Bug 141526

Summary: OpenSSL PadLock support needs update
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Forgotten User mbQyAD5r4K <forgotten_mbQyAD5r4K>
Component: Basesystem
Assignee: Peter Poeml <poeml>
Status: VERIFIED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: novell
Version: Final
Target Milestone: ---
Hardware: Other
OS: Other
URL: http://www.logix.cz/michal/devel/padlock
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User mbQyAD5r4K 2006-01-05 01:57:35 UTC
Hi,

I have run into severe problems with VIA PadLock-enabled OpenSSL from OpenSUSE 10.0 on my DualCPU VIA board. After some investigation I have found that you're still shipping OpenSSL with a PadLock patch that is too old. Could you please update the package to the latest ones found on http://www.logix.cz/michal/devel/padlock?

After I rebuilt the OpenSSL with these patches everything works fine for me.

Thanks!
Comment 1 Peter Poeml 2006-02-13 12:32:35 UTC
Michal, would the newer padlock version fix the problem reported in bug
141526? Is that the same issue as you encountered?
Comment 2 Forgotten User mbQyAD5r4K 2006-02-13 20:38:12 UTC
Err ... _this_ is bug 141526 ;-)
Comment 3 Peter Poeml 2006-02-14 09:30:22 UTC
Sorry.. I meant bug 114671 :-)
Comment 4 Forgotten User mbQyAD5r4K 2006-02-14 10:19:03 UTC
Quite likely. The old patch is known to fail in some circumstances, e.g. when the same EVP_CIPHER_CTX is reused for both encryption and decryption. These problems are very hard to debug as they are bound to timing and context switches - attach a debugger or recompile w/o -O2 and they're gone.

I strongly recommend updating the PadLock patch in 10.0 openssl and releasing it as an online update. The patch is 100% backward compatible (except for the bugs :) and won't change anything for non-epia users.
Comment 5 Forgotten User mbQyAD5r4K 2006-02-14 10:20:50 UTC
Back to ASSIGNED
Comment 6 Peter Poeml 2006-02-23 04:05:20 UTC
Harald, given the positive feedback in bug 114671 I want to update
openssl in 10.0. Can you approve the fix? It has zero effect on boards
without the VIA crypto hardware, therefore it is not risky.
Comment 7 Andreas Jaeger 2006-02-23 15:30:56 UTC
Peter, you have to ask me!

Ok, approved: Maintenance-Tracker-3657
Comment 8 Peter Poeml 2006-02-23 16:00:24 UTC
Harald, technically this update is only needed on 10.0-i386, neither on
ppc nor x86_64. Is it okay with the patchinfo process to restrict
DISTRIBUTION like that? (I guess so, but asking to make sure)
Comment 9 Peter Poeml 2006-02-23 16:14:55 UTC
Harald says that 10.0-i386 is sufficient.
Comment 10 Peter Poeml 2006-02-23 16:17:56 UTC
*** Bug 114671 has been marked as a duplicate of this bug. ***
Comment 11 Anja Stock 2006-02-27 11:54:24 UTC
released