From 29c6397ba2a995c70448df79a3c8e5d124e29c3e Mon Sep 17 00:00:00 2001 From: zhunaipan Date: Wed, 27 Jul 2022 19:20:04 +0800 Subject: [PATCH] =?UTF-8?q?add=20patches=20for=20fixing=20openssl=20CVEs?= =?UTF-8?q?=20=09=E4=BF=AE=E6=94=B9=EF=BC=9A=20=20=20=20=20cmake/external?= =?UTF-8?q?=5Flibs/openssl.cmake=20=09=E6=96=B0=E6=96=87=E4=BB=B6=EF=BC=9A?= =?UTF-8?q?=20=20=20third=5Fparty/patch/openssl/CVE-2021-4160.patch=20=09?= =?UTF-8?q?=E6=96=B0=E6=96=87=E4=BB=B6=EF=BC=9A=20=20=20third=5Fparty/patc?= =?UTF-8?q?h/openssl/CVE-2022-1292.patch=20=09=E6=96=B0=E6=96=87=E4=BB=B6?= =?UTF-8?q?=EF=BC=9A=20=20=20third=5Fparty/patch/openssl/CVE-2022-2068.pat?= =?UTF-8?q?ch?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cmake/external_libs/openssl.cmake | 12 + third_party/patch/openssl/CVE-2021-4160.patch | 78 ++++++ third_party/patch/openssl/CVE-2022-1292.patch | 58 +++++ third_party/patch/openssl/CVE-2022-2068.patch | 241 ++++++++++++++++++ 4 files changed, 389 insertions(+) create mode 100644 third_party/patch/openssl/CVE-2021-4160.patch create mode 100644 third_party/patch/openssl/CVE-2022-1292.patch create mode 100644 third_party/patch/openssl/CVE-2022-2068.patch diff --git a/cmake/external_libs/openssl.cmake b/cmake/external_libs/openssl.cmake index dad9f12fdb9..447c35377df 100644 --- a/cmake/external_libs/openssl.cmake +++ b/cmake/external_libs/openssl.cmake @@ -28,7 +28,10 @@ if(BUILD_LITE) CONFIGURE_COMMAND ./Configure android-arm64 -D__ANDROID_API__=29 no-zlib PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch ) elseif(PLATFORM_ARM32 AND ANDROID_NDK_TOOLCHAIN_INCLUDED) @@ -46,7 +49,10 @@ if(BUILD_LITE) CONFIGURE_COMMAND ./Configure android-arm -D__ANDROID_API__=19 no-zlib PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch ) elseif(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR APPLE) @@ -59,7 +65,10 @@ if(BUILD_LITE) CONFIGURE_COMMAND ./config no-zlib no-shared PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch ) else() @@ -79,7 +88,10 @@ else() CONFIGURE_COMMAND ./config no-zlib no-shared PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch + PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch ) include_directories(${openssl_INC}) diff --git a/third_party/patch/openssl/CVE-2021-4160.patch b/third_party/patch/openssl/CVE-2021-4160.patch new file mode 100644 index 00000000000..c5773f5b9f1 --- /dev/null +++ b/third_party/patch/openssl/CVE-2021-4160.patch @@ -0,0 +1,78 @@ +diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl +index 95cb227dc5..91b7aac6e7 100644 +--- a/crypto/bn/asm/mips.pl ++++ b/crypto/bn/asm/mips.pl +@@ -1986,6 +1986,8 @@ $code.=<<___; + sltu $at,$c_2,$t_1 + $ADDU $c_3,$t_2,$at + $ST $c_2,$BNSZ($a0) ++ sltu $at,$c_3,$t_2 ++ $ADDU $c_1,$at + mflo ($t_1,$a_2,$a_0) + mfhi ($t_2,$a_2,$a_0) + ___ +@@ -2196,6 +2198,8 @@ $code.=<<___; + sltu $at,$c_2,$t_1 + $ADDU $c_3,$t_2,$at + $ST $c_2,$BNSZ($a0) ++ sltu $at,$c_3,$t_2 ++ $ADDU $c_1,$at + mflo ($t_1,$a_2,$a_0) + mfhi ($t_2,$a_2,$a_0) + ___ +diff --git a/test/bntest.c b/test/bntest.c +index 87e5c4065b..fa9fc07cef 100644 +--- a/test/bntest.c ++++ b/test/bntest.c +@@ -630,6 +630,51 @@ static int test_modexp_mont5(void) + if (!TEST_BN_eq(c, d)) + goto err; + ++ /* ++ * Regression test for overflow bug in bn_sqr_comba4/8 for ++ * mips-linux-gnu and mipsel-linux-gnu 32bit targets. ++ */ ++ { ++ static const char *ehex[] = { ++ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", ++ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", ++ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", ++ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", ++ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", ++ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", ++ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", ++ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", ++ NULL}; ++ static const char *phex[] = { ++ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", ++ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", ++ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", ++ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", ++ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", ++ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", ++ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", ++ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", ++ NULL}; ++ static const char *mhex[] = { ++ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", ++ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", ++ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", ++ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", ++ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", ++ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", ++ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", ++ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", ++ NULL}; ++ ++ if (!TEST_true(parse_bigBN(&e, ehex)) ++ || !TEST_true(parse_bigBN(&p, phex)) ++ || !TEST_true(parse_bigBN(&m, mhex)) ++ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) ++ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) ++ || !TEST_BN_eq(a, d)) ++ goto err; ++ } ++ + /* Zero input */ + if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) + goto err; \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-1292.patch b/third_party/patch/openssl/CVE-2022-1292.patch new file mode 100644 index 00000000000..d07162220b5 --- /dev/null +++ b/third_party/patch/openssl/CVE-2022-1292.patch @@ -0,0 +1,58 @@ +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index fa7c6c9fef..83c1cc80e0 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -152,6 +152,23 @@ sub check_file { + return ($is_cert, $is_crl); + } + ++sub compute_hash { ++ my $fh; ++ if ( $^O eq "VMS" ) { ++ # VMS uses the open through shell ++ # The file names are safe there and list form is unsupported ++ if (!open($fh, "-|", join(' ', @_))) { ++ print STDERR "Cannot compute hash on '$fname'\n"; ++ return; ++ } ++ } else { ++ if (!open($fh, "-|", @_)) { ++ print STDERR "Cannot compute hash on '$fname'\n"; ++ return; ++ } ++ } ++ return (<$fh>, <$fh>); ++} + + # Link a certificate to its subject name hash value, each hash is of + # the form . where n is an integer. If the hash value already exists +@@ -161,10 +178,12 @@ sub check_file { + + sub link_hash_cert { + my $fname = $_[0]; +- $fname =~ s/\"/\\\"/g; +- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; ++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, ++ "-fingerprint", "-noout", ++ "-in", $fname); + chomp $hash; + chomp $fprint; ++ return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; +@@ -202,10 +221,12 @@ sub link_hash_cert { + + sub link_hash_crl { + my $fname = $_[0]; +- $fname =~ s/'/'\\''/g; +- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; ++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, ++ "-fingerprint", "-noout", ++ "-in", $fname); + chomp $hash; + chomp $fprint; ++ return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; \ No newline at end of file diff --git a/third_party/patch/openssl/CVE-2022-2068.patch b/third_party/patch/openssl/CVE-2022-2068.patch new file mode 100644 index 00000000000..fde78b92782 --- /dev/null +++ b/third_party/patch/openssl/CVE-2022-2068.patch @@ -0,0 +1,241 @@ +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index cfd18f5da1..9d2a6f6db7 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -104,52 +104,78 @@ foreach (@dirlist) { + } + exit($errorcount); + ++sub copy_file { ++ my ($src_fname, $dst_fname) = @_; ++ ++ if (open(my $in, "<", $src_fname)) { ++ if (open(my $out, ">", $dst_fname)) { ++ print $out $_ while (<$in>); ++ close $out; ++ } else { ++ warn "Cannot open $dst_fname for write, $!"; ++ } ++ close $in; ++ } else { ++ warn "Cannot open $src_fname for read, $!"; ++ } ++} ++ + sub hash_dir { +- my %hashlist; +- print "Doing $_[0]\n"; +- chdir $_[0]; +- opendir(DIR, "."); +- my @flist = sort readdir(DIR); +- closedir DIR; +- if ( $removelinks ) { +- # Delete any existing symbolic links +- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { +- if (-l $_) { +- print "unlink $_" if $verbose; +- unlink $_ || warn "Can't unlink $_, $!\n"; +- } +- } +- } +- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { +- # Check to see if certificates and/or CRLs present. +- my ($cert, $crl) = check_file($fname); +- if (!$cert && !$crl) { +- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; +- next; +- } +- link_hash_cert($fname) if ($cert); +- link_hash_crl($fname) if ($crl); +- } ++ my $dir = shift; ++ my %hashlist; ++ ++ print "Doing $dir\n"; ++ ++ if (!chdir $dir) { ++ print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; ++ return; ++ } ++ ++ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; ++ my @flist = sort readdir(DIR); ++ closedir DIR; ++ if ( $removelinks ) { ++ # Delete any existing symbolic links ++ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { ++ if (-l $_) { ++ print "unlink $_\n" if $verbose; ++ unlink $_ || warn "Can't unlink $_, $!\n"; ++ } ++ } ++ } ++ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { ++ # Check to see if certificates and/or CRLs present. ++ my ($cert, $crl) = check_file($fname); ++ if (!$cert && !$crl) { ++ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; ++ next; ++ } ++ link_hash_cert($fname) if ($cert); ++ link_hash_crl($fname) if ($crl); ++ } ++ ++ chdir $pwd; + } + + sub check_file { +- my ($is_cert, $is_crl) = (0,0); +- my $fname = $_[0]; +- open IN, $fname; +- while() { +- if (/^-----BEGIN (.*)-----/) { +- my $hdr = $1; +- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { +- $is_cert = 1; +- last if ($is_crl); +- } elsif ($hdr eq "X509 CRL") { +- $is_crl = 1; +- last if ($is_cert); +- } +- } +- } +- close IN; +- return ($is_cert, $is_crl); ++ my ($is_cert, $is_crl) = (0,0); ++ my $fname = $_[0]; ++ ++ open(my $in, "<", $fname); ++ while(<$in>) { ++ if (/^-----BEGIN (.*)-----/) { ++ my $hdr = $1; ++ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { ++ $is_cert = 1; ++ last if ($is_crl); ++ } elsif ($hdr eq "X509 CRL") { ++ $is_crl = 1; ++ last if ($is_cert); ++ } ++ } ++ } ++ close $in; ++ return ($is_cert, $is_crl); + } + + sub compute_hash { +@@ -177,76 +203,48 @@ sub compute_hash { + # certificate fingerprints + + sub link_hash_cert { +- my $fname = $_[0]; +- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, +- "-fingerprint", "-noout", +- "-in", $fname); +- chomp $hash; +- chomp $fprint; +- return if !$hash; +- $fprint =~ s/^.*=//; +- $fprint =~ tr/://d; +- my $suffix = 0; +- # Search for an unused hash filename +- while(exists $hashlist{"$hash.$suffix"}) { +- # Hash matches: if fingerprint matches its a duplicate cert +- if ($hashlist{"$hash.$suffix"} eq $fprint) { +- print STDERR "WARNING: Skipping duplicate certificate $fname\n"; +- return; +- } +- $suffix++; +- } +- $hash .= ".$suffix"; +- if ($symlink_exists) { +- print "link $fname -> $hash\n" if $verbose; +- symlink $fname, $hash || warn "Can't symlink, $!"; +- } else { +- print "copy $fname -> $hash\n" if $verbose; +- if (open($in, "<", $fname)) { +- if (open($out,">", $hash)) { +- print $out $_ while (<$in>); +- close $out; +- } else { +- warn "can't open $hash for write, $!"; +- } +- close $in; +- } else { +- warn "can't open $fname for read, $!"; +- } +- } +- $hashlist{$hash} = $fprint; ++ link_hash($_[0], 'cert'); + } + + # Same as above except for a CRL. CRL links are of the form .r + + sub link_hash_crl { +- my $fname = $_[0]; +- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, +- "-fingerprint", "-noout", +- "-in", $fname); +- chomp $hash; +- chomp $fprint; +- return if !$hash; +- $fprint =~ s/^.*=//; +- $fprint =~ tr/://d; +- my $suffix = 0; +- # Search for an unused hash filename +- while(exists $hashlist{"$hash.r$suffix"}) { +- # Hash matches: if fingerprint matches its a duplicate cert +- if ($hashlist{"$hash.r$suffix"} eq $fprint) { +- print STDERR "WARNING: Skipping duplicate CRL $fname\n"; +- return; +- } +- $suffix++; +- } +- $hash .= ".r$suffix"; +- if ($symlink_exists) { +- print "link $fname -> $hash\n" if $verbose; +- symlink $fname, $hash || warn "Can't symlink, $!"; +- } else { +- print "cp $fname -> $hash\n" if $verbose; +- system ("cp", $fname, $hash); +- warn "Can't copy, $!" if ($? >> 8) != 0; +- } +- $hashlist{$hash} = $fprint; ++ link_hash($_[0], 'crl'); ++} ++ ++sub link_hash { ++ my ($fname, $type) = @_; ++ my $is_cert = $type eq 'cert'; ++ ++ my ($hash, $fprint) = compute_hash($openssl, ++ $is_cert ? "x509" : "crl", ++ $is_cert ? $x509hash : $crlhash, ++ "-fingerprint", "-noout", ++ "-in", $fname); ++ chomp $hash; ++ chomp $fprint; ++ return if !$hash; ++ $fprint =~ s/^.*=//; ++ $fprint =~ tr/://d; ++ my $suffix = 0; ++ # Search for an unused hash filename ++ my $crlmark = $is_cert ? "" : "r"; ++ while(exists $hashlist{"$hash.$crlmark$suffix"}) { ++ # Hash matches: if fingerprint matches its a duplicate cert ++ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { ++ my $what = $is_cert ? 'certificate' : 'CRL'; ++ print STDERR "WARNING: Skipping duplicate $what $fname\n"; ++ return; ++ } ++ $suffix++; ++ } ++ $hash .= ".$crlmark$suffix"; ++ if ($symlink_exists) { ++ print "link $fname -> $hash\n" if $verbose; ++ symlink $fname, $hash || warn "Can't symlink, $!"; ++ } else { ++ print "copy $fname -> $hash\n" if $verbose; ++ copy_file($fname, $hash); ++ } ++ $hashlist{$hash} = $fprint; + } \ No newline at end of file