forked from mindspore-Ecosystem/mindspore
Patch CVE-2021-3711 and CVE-2021-3712 for openssl
This commit is contained in:
parent
0b6ecd5b4c
commit
546f90ca6d
|
@ -5,13 +5,23 @@ else()
|
|||
set(REQ_URL "https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1k.tar.gz")
|
||||
set(MD5 "bdd51a68ad74618dd2519da8e0bcc759")
|
||||
endif()
|
||||
|
||||
if(BUILD_LITE)
|
||||
set(OPENSSL_PATCH_ROOT ${TOP_DIR}/third_party/patch/openssl)
|
||||
else()
|
||||
set(OPENSSL_PATCH_ROOT ${CMAKE_SOURCE_DIR}/third_party/patch/openssl)
|
||||
endif()
|
||||
|
||||
if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
|
||||
mindspore_add_pkg(openssl
|
||||
VER 1.1.1k
|
||||
LIBS ssl crypto
|
||||
URL ${REQ_URL}
|
||||
MD5 ${MD5}
|
||||
CONFIGURE_COMMAND ./config no-zlib no-shared)
|
||||
CONFIGURE_COMMAND ./config no-zlib no-shared
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
|
||||
)
|
||||
include_directories(${openssl_INC})
|
||||
add_library(mindspore::ssl ALIAS openssl::ssl)
|
||||
add_library(mindspore::crypto ALIAS openssl::crypto)
|
||||
|
|
|
@ -446,6 +446,7 @@ if(MSLITE_ENABLE_CONVERTER)
|
|||
include(${TOP_DIR}/cmake/external_libs/eigen.cmake)
|
||||
include(${TOP_DIR}/cmake/external_libs/protobuf.cmake)
|
||||
if(MSLITE_ENABLE_MODEL_ENCRYPTION)
|
||||
find_package(Patch)
|
||||
include(${TOP_DIR}/cmake/external_libs/openssl.cmake)
|
||||
endif()
|
||||
add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/tools/converter)
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
|
||||
index ef505f6441..1188abfc6b 100644
|
||||
--- a/crypto/sm2/sm2_crypt.c
|
||||
+++ b/crypto/sm2/sm2_crypt.c
|
||||
@@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group)
|
||||
return field_size;
|
||||
}
|
||||
|
||||
-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
|
||||
- size_t *pt_size)
|
||||
+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size)
|
||||
{
|
||||
- const size_t field_size = ec_field_size(EC_KEY_get0_group(key));
|
||||
- const int md_size = EVP_MD_size(digest);
|
||||
- size_t overhead;
|
||||
+ struct SM2_Ciphertext_st *sm2_ctext = NULL;
|
||||
|
||||
- if (md_size < 0) {
|
||||
- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST);
|
||||
- return 0;
|
||||
- }
|
||||
- if (field_size == 0) {
|
||||
- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD);
|
||||
- return 0;
|
||||
- }
|
||||
+ sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size);
|
||||
|
||||
- overhead = 10 + 2 * field_size + (size_t)md_size;
|
||||
- if (msg_len <= overhead) {
|
||||
+ if (sm2_ctext == NULL) {
|
||||
SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING);
|
||||
return 0;
|
||||
}
|
||||
|
||||
- *pt_size = msg_len - overhead;
|
||||
+ *pt_size = sm2_ctext->C2->length;
|
||||
+ SM2_Ciphertext_free(sm2_ctext);
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
|
||||
index b42a14c32f..27025fbf3a 100644
|
||||
--- a/crypto/sm2/sm2_pmeth.c
|
||||
+++ b/crypto/sm2/sm2_pmeth.c
|
||||
@@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx,
|
||||
const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
|
||||
|
||||
if (out == NULL) {
|
||||
- if (!sm2_plaintext_size(ec, md, inlen, outlen))
|
||||
+ if (!sm2_plaintext_size(in, inlen, outlen))
|
||||
return -1;
|
||||
else
|
||||
return 1;
|
||||
diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h
|
||||
index 76ee80baff..50851a83ce 100644
|
||||
--- a/include/crypto/sm2.h
|
||||
+++ b/include/crypto/sm2.h
|
||||
@@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen,
|
||||
int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
|
||||
size_t *ct_size);
|
||||
|
||||
-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
|
||||
- size_t *pt_size);
|
||||
+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size);
|
||||
|
||||
int sm2_encrypt(const EC_KEY *key,
|
||||
const EVP_MD *digest,
|
||||
diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
|
||||
index 2bb73947ff..41827bb82f 100644
|
||||
--- a/test/sm2_internal_test.c
|
||||
+++ b/test/sm2_internal_test.c
|
||||
@@ -185,7 +185,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
|
||||
if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len))
|
||||
goto done;
|
||||
|
||||
- if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len))
|
||||
+ if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len))
|
||||
|| !TEST_int_eq(ptext_len, msg_len))
|
||||
goto done;
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
|
||||
index 7b7c75ce84..e497a25909 100644
|
||||
--- a/crypto/ec/ec_asn1.c
|
||||
+++ b/crypto/ec/ec_asn1.c
|
||||
@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
|
||||
ret->seed_len = params->curve->seed->length;
|
||||
}
|
||||
|
||||
- if (!params->order || !params->base || !params->base->data) {
|
||||
+ if (params->order == NULL
|
||||
+ || params->base == NULL
|
||||
+ || params->base->data == NULL
|
||||
+ || params->base->length == 0) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
Loading…
Reference in New Issue