVP_PKEY_CTX *sig_verify_ctx = NULL;
|
||||
+ EVP_SIGNATURE *alg = NULL;
|
||||
unsigned char md[SHA256_DIGEST_LENGTH];
|
||||
unsigned char *sig;
|
||||
char sfx[MAX_ALGNAME_SUFFIX];
|
||||
@@ -4314,21 +4315,48 @@ int speed_main(int argc, char **argv)
|
||||
sig_name);
|
||||
goto sig_err_break;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Try explicitly fetching the signature algoritm implementation to
|
||||
+ * use in case the algorithm does not support EVP_PKEY_sign_init
|
||||
+ */
|
||||
+ ERR_set_mark();
|
||||
+ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
|
||||
+ ERR_pop_to_mark();
|
||||
+
|
||||
/* Now prepare signature data structs */
|
||||
sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
|
||||
pkey,
|
||||
app_get0_propq());
|
||||
- if (sig_sign_ctx == NULL
|
||||
- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
|
||||
- || (use_params == 1
|
||||
- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
|
||||
- RSA_PKCS1_PADDING) <= 0))
|
||||
- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
|
||||
- md, md_len) <= 0) {
|
||||
- BIO_printf(bio_err,
|
||||
- "Error while initializing signing data structs for %s.\n",
|
||||
- sig_name);
|
||||
- goto sig_err_break;
|
||||
+ if (sig_sign_ctx == NULL) {
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Error while initializing signing ctx for %s.\n",
|
||||
+ sig_name);
|
||||
+ goto sig_err_break;
|
||||
+ }
|
||||
+ ERR_set_mark();
|
||||
+ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
|
||||
+ && (alg == NULL
|
||||
+ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
|
||||
+ ERR_clear_last_mark();
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Error while initializing signing data structs for %s.\n",
|
||||
+ sig_name);
|
||||
+ goto sig_err_break;
|
||||
+ }
|
||||
+ ERR_pop_to_mark();
|
||||
+ if (use_params == 1 &&
|
||||
+ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Error while initializing padding for %s.\n",
|
||||
+ sig_name);
|
||||
+ goto sig_err_break;
|
||||
+ }
|
||||
+ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Error while obtaining signature bufffer length for %s.\n",
|
||||
+ sig_name);
|
||||
+ goto sig_err_break;
|
||||
}
|
||||
sig = app_malloc(sig_len = max_sig_len, "signature buffer");
|
||||
if (sig == NULL) {
|
||||
@@ -4344,16 +4372,23 @@ int speed_main(int argc, char **argv)
|
||||
sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
|
||||
pkey,
|
||||
app_get0_propq());
|
||||
- if (sig_verify_ctx == NULL
|
||||
- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
|
||||
- || (use_params == 1
|
||||
- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
|
||||
- RSA_PKCS1_PADDING) <= 0))) {
|
||||
+ if (sig_verify_ctx == NULL) {
|
||||
+ BIO_printf(bio_err,
|
||||
+ "Error while initializing verify ctx for %s.\n",
|
||||
+ sig_name);
|
||||
+ goto sig_err_break;
|
||||
+ }
|
||||
+ ERR_set_mark();
|
||||
+ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
|
||||
+ && (alg == NULL
|
||||
+ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
|
||||
+ ERR_clear_last_mark();
|
||||
BIO_printf(bio_err,
|
||||
"Error while initializing verify data structs for %s.\n",
|
||||
sig_name);
|
||||
goto sig_err_break;
|
||||
}
|
||||
+ ERR_pop_to_mark();
|
||||
if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
|
||||
BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
|
||||
goto sig_err_break;
|
||||
@@ -4369,12 +4404,14 @@ int speed_main(int argc, char **argv)
|
||||
loopargs[i].sig_act_sig_len[testnum] = sig_len;
|
||||
loopargs[i].sig_sig[testnum] = sig;
|
||||
EVP_PKEY_free(pkey);
|
||||
+ EVP_SIGNATURE_free(alg);
|
||||
pkey = NULL;
|
||||
continue;
|
||||
|
||||
sig_err_break:
|
||||
dofail();
|
||||
EVP_PKEY_free(pkey);
|
||||
+ EVP_SIGNATURE_free(alg);
|
||||
op_count = 1;
|
||||
sig_checks = 0;
|
||||
break;
|
||||
@ -97,6 +97,7 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
|
||||
%endif
|
||||
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
|
||||
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
|
||||
Patch0056: 0056-Speed-test-signatures-without-errors.patch
|
||||
|
||||
License: Apache-2.0
|
||||
URL: http://www.openssl.org/
|
||||
|
||||
Loading…
Reference in New Issue
Block a user