diff --git a/cmake/external_libs/openssl.cmake b/cmake/external_libs/openssl.cmake
index dad9f12fdb9..447c35377df 100644
--- a/cmake/external_libs/openssl.cmake
+++ b/cmake/external_libs/openssl.cmake
@@ -28,7 +28,10 @@ if(BUILD_LITE)
CONFIGURE_COMMAND ./Configure android-arm64 -D__ANDROID_API__=29 no-zlib
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
)
elseif(PLATFORM_ARM32 AND ANDROID_NDK_TOOLCHAIN_INCLUDED)
@@ -46,7 +49,10 @@ if(BUILD_LITE)
CONFIGURE_COMMAND ./Configure android-arm -D__ANDROID_API__=19 no-zlib
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
)
elseif(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR APPLE)
@@ -59,7 +65,10 @@ if(BUILD_LITE)
CONFIGURE_COMMAND ./config no-zlib no-shared
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
)
else()
@@ -79,7 +88,10 @@ else()
CONFIGURE_COMMAND ./config no-zlib no-shared
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
+ PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
)
include_directories(${openssl_INC})
diff --git a/third_party/patch/openssl/CVE-2021-4160.patch b/third_party/patch/openssl/CVE-2021-4160.patch
new file mode 100644
index 00000000000..c5773f5b9f1
--- /dev/null
+++ b/third_party/patch/openssl/CVE-2021-4160.patch
@@ -0,0 +1,78 @@
+diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
+index 95cb227dc5..91b7aac6e7 100644
+--- a/crypto/bn/asm/mips.pl
++++ b/crypto/bn/asm/mips.pl
+@@ -1986,6 +1986,8 @@ $code.=<<___;
+ sltu $at,$c_2,$t_1
+ $ADDU $c_3,$t_2,$at
+ $ST $c_2,$BNSZ($a0)
++ sltu $at,$c_3,$t_2
++ $ADDU $c_1,$at
+ mflo ($t_1,$a_2,$a_0)
+ mfhi ($t_2,$a_2,$a_0)
+ ___
+@@ -2196,6 +2198,8 @@ $code.=<<___;
+ sltu $at,$c_2,$t_1
+ $ADDU $c_3,$t_2,$at
+ $ST $c_2,$BNSZ($a0)
++ sltu $at,$c_3,$t_2
++ $ADDU $c_1,$at
+ mflo ($t_1,$a_2,$a_0)
+ mfhi ($t_2,$a_2,$a_0)
+ ___
+diff --git a/test/bntest.c b/test/bntest.c
+index 87e5c4065b..fa9fc07cef 100644
+--- a/test/bntest.c
++++ b/test/bntest.c
+@@ -630,6 +630,51 @@ static int test_modexp_mont5(void)
+ if (!TEST_BN_eq(c, d))
+ goto err;
+
++ /*
++ * Regression test for overflow bug in bn_sqr_comba4/8 for
++ * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
++ */
++ {
++ static const char *ehex[] = {
++ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
++ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
++ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
++ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
++ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
++ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
++ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
++ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
++ NULL};
++ static const char *phex[] = {
++ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
++ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
++ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
++ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
++ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
++ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813",
++ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4",
++ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5",
++ NULL};
++ static const char *mhex[] = {
++ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f",
++ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3",
++ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900",
++ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b",
++ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc",
++ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647",
++ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c",
++ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b",
++ NULL};
++
++ if (!TEST_true(parse_bigBN(&e, ehex))
++ || !TEST_true(parse_bigBN(&p, phex))
++ || !TEST_true(parse_bigBN(&m, mhex))
++ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
++ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
++ || !TEST_BN_eq(a, d))
++ goto err;
++ }
++
+ /* Zero input */
+ if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0)))
+ goto err;
\ No newline at end of file
diff --git a/third_party/patch/openssl/CVE-2022-1292.patch b/third_party/patch/openssl/CVE-2022-1292.patch
new file mode 100644
index 00000000000..d07162220b5
--- /dev/null
+++ b/third_party/patch/openssl/CVE-2022-1292.patch
@@ -0,0 +1,58 @@
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index fa7c6c9fef..83c1cc80e0 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -152,6 +152,23 @@ sub check_file {
+ return ($is_cert, $is_crl);
+ }
+
++sub compute_hash {
++ my $fh;
++ if ( $^O eq "VMS" ) {
++ # VMS uses the open through shell
++ # The file names are safe there and list form is unsupported
++ if (!open($fh, "-|", join(' ', @_))) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ } else {
++ if (!open($fh, "-|", @_)) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ }
++ return (<$fh>, <$fh>);
++}
+
+ # Link a certificate to its subject name hash value, each hash is of
+ # the form <hash>.<n> where n is an integer. If the hash value already exists
+@@ -161,10 +178,12 @@ sub check_file {
+
+ sub link_hash_cert {
+ my $fname = $_[0];
+- $fname =~ s/\"/\\\"/g;
+- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+@@ -202,10 +221,12 @@ sub link_hash_cert {
+
+ sub link_hash_crl {
+ my $fname = $_[0];
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
\ No newline at end of file
diff --git a/third_party/patch/openssl/CVE-2022-2068.patch b/third_party/patch/openssl/CVE-2022-2068.patch
new file mode 100644
index 00000000000..fde78b92782
--- /dev/null
+++ b/third_party/patch/openssl/CVE-2022-2068.patch
@@ -0,0 +1,241 @@
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index cfd18f5da1..9d2a6f6db7 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -104,52 +104,78 @@ foreach (@dirlist) {
+ }
+ exit($errorcount);
+
++sub copy_file {
++ my ($src_fname, $dst_fname) = @_;
++
++ if (open(my $in, "<", $src_fname)) {
++ if (open(my $out, ">", $dst_fname)) {
++ print $out $_ while (<$in>);
++ close $out;
++ } else {
++ warn "Cannot open $dst_fname for write, $!";
++ }
++ close $in;
++ } else {
++ warn "Cannot open $src_fname for read, $!";
++ }
++}
++
+ sub hash_dir {
+- my %hashlist;
+- print "Doing $_[0]\n";
+- chdir $_[0];
+- opendir(DIR, ".");
+- my @flist = sort readdir(DIR);
+- closedir DIR;
+- if ( $removelinks ) {
+- # Delete any existing symbolic links
+- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+- if (-l $_) {
+- print "unlink $_" if $verbose;
+- unlink $_ || warn "Can't unlink $_, $!\n";
+- }
+- }
+- }
+- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+- # Check to see if certificates and/or CRLs present.
+- my ($cert, $crl) = check_file($fname);
+- if (!$cert && !$crl) {
+- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+- next;
+- }
+- link_hash_cert($fname) if ($cert);
+- link_hash_crl($fname) if ($crl);
+- }
++ my $dir = shift;
++ my %hashlist;
++
++ print "Doing $dir\n";
++
++ if (!chdir $dir) {
++ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
++ return;
++ }
++
++ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
++ my @flist = sort readdir(DIR);
++ closedir DIR;
++ if ( $removelinks ) {
++ # Delete any existing symbolic links
++ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
++ if (-l $_) {
++ print "unlink $_\n" if $verbose;
++ unlink $_ || warn "Can't unlink $_, $!\n";
++ }
++ }
++ }
++ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
++ # Check to see if certificates and/or CRLs present.
++ my ($cert, $crl) = check_file($fname);
++ if (!$cert && !$crl) {
++ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
++ next;
++ }
++ link_hash_cert($fname) if ($cert);
++ link_hash_crl($fname) if ($crl);
++ }
++
++ chdir $pwd;
+ }
+
+ sub check_file {
+- my ($is_cert, $is_crl) = (0,0);
+- my $fname = $_[0];
+- open IN, $fname;
+- while(<IN>) {
+- if (/^-----BEGIN (.*)-----/) {
+- my $hdr = $1;
+- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+- $is_cert = 1;
+- last if ($is_crl);
+- } elsif ($hdr eq "X509 CRL") {
+- $is_crl = 1;
+- last if ($is_cert);
+- }
+- }
+- }
+- close IN;
+- return ($is_cert, $is_crl);
++ my ($is_cert, $is_crl) = (0,0);
++ my $fname = $_[0];
++
++ open(my $in, "<", $fname);
++ while(<$in>) {
++ if (/^-----BEGIN (.*)-----/) {
++ my $hdr = $1;
++ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
++ $is_cert = 1;
++ last if ($is_crl);
++ } elsif ($hdr eq "X509 CRL") {
++ $is_crl = 1;
++ last if ($is_cert);
++ }
++ }
++ }
++ close $in;
++ return ($is_cert, $is_crl);
+ }
+
+ sub compute_hash {
+@@ -177,76 +203,48 @@ sub compute_hash {
+ # certificate fingerprints
+
+ sub link_hash_cert {
+- my $fname = $_[0];
+- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+- "-fingerprint", "-noout",
+- "-in", $fname);
+- chomp $hash;
+- chomp $fprint;
+- return if !$hash;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if ($hashlist{"$hash.$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".$suffix";
+- if ($symlink_exists) {
+- print "link $fname -> $hash\n" if $verbose;
+- symlink $fname, $hash || warn "Can't symlink, $!";
+- } else {
+- print "copy $fname -> $hash\n" if $verbose;
+- if (open($in, "<", $fname)) {
+- if (open($out,">", $hash)) {
+- print $out $_ while (<$in>);
+- close $out;
+- } else {
+- warn "can't open $hash for write, $!";
+- }
+- close $in;
+- } else {
+- warn "can't open $fname for read, $!";
+- }
+- }
+- $hashlist{$hash} = $fprint;
++ link_hash($_[0], 'cert');
+ }
+
+ # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
+
+ sub link_hash_crl {
+- my $fname = $_[0];
+- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+- "-fingerprint", "-noout",
+- "-in", $fname);
+- chomp $hash;
+- chomp $fprint;
+- return if !$hash;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.r$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".r$suffix";
+- if ($symlink_exists) {
+- print "link $fname -> $hash\n" if $verbose;
+- symlink $fname, $hash || warn "Can't symlink, $!";
+- } else {
+- print "cp $fname -> $hash\n" if $verbose;
+- system ("cp", $fname, $hash);
+- warn "Can't copy, $!" if ($? >> 8) != 0;
+- }
+- $hashlist{$hash} = $fprint;
++ link_hash($_[0], 'crl');
++}
++
++sub link_hash {
++ my ($fname, $type) = @_;
++ my $is_cert = $type eq 'cert';
++
++ my ($hash, $fprint) = compute_hash($openssl,
++ $is_cert ? "x509" : "crl",
++ $is_cert ? $x509hash : $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
++ chomp $hash;
++ chomp $fprint;
++ return if !$hash;
++ $fprint =~ s/^.*=//;
++ $fprint =~ tr/://d;
++ my $suffix = 0;
++ # Search for an unused hash filename
++ my $crlmark = $is_cert ? "" : "r";
++ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
++ # Hash matches: if fingerprint matches its a duplicate cert
++ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
++ my $what = $is_cert ? 'certificate' : 'CRL';
++ print STDERR "WARNING: Skipping duplicate $what $fname\n";
++ return;
++ }
++ $suffix++;
++ }
++ $hash .= ".$crlmark$suffix";
++ if ($symlink_exists) {
++ print "link $fname -> $hash\n" if $verbose;
++ symlink $fname, $hash || warn "Can't symlink, $!";
++ } else {
++ print "copy $fname -> $hash\n" if $verbose;
++ copy_file($fname, $hash);
++ }
++ $hashlist{$hash} = $fprint;
+ }
\ No newline at end of file