packages/intel-sgx-ssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-2068 CVE-2022-0778 CVE-2022-1292 CVE-2022-2097

Browse Source
This commit is contained in:
w00559322 2022-09-03 16:23:01 +08:00
parent ccbe1325b5
commit 3ce3a430e7
8 changed files with 590 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
adapt-openssl-CVE.patch Normal file
View File

@ -0,0 +1,25 @@
From d13f8cbc7ec066b04cbe13ef6bf14b2b085fbc35 Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Sun, 5 Jun 2022 14:44:37 +0800
Subject: [PATCH] decompress openssl sourece before build
---
Linux/build_openssl.sh | 2 --
1 file changed, 2 deletions(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7d77b79..43745b8 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -54,8 +54,6 @@ mkdir -p $SGXSSL_ROOT/package/lib64/
# build openssl modules, clean previous openssl dir if it exist
cd $SGXSSL_ROOT/../openssl_source || exit 1
-rm -rf $OPENSSL_VERSION
-tar xvf $OPENSSL_VERSION.tar.gz || exit 1
# Remove AESBS to support only AESNI and VPAES
sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
--
2.23.0

72
backport-CVE-2022-0778.patch Normal file
View File

@ -0,0 +1,72 @@
From 4382b4d9446c34d29b12dedf6b93f35215b9dd3b Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65
Conflict: NA
---
openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c | 30 +++++++++++--------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c b/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
index 1723d5d..53b0f55 100644
--- a/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
+++ b/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.23.0

61
backport-CVE-2022-0778_test.patch Normal file
View File

@ -0,0 +1,61 @@
From 6ec7f406d2141b78508b5df91597a61de2ac38ed Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0
Conflict: NA
---
openssl_source/openssl-1.1.1l/test/bntest.c | 11 ++++++++++-
openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/openssl_source/openssl-1.1.1l/test/bntest.c b/openssl_source/openssl-1.1.1l/test/bntest.c
index 236501e..08c60a2 100644
--- a/openssl_source/openssl-1.1.1l/test/bntest.c
+++ b/openssl_source/openssl-1.1.1l/test/bntest.c
@@ -1685,8 +1685,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt b/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d03..e28cc6b 100644
--- a/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
+++ b/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--
2.23.0

80
backport-CVE-2022-1292.patch Normal file
View File

@ -0,0 +1,80 @@
From 9b495e8d9028ca893019c5b176d913051ea925ac Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
Conflict:NA
---
openssl_source/openssl-1.1.1l/tools/c_rehash.in | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index fa7c6c9..83c1cc8 100644
--- a/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
--
2.23.0

259
backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch Normal file
View File

@ -0,0 +1,259 @@
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 29 May 2022 20:11:24 +0200
Subject: [PATCH] Fix file operations in c_rehash.
CVE-2022-2068
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reference: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7
Conflict: NA
---
openssl_source/openssl-1.1.1l/tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
1 file changed, 107 insertions(+), 109 deletions(-)
diff --git a/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index cfd18f5da1..9d2a6f6db7 100644
--- a/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -104,52 +104,78 @@ foreach (@dirlist) {
}
exit($errorcount);
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
+}
+
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
}
sub compute_hash {
@@ -177,76 +203,48 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
}
--
2.23.0

76
backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch Normal file
View File

@ -0,0 +1,76 @@
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reference:https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431
Conflict: NA
---
openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl b/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
index fe2b26542a..812758e02e 100644
--- a/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
+++ b/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
--
2.27.0

19
intel-sgx-ssl.spec
View File

@ -1,7 +1,7 @@
%define openssl_version 1.1.1l
Name: intel-sgx-ssl
Version: 2.15.1
Release: 1
Release: 2
Summary: Intel® Software Guard Extensions SSL
ExclusiveArch: x86_64
License: OpenSSL and BSD-3-Clause
@ -10,7 +10,12 @@ Source0: https://github.com/intel/intel-sgx-ssl/archive/intel-sgx-ssl-lin
Source1: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz
Patch0: 0001-Solution_to_issue_ssl_library_is_not_supported.patch
Patch1: sgxssl_fgets-adapt-glibc-2.35.patch
Patch1: adapt-openssl-CVE.patch
Patch2: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch3: backport-CVE-2022-1292.patch
Patch4: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch5: backport-CVE-2022-0778.patch
Patch6: backport-CVE-2022-0778_test.patch
BuildRequires: gcc gcc-c++
BuildRequires: libsgx-launch libsgx-urts sgxsdk perl
@ -40,8 +45,15 @@ Requires: %{name} = %{version}-%{release}
%prep
%setup -q -n intel-sgx-ssl-lin_%{version}_%{openssl_version}
%setup -q -D -T -a 1 -n intel-sgx-ssl-lin_%{version}_%{openssl_version}/openssl_source
%setup -q -D -T -n intel-sgx-ssl-lin_%{version}_%{openssl_version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%build
cp %{SOURCE1} openssl_source/
@ -63,5 +75,8 @@ cp License.txt $RPM_BUILD_ROOT/opt/intel/sgxssl/docs/
/opt/intel/sgxssl/include/*
%changelog
* Sat Sep 03 2022 wangyu <wangyu283@huawei.com> - 2.15.1-2
- Fix CVE-2022-2068 CVE-2022-0778 CVE-2022-1292 CVE-2022-2097
* Mon Jun 27 2022 wangyu<wangyu283@huawei.com> - 2.15.1-1
- init

41
sgxssl_fgets-adapt-glibc-2.35.patch
View File

@ -1,41 +0,0 @@
From 554f95d343c231cdf97d96c876c3e8f6079ccc31 Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Mon, 27 Jun 2022 11:28:20 +0800
Subject: [PATCH] sgxssl_fgets adapt glibc-2.35
---
openssl_source/bypass_to_sgxssl.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/openssl_source/bypass_to_sgxssl.h b/openssl_source/bypass_to_sgxssl.h
index 9676726..c833bd2 100644
--- a/openssl_source/bypass_to_sgxssl.h
+++ b/openssl_source/bypass_to_sgxssl.h
@@ -175,6 +175,8 @@
#else //_WIN32
+#include <features.h>
+
#define mmap sgxssl_mmap
#define munmap sgxssl_munmap
#define mprotect sgxssl_mprotect
@@ -194,7 +196,14 @@
#define __fprintf_chk sgxssl_fprintf
#define __vfprintf_chk sgxssl_vfprintf
#define __fread_alias sgxssl_fread
-#define __fgets_alias sgxssl_fgets
+
+# if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+# if __GLIBC_PREREQ(2, 35)
+# define __fgets_chk sgxssl_fgets
+# else
+# define __fgets_alias sgxssl_fgets
+# endif
+#endif
#if defined(SGXSDK_INT_VERSION) && (SGXSDK_INT_VERSION > 18)
#define _longjmp longjmp
--
2.23.0