[{"id":3679910,"web_url":"http://patchwork.ozlabs.org/comment/3679910/","msgid":"<ec6907ee-35a8-449a-9a64-675810bbaf30@swupdate.org>","list_archive_url":null,"date":"2026-04-21T14:26:21","subject":"Re: [swupdate] [PATCH 1/2] fix(openssl): correctly handle failure of\n EVP_DigestFinal","submitter":{"id":86869,"url":"http://patchwork.ozlabs.org/api/people/86869/","name":"Stefano Babic","email":"stefano.babic@swupdate.org"},"content":"Hi Felix,\n\nOn 4/21/26 16:10, 'Storm, Christian' via swupdate wrote:\n> From: Felix Moessbauer <felix.moessbauer@siemens.com>\n> \n> The EVP_DigestFinal_ex function returns 1 on success, 0 on failure.\n> However, the caller expects < 0 as failure, success otherwise. By that,\n> failures in the HASH_final function are silently ignored.\n> \n> This currently cannot be exploited, as the md_len != SHA256_HASH_LENGTH\n> in cpio_utils.c catches this (the md_len stays at the initial value of\n> 0). We fix it by explicitly comparing the result of EVP_DigestFinal_ex\n> against the expected values.\n> \n> Fixes: d38d5359 (\"Prepare to use multiple crypto engines\")\n> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>\n> ---\n> crypto/swupdate_HASH_openssl.c | 4 +++-\n> 1 file changed, 3 insertions(+), 1 deletion(-)\n> \n> diff --git a/crypto/swupdate_HASH_openssl.c b/crypto/swupdate_HASH_openssl.c\n> index 9820b9c5..32fe8047 100644\n> --- a/crypto/swupdate_HASH_openssl.c\n> +++ b/crypto/swupdate_HASH_openssl.c\n> 
@@ -87,8 +87,10 @@ static int openssl_HASH_final(void *ctx, unsigned char *md_value,\n> if (!dgst)\n> return -EFAULT;\n> \n> - return EVP_DigestFinal_ex (dgst->ctx, md_value, md_len);\n> + if (EVP_DigestFinal_ex (dgst->ctx, md_value, md_len) != 1)\n> + return -EIO;\n> \n\nThis is the digest implementation for openSSL, and then I look at the \nEVP_DigestFinal_ex function \n(https://github.com/openssl/openssl/blob/master/crypto/evp/digest.c), \nthis returns 0 in case of error - so ok, I see that an error is ignored. \nBut why do we have to compare with \"1\" ? I do not see this in openSSL code.\n\nStefano\n\n> + return 0;\n> }\n> \n> static void openssl_HASH_cleanup(void *ctx)","headers":{"Return-Path":"<swupdate+bncBD2ZDGN6SEKRBEMST3HQMGQE4MI34YQ@googlegroups.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=googlegroups.com header.i=@googlegroups.com\n header.a=rsa-sha256 header.s=20251104 header.b=ezleDKt6;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com\n (client-ip=2a00:1450:4864:20::13c; helo=mail-lf1-x13c.google.com;\n envelope-from=swupdate+bncbd2zdgn6sekrbemst3hqmgqe4mi34yq@googlegroups.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from mail-lf1-x13c.google.com (mail-lf1-x13c.google.com\n [IPv6:2a00:1450:4864:20::13c])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0Pmr1H6sz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 00:26:36 +1000 (AEST)","by mail-lf1-x13c.google.com with SMTP id\n 2adb3069b0e04-5a277331b57sf3338637e87.1\n        for <incoming@patchwork.ozlabs.org>;\n Tue, 21 Apr 2026 07:26:35 -0700 (PDT)","by 
2002:a05:6512:63d2:10b0:5a3:ff88:1c5e with SMTP id\n 2adb3069b0e04-5a40e467930ls1226058e87.1.-pod-prod-03-eu; Tue, 21 Apr 2026\n 07:26:23 -0700 (PDT)","from mout.kundenserver.de (mout.kundenserver.de. [217.72.192.75])\n        by gmr-mx.google.com with ESMTPS id\n 2adb3069b0e04-5a4187dcf74si245062e87.7.2026.04.21.07.26.22\n        for <swupdate@googlegroups.com>\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Tue, 21 Apr 2026 07:26:22 -0700 (PDT)","from client.hidden.invalid by mrelayeu.kundenserver.de (mreue109\n [212.227.17.181]) with ESMTPSA (Nemesis) id 1M3DBb-1wG0rj1JaH-007rIt; Tue, 21\n Apr 2026 16:26:22 +0200"],"ARC-Authentication-Results":["i=2; gmr-mx.google.com;\n       dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=\"i0/IZh4f\";\n       spf=pass (google.com: domain of stefano.babic@swupdate.org designates\n 217.72.192.75 as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org","i=1; gmr-mx.google.com;\n       dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=\"i0/IZh4f\";\n       spf=pass (google.com: domain of stefano.babic@swupdate.org designates\n 217.72.192.75 as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org"],"Sender":"swupdate@googlegroups.com","X-Received":["by 2002:a05:6512:a84:b0:5a4:d8:ce6e with SMTP id\n 2adb3069b0e04-5a4172e9ffemr5664919e87.41.1776781587740;\n        Tue, 21 Apr 2026 07:26:27 -0700 (PDT)","by 2002:a05:6512:138e:b0:5a3:d1d9:6080 with SMTP id\n 2adb3069b0e04-5a4172e275amr5661548e87.29.1776781583290;\n        Tue, 21 Apr 2026 07:26:23 -0700 (PDT)"],"Received-SPF":"pass (google.com: domain of stefano.babic@swupdate.org\n designates 217.72.192.75 as permitted sender) client-ip=217.72.192.75;","X-UI-Sender-Class":"55c96926-9e95-11ee-ae09-1f7a4046a0f6","Message-ID":"<ec6907ee-35a8-449a-9a64-675810bbaf30@swupdate.org>","Date":"Tue, 21 Apr 2026 16:26:21 +0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [swupdate] [PATCH 1/2] fix(openssl): correctly handle failure of\n EVP_DigestFinal","To":"\"Storm, Christian\" <christian.storm@siemens.com>,\n swupdate <swupdate@googlegroups.com>","Cc":"\"MOESSBAUER, Felix\" <felix.moessbauer@siemens.com>,\n \"Gylstorff, Quirin\" <quirin.gylstorff@siemens.com>","References":"<0EC9AC91-BD5E-4565-A6EF-EE468E4D304E@siemens.com>\n <89927E47-3CB5-45C7-BF47-323103C4EAED@siemens.com>","Content-Language":"en-US","From":"Stefano Babic <stefano.babic@swupdate.org>","In-Reply-To":"<89927E47-3CB5-45C7-BF47-323103C4EAED@siemens.com>","Content-Type":"text/plain; charset=\"UTF-8\"; format=flowed","Content-Transfer-Encoding":"quoted-printable","X-Spam-Flag":"NO","X-Original-Sender":"stefano.babic@swupdate.org","X-Original-Authentication-Results":"gmr-mx.google.com;       dkim=pass\n header.i=@swupdate.org header.s=s1-ionos header.b=\"i0/IZh4f\";       spf=pass\n (google.com: domain of stefano.babic@swupdate.org designates 217.72.192.75 as\n permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;       dmarc=pass\n (p=NONE sp=NONE dis=NONE) header.from=swupdate.org","Precedence":"list","Mailing-list":"list swupdate@googlegroups.com;\n contact swupdate+owners@googlegroups.com","List-ID":"<swupdate.googlegroups.com>","X-Spam-Checked-In-Group":"swupdate@googlegroups.com","X-Google-Group-Id":"605343134186","List-Post":"<https://groups.google.com/group/swupdate/post>,\n <mailto:swupdate@googlegroups.com>","List-Help":"<https://groups.google.com/support/>,\n <mailto:swupdate+help@googlegroups.com>","List-Archive":"<https://groups.google.com/group/swupdate","List-Subscribe":"<https://groups.google.com/group/swupdate/subscribe>,\n <mailto:swupdate+subscribe@googlegroups.com>","List-Unsubscribe":"\n <mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n <https://groups.google.com/group/swupdate/subscribe>"}}]
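Review bot: the `!= 1` comparison added in openssl_HASH_final needs a one-line comment stating that EVP_DigestFinal_ex returns 1 on success and 0 on failure. The commit message carries that fact but the code does not, and the old line passed the raw return value through to a caller that treats only < 0 as failure, which is how the mismatch went unnoticed. Testing against the success value 1 rather than against 0 is the stricter form, since any result other than success then becomes -EIO. The commit message would also be stronger if it said whether the other EVP_Digest* calls behind this HASH interface were checked for the same return-convention mismatch.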