[PATCH 1/1] lib/ecdsa: Fix LibreSSL before v2.7.0

Alex G. mr.nuke.me at gmail.com
Thu Jul 29 17:48:30 CEST 2021


Hi Artem

On 7/29/21 9:52 AM, Artem Panfilov wrote:
> On 29.07.2021 15:59, Tom Rini wrote:
>> Well yes, this is part of the question now, is there enough interest in
>> the old version to bother with?  The other part of the question is
>> what's being built now that wasn't being built before, and is that a bug
>> or a feature (a less CONFIG-dependent set of tools is good for generic
>> distributions).
> 
> OK, if someone else will report the same issue after u-boot release,
> then it should be fixed. Currently, I am okay with my local fix
> by disabling the CONFIG_TOOLS_LIBCRYPTO option.

ECDSA signing was not verified against a libcrypto that old. Given that 
signatures are non-deterministic, I doubt we could have a CI test that 
says old-libcrypto, known block must equal known signature.

When we added ECDSA, there was not a need to consider old libcrypto 
versions, but I also did not pay attention to the #ifdefs in the much 
older RSA path. I'm sorry that you had to go through the frustrations of 
getting a patch rejected which does something the codebase already does.

I am going to take a look at cleaning up the RSA path. There's no point 
in maintaining backwards compatibility if we're not doing it across the 
board.

Alex


