add patches for fixing openssl CVEs
修改: cmake/external_libs/openssl.cmake 新文件: third_party/patch/openssl/CVE-2021-4160.patch 新文件: third_party/patch/openssl/CVE-2022-1292.patch 新文件: third_party/patch/openssl/CVE-2022-2068.patch
This commit is contained in:
parent
b7ec631f11
commit
29c6397ba2
|
@ -28,7 +28,10 @@ if(BUILD_LITE)
|
|||
CONFIGURE_COMMAND ./Configure android-arm64 -D__ANDROID_API__=29 no-zlib
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
|
||||
)
|
||||
elseif(PLATFORM_ARM32 AND ANDROID_NDK_TOOLCHAIN_INCLUDED)
|
||||
|
@ -46,7 +49,10 @@ if(BUILD_LITE)
|
|||
CONFIGURE_COMMAND ./Configure android-arm -D__ANDROID_API__=19 no-zlib
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
|
||||
)
|
||||
elseif(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR APPLE)
|
||||
|
@ -59,7 +65,10 @@ if(BUILD_LITE)
|
|||
CONFIGURE_COMMAND ./config no-zlib no-shared
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
|
||||
)
|
||||
else()
|
||||
|
@ -79,7 +88,10 @@ else()
|
|||
CONFIGURE_COMMAND ./config no-zlib no-shared
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3711.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-3712.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2021-4160.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-0778.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-1292.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2068.patch
|
||||
PATCHES ${OPENSSL_PATCH_ROOT}/CVE-2022-2097.patch
|
||||
)
|
||||
include_directories(${openssl_INC})
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
|
||||
index 95cb227dc5..91b7aac6e7 100644
|
||||
--- a/crypto/bn/asm/mips.pl
|
||||
+++ b/crypto/bn/asm/mips.pl
|
||||
@@ -1986,6 +1986,8 @@ $code.=<<___;
|
||||
sltu $at,$c_2,$t_1
|
||||
$ADDU $c_3,$t_2,$at
|
||||
$ST $c_2,$BNSZ($a0)
|
||||
+ sltu $at,$c_3,$t_2
|
||||
+ $ADDU $c_1,$at
|
||||
mflo ($t_1,$a_2,$a_0)
|
||||
mfhi ($t_2,$a_2,$a_0)
|
||||
___
|
||||
@@ -2196,6 +2198,8 @@ $code.=<<___;
|
||||
sltu $at,$c_2,$t_1
|
||||
$ADDU $c_3,$t_2,$at
|
||||
$ST $c_2,$BNSZ($a0)
|
||||
+ sltu $at,$c_3,$t_2
|
||||
+ $ADDU $c_1,$at
|
||||
mflo ($t_1,$a_2,$a_0)
|
||||
mfhi ($t_2,$a_2,$a_0)
|
||||
___
|
||||
diff --git a/test/bntest.c b/test/bntest.c
|
||||
index 87e5c4065b..fa9fc07cef 100644
|
||||
--- a/test/bntest.c
|
||||
+++ b/test/bntest.c
|
||||
@@ -630,6 +630,51 @@ static int test_modexp_mont5(void)
|
||||
if (!TEST_BN_eq(c, d))
|
||||
goto err;
|
||||
|
||||
+ /*
|
||||
+ * Regression test for overflow bug in bn_sqr_comba4/8 for
|
||||
+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
|
||||
+ */
|
||||
+ {
|
||||
+ static const char *ehex[] = {
|
||||
+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
|
||||
+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
|
||||
+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
|
||||
+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
|
||||
+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
|
||||
+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
|
||||
+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
|
||||
+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
|
||||
+ NULL};
|
||||
+ static const char *phex[] = {
|
||||
+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
|
||||
+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
|
||||
+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
|
||||
+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
|
||||
+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
|
||||
+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813",
|
||||
+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4",
|
||||
+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5",
|
||||
+ NULL};
|
||||
+ static const char *mhex[] = {
|
||||
+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f",
|
||||
+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3",
|
||||
+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900",
|
||||
+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b",
|
||||
+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc",
|
||||
+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647",
|
||||
+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c",
|
||||
+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b",
|
||||
+ NULL};
|
||||
+
|
||||
+ if (!TEST_true(parse_bigBN(&e, ehex))
|
||||
+ || !TEST_true(parse_bigBN(&p, phex))
|
||||
+ || !TEST_true(parse_bigBN(&m, mhex))
|
||||
+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
|
||||
+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
|
||||
+ || !TEST_BN_eq(a, d))
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
/* Zero input */
|
||||
if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0)))
|
||||
goto err;
|
|
@ -0,0 +1,58 @@
|
|||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||
index fa7c6c9fef..83c1cc80e0 100644
|
||||
--- a/tools/c_rehash.in
|
||||
+++ b/tools/c_rehash.in
|
||||
@@ -152,6 +152,23 @@ sub check_file {
|
||||
return ($is_cert, $is_crl);
|
||||
}
|
||||
|
||||
+sub compute_hash {
|
||||
+ my $fh;
|
||||
+ if ( $^O eq "VMS" ) {
|
||||
+ # VMS uses the open through shell
|
||||
+ # The file names are safe there and list form is unsupported
|
||||
+ if (!open($fh, "-|", join(' ', @_))) {
|
||||
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!open($fh, "-|", @_)) {
|
||||
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ return (<$fh>, <$fh>);
|
||||
+}
|
||||
|
||||
# Link a certificate to its subject name hash value, each hash is of
|
||||
# the form <hash>.<n> where n is an integer. If the hash value already exists
|
||||
@@ -161,10 +178,12 @@ sub check_file {
|
||||
|
||||
sub link_hash_cert {
|
||||
my $fname = $_[0];
|
||||
- $fname =~ s/\"/\\\"/g;
|
||||
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
|
||||
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
chomp $hash;
|
||||
chomp $fprint;
|
||||
+ return if !$hash;
|
||||
$fprint =~ s/^.*=//;
|
||||
$fprint =~ tr/://d;
|
||||
my $suffix = 0;
|
||||
@@ -202,10 +221,12 @@ sub link_hash_cert {
|
||||
|
||||
sub link_hash_crl {
|
||||
my $fname = $_[0];
|
||||
- $fname =~ s/'/'\\''/g;
|
||||
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
|
||||
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
chomp $hash;
|
||||
chomp $fprint;
|
||||
+ return if !$hash;
|
||||
$fprint =~ s/^.*=//;
|
||||
$fprint =~ tr/://d;
|
||||
my $suffix = 0;
|
|
@ -0,0 +1,241 @@
|
|||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||
index cfd18f5da1..9d2a6f6db7 100644
|
||||
--- a/tools/c_rehash.in
|
||||
+++ b/tools/c_rehash.in
|
||||
@@ -104,52 +104,78 @@ foreach (@dirlist) {
|
||||
}
|
||||
exit($errorcount);
|
||||
|
||||
+sub copy_file {
|
||||
+ my ($src_fname, $dst_fname) = @_;
|
||||
+
|
||||
+ if (open(my $in, "<", $src_fname)) {
|
||||
+ if (open(my $out, ">", $dst_fname)) {
|
||||
+ print $out $_ while (<$in>);
|
||||
+ close $out;
|
||||
+ } else {
|
||||
+ warn "Cannot open $dst_fname for write, $!";
|
||||
+ }
|
||||
+ close $in;
|
||||
+ } else {
|
||||
+ warn "Cannot open $src_fname for read, $!";
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
sub hash_dir {
|
||||
- my %hashlist;
|
||||
- print "Doing $_[0]\n";
|
||||
- chdir $_[0];
|
||||
- opendir(DIR, ".");
|
||||
- my @flist = sort readdir(DIR);
|
||||
- closedir DIR;
|
||||
- if ( $removelinks ) {
|
||||
- # Delete any existing symbolic links
|
||||
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||
- if (-l $_) {
|
||||
- print "unlink $_" if $verbose;
|
||||
- unlink $_ || warn "Can't unlink $_, $!\n";
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||
- # Check to see if certificates and/or CRLs present.
|
||||
- my ($cert, $crl) = check_file($fname);
|
||||
- if (!$cert && !$crl) {
|
||||
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||
- next;
|
||||
- }
|
||||
- link_hash_cert($fname) if ($cert);
|
||||
- link_hash_crl($fname) if ($crl);
|
||||
- }
|
||||
+ my $dir = shift;
|
||||
+ my %hashlist;
|
||||
+
|
||||
+ print "Doing $dir\n";
|
||||
+
|
||||
+ if (!chdir $dir) {
|
||||
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
|
||||
+ my @flist = sort readdir(DIR);
|
||||
+ closedir DIR;
|
||||
+ if ( $removelinks ) {
|
||||
+ # Delete any existing symbolic links
|
||||
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||
+ if (-l $_) {
|
||||
+ print "unlink $_\n" if $verbose;
|
||||
+ unlink $_ || warn "Can't unlink $_, $!\n";
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||
+ # Check to see if certificates and/or CRLs present.
|
||||
+ my ($cert, $crl) = check_file($fname);
|
||||
+ if (!$cert && !$crl) {
|
||||
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||
+ next;
|
||||
+ }
|
||||
+ link_hash_cert($fname) if ($cert);
|
||||
+ link_hash_crl($fname) if ($crl);
|
||||
+ }
|
||||
+
|
||||
+ chdir $pwd;
|
||||
}
|
||||
|
||||
sub check_file {
|
||||
- my ($is_cert, $is_crl) = (0,0);
|
||||
- my $fname = $_[0];
|
||||
- open IN, $fname;
|
||||
- while(<IN>) {
|
||||
- if (/^-----BEGIN (.*)-----/) {
|
||||
- my $hdr = $1;
|
||||
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||
- $is_cert = 1;
|
||||
- last if ($is_crl);
|
||||
- } elsif ($hdr eq "X509 CRL") {
|
||||
- $is_crl = 1;
|
||||
- last if ($is_cert);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- close IN;
|
||||
- return ($is_cert, $is_crl);
|
||||
+ my ($is_cert, $is_crl) = (0,0);
|
||||
+ my $fname = $_[0];
|
||||
+
|
||||
+ open(my $in, "<", $fname);
|
||||
+ while(<$in>) {
|
||||
+ if (/^-----BEGIN (.*)-----/) {
|
||||
+ my $hdr = $1;
|
||||
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||
+ $is_cert = 1;
|
||||
+ last if ($is_crl);
|
||||
+ } elsif ($hdr eq "X509 CRL") {
|
||||
+ $is_crl = 1;
|
||||
+ last if ($is_cert);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ close $in;
|
||||
+ return ($is_cert, $is_crl);
|
||||
}
|
||||
|
||||
sub compute_hash {
|
||||
@@ -177,76 +203,48 @@ sub compute_hash {
|
||||
# certificate fingerprints
|
||||
|
||||
sub link_hash_cert {
|
||||
- my $fname = $_[0];
|
||||
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||
- "-fingerprint", "-noout",
|
||||
- "-in", $fname);
|
||||
- chomp $hash;
|
||||
- chomp $fprint;
|
||||
- return if !$hash;
|
||||
- $fprint =~ s/^.*=//;
|
||||
- $fprint =~ tr/://d;
|
||||
- my $suffix = 0;
|
||||
- # Search for an unused hash filename
|
||||
- while(exists $hashlist{"$hash.$suffix"}) {
|
||||
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
|
||||
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
|
||||
- return;
|
||||
- }
|
||||
- $suffix++;
|
||||
- }
|
||||
- $hash .= ".$suffix";
|
||||
- if ($symlink_exists) {
|
||||
- print "link $fname -> $hash\n" if $verbose;
|
||||
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
- } else {
|
||||
- print "copy $fname -> $hash\n" if $verbose;
|
||||
- if (open($in, "<", $fname)) {
|
||||
- if (open($out,">", $hash)) {
|
||||
- print $out $_ while (<$in>);
|
||||
- close $out;
|
||||
- } else {
|
||||
- warn "can't open $hash for write, $!";
|
||||
- }
|
||||
- close $in;
|
||||
- } else {
|
||||
- warn "can't open $fname for read, $!";
|
||||
- }
|
||||
- }
|
||||
- $hashlist{$hash} = $fprint;
|
||||
+ link_hash($_[0], 'cert');
|
||||
}
|
||||
|
||||
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
|
||||
|
||||
sub link_hash_crl {
|
||||
- my $fname = $_[0];
|
||||
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||
- "-fingerprint", "-noout",
|
||||
- "-in", $fname);
|
||||
- chomp $hash;
|
||||
- chomp $fprint;
|
||||
- return if !$hash;
|
||||
- $fprint =~ s/^.*=//;
|
||||
- $fprint =~ tr/://d;
|
||||
- my $suffix = 0;
|
||||
- # Search for an unused hash filename
|
||||
- while(exists $hashlist{"$hash.r$suffix"}) {
|
||||
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
|
||||
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
|
||||
- return;
|
||||
- }
|
||||
- $suffix++;
|
||||
- }
|
||||
- $hash .= ".r$suffix";
|
||||
- if ($symlink_exists) {
|
||||
- print "link $fname -> $hash\n" if $verbose;
|
||||
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
- } else {
|
||||
- print "cp $fname -> $hash\n" if $verbose;
|
||||
- system ("cp", $fname, $hash);
|
||||
- warn "Can't copy, $!" if ($? >> 8) != 0;
|
||||
- }
|
||||
- $hashlist{$hash} = $fprint;
|
||||
+ link_hash($_[0], 'crl');
|
||||
+}
|
||||
+
|
||||
+sub link_hash {
|
||||
+ my ($fname, $type) = @_;
|
||||
+ my $is_cert = $type eq 'cert';
|
||||
+
|
||||
+ my ($hash, $fprint) = compute_hash($openssl,
|
||||
+ $is_cert ? "x509" : "crl",
|
||||
+ $is_cert ? $x509hash : $crlhash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
+ chomp $hash;
|
||||
+ chomp $fprint;
|
||||
+ return if !$hash;
|
||||
+ $fprint =~ s/^.*=//;
|
||||
+ $fprint =~ tr/://d;
|
||||
+ my $suffix = 0;
|
||||
+ # Search for an unused hash filename
|
||||
+ my $crlmark = $is_cert ? "" : "r";
|
||||
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
|
||||
+ # Hash matches: if fingerprint matches its a duplicate cert
|
||||
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
|
||||
+ my $what = $is_cert ? 'certificate' : 'CRL';
|
||||
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ $suffix++;
|
||||
+ }
|
||||
+ $hash .= ".$crlmark$suffix";
|
||||
+ if ($symlink_exists) {
|
||||
+ print "link $fname -> $hash\n" if $verbose;
|
||||
+ symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
+ } else {
|
||||
+ print "copy $fname -> $hash\n" if $verbose;
|
||||
+ copy_file($fname, $hash);
|
||||
+ }
|
||||
+ $hashlist{$hash} = $fprint;
|
||||
}
|
Loading…
Reference in New Issue