[PATCH 0/2] Align return values across crypto backends
39 views
Skip to first unread message
Storm, Christian
Apr 21, 2026, 10:03:52 AMApr 21
to swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
This series aligns and documents the expected return values across
all crypto backends. It further fixes a bug due to inconsistent
caller and callee semantics. Please review CAREFULLY!
Best regards,
Felix Moessbauer
Siemens AG
[ Sent by Christian Storm <christi...@siemens.com> ]
Felix Moessbauer (2):
fix(openssl): correctly handle failure of EVP_DigestFinal
refactor(mbedtls): align HASH_final return values across
implementations
crypto/swupdate_HASH_mbedtls.c | 2 +-
crypto/swupdate_HASH_openssl.c | 4 +++-
include/swupdate_crypto.h | 4 ++++
3 files changed, 8 insertions(+), 2 deletions(-)
--
2.53.0
all crypto backends. It further fixes a bug due to inconsistent
caller and callee semantics. Please review CAREFULLY!
Best regards,
Felix Moessbauer
Siemens AG
[ Sent by Christian Storm <christi...@siemens.com> ]
Felix Moessbauer (2):
fix(openssl): correctly handle failure of EVP_DigestFinal
refactor(mbedtls): align HASH_final return values across
implementations
crypto/swupdate_HASH_mbedtls.c | 2 +-
crypto/swupdate_HASH_openssl.c | 4 +++-
include/swupdate_crypto.h | 4 ++++
3 files changed, 8 insertions(+), 2 deletions(-)
--
2.53.0
Storm, Christian
Apr 21, 2026, 10:05:52 AMApr 21
to swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
From: Felix Moessbauer <felix.mo...@siemens.com>
The EVP_DigestFinal_ex function returns 1 on success, 0 on failure.
However, the caller expects < 0 as failure, success otherwise. By that,
failures in the HASH_final function are silently ignored.
This currently cannot be exploited, as the md_len != SHA256_HASH_LENGTH
in cpio_utils.c catches this (the md_len stays at the initial value of
0). We fix it by explicitly comparing the result of EVP_DigestFinal_ex
against the expected values.
Fixes: d38d5359 ("Prepare to use multiple crypto engines")
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
crypto/swupdate_HASH_openssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/swupdate_HASH_openssl.c b/crypto/swupdate_HASH_openssl.c
index 9820b9c5..32fe8047 100644
--- a/crypto/swupdate_HASH_openssl.c
+++ b/crypto/swupdate_HASH_openssl.c
@@ -87,8 +87,10 @@ static int openssl_HASH_final(void *ctx, unsigned char *md_value,
if (!dgst)
return -EFAULT;
- return EVP_DigestFinal_ex (dgst->ctx, md_value, md_len);
+ if (EVP_DigestFinal_ex (dgst->ctx, md_value, md_len) != 1)
+ return -EIO;
+ return 0;
}
static void openssl_HASH_cleanup(void *ctx)
--
2.53.0
The EVP_DigestFinal_ex function returns 1 on success, 0 on failure.
However, the caller expects < 0 as failure, success otherwise. By that,
failures in the HASH_final function are silently ignored.
This currently cannot be exploited, as the md_len != SHA256_HASH_LENGTH
in cpio_utils.c catches this (the md_len stays at the initial value of
0). We fix it by explicitly comparing the result of EVP_DigestFinal_ex
against the expected values.
Fixes: d38d5359 ("Prepare to use multiple crypto engines")
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
crypto/swupdate_HASH_openssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/swupdate_HASH_openssl.c b/crypto/swupdate_HASH_openssl.c
index 9820b9c5..32fe8047 100644
--- a/crypto/swupdate_HASH_openssl.c
+++ b/crypto/swupdate_HASH_openssl.c
@@ -87,8 +87,10 @@ static int openssl_HASH_final(void *ctx, unsigned char *md_value,
if (!dgst)
return -EFAULT;
- return EVP_DigestFinal_ex (dgst->ctx, md_value, md_len);
+ if (EVP_DigestFinal_ex (dgst->ctx, md_value, md_len) != 1)
+ return -EIO;
+ return 0;
}
static void openssl_HASH_cleanup(void *ctx)
--
2.53.0
Storm, Christian
Apr 21, 2026, 10:07:37 AMApr 21
to swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
From: Felix Moessbauer <felix.mo...@siemens.com>
The HASH_final implementations are expected to return 0 on success and a
negative value on error. While the mbedtls_HASH_final correctly
implements this interface, it still is better to align the return codes
across the backends - what we do in this commit.
While doing so, we also document the expected return values of the
crypto backends.
crypto/swupdate_HASH_mbedtls.c | 2 +-
include/swupdate_crypto.h | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/crypto/swupdate_HASH_mbedtls.c b/crypto/swupdate_HASH_mbedtls.c
index 4165b940..9005256b 100644
--- a/crypto/swupdate_HASH_mbedtls.c
+++ b/crypto/swupdate_HASH_mbedtls.c
@@ -99,7 +99,7 @@ static int mbedtls_HASH_final(void *ctx, unsigned char *md_value,
*md_len = mbedtls_md_get_size(dgst->mbedtls_md_context.md_info);
#endif
}
- return 1;
+ return 0;
}
diff --git a/include/swupdate_crypto.h b/include/swupdate_crypto.h
index aa9da964..0e579dfb 100644
--- a/include/swupdate_crypto.h
+++ b/include/swupdate_crypto.h
@@ -46,6 +46,10 @@ typedef struct {
void (*DECRYPT_cleanup)(void *ctx);
} swupdate_decrypt_lib;
+/*
+ * Return:
+ * 0 on success, < 0 on error
+ */
typedef struct {
void *(*HASH_init)(const char *SHAlength);
int (*HASH_update)(void *ctx, const unsigned char *buf, size_t len);
--
2.53.0
The HASH_final implementations are expected to return 0 on success and a
negative value on error. While the mbedtls_HASH_final correctly
implements this interface, it still is better to align the return codes
across the backends - what we do in this commit.
While doing so, we also document the expected return values of the
crypto backends.
crypto/swupdate_HASH_mbedtls.c | 2 +-
include/swupdate_crypto.h | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/crypto/swupdate_HASH_mbedtls.c b/crypto/swupdate_HASH_mbedtls.c
index 4165b940..9005256b 100644
--- a/crypto/swupdate_HASH_mbedtls.c
+++ b/crypto/swupdate_HASH_mbedtls.c
@@ -99,7 +99,7 @@ static int mbedtls_HASH_final(void *ctx, unsigned char *md_value,
*md_len = mbedtls_md_get_size(dgst->mbedtls_md_context.md_info);
#endif
}
- return 1;
+ return 0;
}
diff --git a/include/swupdate_crypto.h b/include/swupdate_crypto.h
index aa9da964..0e579dfb 100644
--- a/include/swupdate_crypto.h
+++ b/include/swupdate_crypto.h
@@ -46,6 +46,10 @@ typedef struct {
void (*DECRYPT_cleanup)(void *ctx);
} swupdate_decrypt_lib;
+/*
+ * Return:
+ * 0 on success, < 0 on error
+ */
typedef struct {
void *(*HASH_init)(const char *SHAlength);
int (*HASH_update)(void *ctx, const unsigned char *buf, size_t len);
--
2.53.0
Storm, Christian
Apr 21, 2026, 10:09:25 AMApr 21
to swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
Storm, Christian
Apr 21, 2026, 10:10:33 AMApr 21
to swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
From: Felix Moessbauer <felix.mo...@siemens.com>
The EVP_DigestFinal_ex function returns 1 on success, 0 on failure.
However, the caller expects < 0 as failure, success otherwise. By that,
failures in the HASH_final function are silently ignored.
This currently cannot be exploited, as the md_len != SHA256_HASH_LENGTH
in cpio_utils.c catches this (the md_len stays at the initial value of
0). We fix it by explicitly comparing the result of EVP_DigestFinal_ex
against the expected values.
Fixes: d38d5359 ("Prepare to use multiple crypto engines")
The EVP_DigestFinal_ex function returns 1 on success, 0 on failure.
However, the caller expects < 0 as failure, success otherwise. By that,
failures in the HASH_final function are silently ignored.
This currently cannot be exploited, as the md_len != SHA256_HASH_LENGTH
in cpio_utils.c catches this (the md_len stays at the initial value of
0). We fix it by explicitly comparing the result of EVP_DigestFinal_ex
against the expected values.
Fixes: d38d5359 ("Prepare to use multiple crypto engines")
Storm, Christian
Apr 21, 2026, 10:12:15 AMApr 21
to swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
From: Felix Moessbauer <felix.mo...@siemens.com>
The HASH_final implementations are expected to return 0 on success and a
negative value on error. While the mbedtls_HASH_final correctly
implements this interface, it still is better to align the return codes
across the backends - what we do in this commit.
While doing so, we also document the expected return values of the
crypto backends.
The HASH_final implementations are expected to return 0 on success and a
negative value on error. While the mbedtls_HASH_final correctly
implements this interface, it still is better to align the return codes
across the backends - what we do in this commit.
While doing so, we also document the expected return values of the
crypto backends.
Stefano Babic
Apr 21, 2026, 10:26:27 AMApr 21
to Storm, Christian, swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
Hi Felix,
This is the digest implementation for openSSL, and then I look at the
EVP_DigestFinal_ex function
(https://github.com/openssl/openssl/blob/master/crypto/evp/digest.c),
this returns 0 in case of error - so ok, I see that an error is ignored.
But why do we have to compare with "1" ? I do not see this in openSSL code.
Stefano
> + return 0;
> }
>
> static void openssl_HASH_cleanup(void *ctx)
--
_______________________________________________________________________
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com
EVP_DigestFinal_ex function
(https://github.com/openssl/openssl/blob/master/crypto/evp/digest.c),
this returns 0 in case of error - so ok, I see that an error is ignored.
But why do we have to compare with "1" ? I do not see this in openSSL code.
Stefano
> + return 0;
> }
>
> static void openssl_HASH_cleanup(void *ctx)
--
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com
Stefano Babic
Apr 21, 2026, 10:27:52 AMApr 21
to Storm, Christian, swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
Stefano Babic
May 26, 2026, 6:32:39 AMMay 26
to Storm, Christian, swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
had to change myself the code.
Best regards,
Stefano
Stefano Babic
May 26, 2026, 6:37:45 AMMay 26
to Storm, Christian, swupdate, MOESSBAUER, Felix, Gylstorff, Quirin
Stefano Babic
May 26, 2026, 8:06:23 AMMay 26
to MOESSBAUER, Felix, Storm, Christian, swupdate, Gylstorff, Quirin
Hi Felix,
On 5/26/26 13:45, MOESSBAUER, Felix wrote:
> Thanks, but that's strange. On my side the patch mail applies cleanly,
> and I'm sending patches to MLs on a daily basis without any complaints
> (yet).
>
> Well... the patch was re-sent by Christian as my mails are not accepted
> on this ML.
You need to be registered to ML to be able to send patches. This was
introduced after the ML was over-flooded when ML was open to everybody.
However, ML is hosted by Google, and Google requires to have a gmail
account or a gmail account to associate. So nothing is free.
I was also thinking about to host myself the ML and I have already
prepared the server, but if users are happy with current setup, I won't
change.
> Maybe that's the culprit.
Yes, it is, all patches sent by Christian are malformed.
Best regards,
Stefano
>
> Felix
On 5/26/26 13:45, MOESSBAUER, Felix wrote:
> and I'm sending patches to MLs on a daily basis without any complaints
> (yet).
>
> Well... the patch was re-sent by Christian as my mails are not accepted
> on this ML.
You need to be registered to ML to be able to send patches. This was
introduced after the ML was over-flooded when ML was open to everybody.
However, ML is hosted by Google, and Google requires to have a gmail
account or a gmail account to associate. So nothing is free.
I was also thinking about to host myself the ML and I have already
prepared the server, but if users are happy with current setup, I won't
change.
> Maybe that's the culprit.
Yes, it is, all patches sent by Christian are malformed.
Best regards,
Stefano
>
> Felix
Storm, Christian
Jun 9, 2026, 11:24:15 AMJun 9
to swupdate
Hi,
>>> Applied, but patch resulted malformed (probabkly due the mailer) and I
>>> had to change myself the code.
>> Thanks, but that's strange. On my side the patch mail applies cleanly,
>> and I'm sending patches to MLs on a daily basis without any complaints
>> (yet).
>> Well... the patch was re-sent by Christian as my mails are not accepted
>> on this ML.
>
> You need to be registered to ML to be able to send patches. This was introduced after the ML was over-flooded when ML was open to everybody.
>
> However, ML is hosted by Google, and Google requires to have a gmail account or a gmail account to associate. So nothing is free.
>
> I was also thinking about to host myself the ML and I have already prepared the server, but if users are happy with current setup, I won't change.
>
>> Maybe that's the culprit.
>
> Yes, it is, all patches sent by Christian are malformed.
I'm sorry for the inconvenience! We seem to have some serious issues with our Mailer since (some) patches internally passed to me do also not apply cleanly, seemingly randomly...
Again, sorry for the inconvenience and efforts caused on your side!
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, FT RPD CED
Friedrich-Ludwig-Bauer-Str. 3, 85748 Garching, Germany
>>> Applied, but patch resulted malformed (probabkly due the mailer) and I
>>> had to change myself the code.
>> Thanks, but that's strange. On my side the patch mail applies cleanly,
>> and I'm sending patches to MLs on a daily basis without any complaints
>> (yet).
>> Well... the patch was re-sent by Christian as my mails are not accepted
>> on this ML.
>
> You need to be registered to ML to be able to send patches. This was introduced after the ML was over-flooded when ML was open to everybody.
>
> However, ML is hosted by Google, and Google requires to have a gmail account or a gmail account to associate. So nothing is free.
>
> I was also thinking about to host myself the ML and I have already prepared the server, but if users are happy with current setup, I won't change.
>
>> Maybe that's the culprit.
>
> Yes, it is, all patches sent by Christian are malformed.
Again, sorry for the inconvenience and efforts caused on your side!
Kind regards,
Christian
--
Dr. Christian Storm
Siemens AG, FT RPD CED
Friedrich-Ludwig-Bauer-Str. 3, 85748 Garching, Germany
Reply all
Reply to author
Forward
0 new messages