From 3fe3778b0bcd7cae6fa08cdfbd9a540b11fdc5a1 Mon Sep 17 00:00:00 2001 From: emmmmtang Date: Mon, 21 Mar 2022 20:30:11 +0800 Subject: [PATCH] fix openssl cve-2022-0778 --- cmake/external_libs/openssl.cmake | 6 ++- third_party/patch/openssl/CVE-2022-0778.patch | 49 +++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 third_party/patch/openssl/CVE-2022-0778.patch diff --git a/cmake/external_libs/openssl.cmake b/cmake/external_libs/openssl.cmake index 644284936c9..b807fe73357 100644 --- a/cmake/external_libs/openssl.cmake +++ b/cmake/external_libs/openssl.cmake @@ -28,6 +28,7 @@ if(BUILD_LITE) CONFIGURE_COMMAND ./Configure android-arm64 -D__ANDROID_API__=29 no-zlib PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch ) elseif(PLATFORM_ARM32 AND ANDROID_NDK_TOOLCHAIN_INCLUDED) set(ANDROID_NDK_ROOT $ENV{ANDROID_NDK}) @@ -43,6 +44,7 @@ if(BUILD_LITE) CONFIGURE_COMMAND ./Configure android-arm -D__ANDROID_API__=19 no-zlib PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch ) elseif(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR APPLE) mindspore_add_pkg(openssl @@ -53,6 +55,7 @@ if(BUILD_LITE) CONFIGURE_COMMAND ./config no-zlib PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch ) else() MESSAGE(FATAL_ERROR "openssl does not support compilation for the current environment.") @@ -71,9 +74,10 @@ else() CONFIGURE_COMMAND ./config no-zlib no-shared PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch ) include_directories(${openssl_INC}) add_library(mindspore::ssl ALIAS openssl::ssl) add_library(mindspore::crypto ALIAS openssl::crypto) endif() -endif() +endif() \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-0778.patch b/third_party/patch/openssl/CVE-2022-0778.patch new file mode 100644 index 00000000000..e384dac255e --- /dev/null +++ b/third_party/patch/openssl/CVE-2022-0778.patch @@ -0,0 +1,49 @@ +diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c +index 1723d5ded5..53b0f55985 100644 +--- a/crypto/bn/bn_sqrt.c ++++ b/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ \ No newline at end of file