packages/intel-sgx-ssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to 2.19

Browse Source
This commit is contained in:
zhoushuiqing 2023-07-21 15:55:41 +08:00
parent 6c43f8c670
commit 53bb4b8a60
10 changed files with 42 additions and 584 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
0001-Solution_to_issue_ssl_library_is_not_supported.patch
View File

@ -1,4 +1,4 @@
From 94d10d73ac952fc8b4f5b6581b858d6fe7f7a352 Mon Sep 17 00:00:00 2001
From c2380f793beedc0bef5ab1248ff1163890e63cc8 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Thu, 25 Feb 2021 16:41:56 +0800
Subject: [PATCH] support ssl library
@ -9,12 +9,12 @@ update copyright year
Reference: https://github.com/intel/intel-sgx-ssl/commit/94d10d73ac952fc8b4f5b6581b858d6fe7f7a352
Conflict: NA
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
---
Linux/Makefile | 1 +
Linux/build_openssl.sh | 9 +-
Linux/build_openssl.sh | 8 +-
Linux/package/include/sgx_tsgxssl.edl | 14 ++
Linux/package/include/tsgxsslio.h | 13 +-
Linux/package/include/tsgxsslio.h | 14 +-
Linux/sgx/buildenv.mk | 2 +
Linux/sgx/libsgx_tsgxssl/Makefile | 2 +-
Linux/sgx/libsgx_tsgxssl/tcommon.h | 1 +
@ -25,9 +25,10 @@ Conflict: NA
Linux/sgx/libsgx_usgxssl/ustdio.cpp | 96 ++++++++
Linux/sgx/libsgx_usgxssl/ustdlib.cpp | 61 +++++
Linux/sgx/libsgx_usgxssl/uunistd.cpp | 46 ++++
Linux/sgx/test_app/enclave/TestEnclave.h | 2 +-
Linux/sgx/test_app/enclave/tests/stdio_func.c | 4 +-
openssl_source/bypass_to_sgxssl.h | 11 +-
16 files changed, 516 insertions(+), 82 deletions(-)
17 files changed, 518 insertions(+), 82 deletions(-)
create mode 100644 Linux/sgx/libsgx_usgxssl/ustdio.cpp
create mode 100644 Linux/sgx/libsgx_usgxssl/ustdlib.cpp
create mode 100644 Linux/sgx/libsgx_usgxssl/uunistd.cpp
@ -45,10 +46,10 @@ index 9524f45..304ce24 100644
rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7d77b79..9dc4082 100755
index ba9ff65..ce12472 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -59,6 +59,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1
@@ -58,6 +58,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1
# Remove AESBS to support only AESNI and VPAES
sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
@ -56,7 +57,7 @@ index 7d77b79..9dc4082 100755
##Space optimization flags.
SPACE_OPT=
@@ -69,8 +70,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt
@@ -68,8 +69,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt
fi
OUTPUT_LIB=libsgx_tsgxssl_crypto.a
@ -67,17 +68,16 @@ index 7d77b79..9dc4082 100755
ADDITIONAL_CONF="-g "
fi
@@ -136,8 +139,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
@@ -136,7 +139,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h --prefix=$OPENSSL_INSTALL_DIR || exit 1
-
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h -include$SGXSSL_ROOT/../Linux/package/include/tsgxsslio.h --prefix=$OPENSSL_INSTALL_DIR || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h -include$SGXSSL_ROOT/../Linux/package/include/tsgxsslio.h || exit 1
sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c
make build_all_generated || exit 1
@@ -159,8 +161,9 @@ then
@@ -159,8 +162,9 @@ then
cp $SGXSSL_ROOT/../openssl_source/Linux/x86_64cpuid.s ./crypto/x86_64cpuid.s
fi
@ -114,7 +114,7 @@ index cbc4888..e385250 100644
trusted {
diff --git a/Linux/package/include/tsgxsslio.h b/Linux/package/include/tsgxsslio.h
index a200a17..fe56f61 100644
index a200a17..535e37a 100644
--- a/Linux/package/include/tsgxsslio.h
+++ b/Linux/package/include/tsgxsslio.h
@@ -32,6 +32,18 @@
@ -138,7 +138,7 @@ index a200a17..fe56f61 100644
#endif // _TSGXSSL_IO_H_
diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
index cd8818e..7cd794c 100644
index dac23c7..971b991 100644
--- a/Linux/sgx/buildenv.mk
+++ b/Linux/sgx/buildenv.mk
@@ -73,11 +73,13 @@ endif
@ -156,10 +156,10 @@ index cd8818e..7cd794c 100644
UNTRUSTED_LIB := libsgx_usgxssl.a
endif
diff --git a/Linux/sgx/libsgx_tsgxssl/Makefile b/Linux/sgx/libsgx_tsgxssl/Makefile
index 40d8f3b..3eb4a7e 100644
index f9d29ca..62488c7 100644
--- a/Linux/sgx/libsgx_tsgxssl/Makefile
+++ b/Linux/sgx/libsgx_tsgxssl/Makefile
@@ -90,7 +90,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o))
@@ -95,7 +95,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o))
Sgx_tssl_Include_Paths := -I. -I$(PACKAGE_INC) -I$(SGX_SDK_INC) -I$(SGX_SDK_INC)/tlibc -I$(LIBCXX_INC)
@ -167,7 +167,7 @@ index 40d8f3b..3eb4a7e 100644
+Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector-strong -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths)
Sgx_tssl_C_Flags := $(Common_C_Cpp_Flags) -Wno-implicit-function-declaration -std=c11 $(MITIGATION_CFLAGS) $(NO_THREADS_CFLAG)
Sgx_tssl_Cpp_Flags := $(Common_C_Cpp_Flags) -std=c++11 -nostdinc++ $(MITIGATION_CFLAGS)
$(shell mkdir -p $(OBJDIR))
ifeq ($(SKIP_INTELCPU_CHECK), TRUE)
diff --git a/Linux/sgx/libsgx_tsgxssl/tcommon.h b/Linux/sgx/libsgx_tsgxssl/tcommon.h
index f8d9379..dd1ca8d 100644
--- a/Linux/sgx/libsgx_tsgxssl/tcommon.h
@ -565,10 +565,10 @@ index 7bdfa07..d7aba27 100644
// TODO
diff --git a/Linux/sgx/libsgx_usgxssl/Makefile b/Linux/sgx/libsgx_usgxssl/Makefile
index 5d7e756..ee1f29f 100644
index b469f23..4534acf 100644
--- a/Linux/sgx/libsgx_usgxssl/Makefile
+++ b/Linux/sgx/libsgx_usgxssl/Makefile
@@ -72,7 +72,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl
@@ -77,7 +77,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl
Sgx_ussl_Include_Paths := -I. -I$(SGX_SDK_INC)
@ -798,6 +798,19 @@ index 0000000..c2456ba
+}
+
+}
diff --git a/Linux/sgx/test_app/enclave/TestEnclave.h b/Linux/sgx/test_app/enclave/TestEnclave.h
index f120489..26cfedf 100644
--- a/Linux/sgx/test_app/enclave/TestEnclave.h
+++ b/Linux/sgx/test_app/enclave/TestEnclave.h
@@ -43,7 +43,7 @@
abort(); \
} \
}
-void ERR_print_errors_fp(FILE *fp);
+// void ERR_print_errors_fp(FILE *fp);
int BN_print_fp(FILE *fp, const BIGNUM *a);
#if defined(__cplusplus)
diff --git a/Linux/sgx/test_app/enclave/tests/stdio_func.c b/Linux/sgx/test_app/enclave/tests/stdio_func.c
index 286340e..13de4dd 100644
--- a/Linux/sgx/test_app/enclave/tests/stdio_func.c
@ -850,5 +863,5 @@ index 6ff3fc2..9676726 100644
#if defined(SGXSDK_INT_VERSION) && (SGXSDK_INT_VERSION > 18)
#define _longjmp longjmp
--
2.27.0
2.33.0

0
adapt-openssl-CVE.patch → 0002-adapt-openssl-CVE.patch
View File

72
backport-CVE-2022-0778.patch
View File

@ -1,72 +0,0 @@
From 4382b4d9446c34d29b12dedf6b93f35215b9dd3b Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65
Conflict: NA
---
openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c | 30 +++++++++++--------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c b/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
index 1723d5d..53b0f55 100644
--- a/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
+++ b/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.23.0

61
backport-CVE-2022-0778_test.patch
View File

@ -1,61 +0,0 @@
From 6ec7f406d2141b78508b5df91597a61de2ac38ed Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0
Conflict: NA
---
openssl_source/openssl-1.1.1l/test/bntest.c | 11 ++++++++++-
openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/openssl_source/openssl-1.1.1l/test/bntest.c b/openssl_source/openssl-1.1.1l/test/bntest.c
index 236501e..08c60a2 100644
--- a/openssl_source/openssl-1.1.1l/test/bntest.c
+++ b/openssl_source/openssl-1.1.1l/test/bntest.c
@@ -1685,8 +1685,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt b/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d03..e28cc6b 100644
--- a/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
+++ b/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--
2.23.0

80
backport-CVE-2022-1292.patch
View File

@ -1,80 +0,0 @@
From 9b495e8d9028ca893019c5b176d913051ea925ac Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
Conflict:NA
---
openssl_source/openssl-1.1.1l/tools/c_rehash.in | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index fa7c6c9..83c1cc8 100644
--- a/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
--
2.23.0

259
backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
View File

@ -1,259 +0,0 @@
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 29 May 2022 20:11:24 +0200
Subject: [PATCH] Fix file operations in c_rehash.
CVE-2022-2068
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reference: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7
Conflict: NA
---
openssl_source/openssl-1.1.1l/tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
1 file changed, 107 insertions(+), 109 deletions(-)
diff --git a/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index cfd18f5da1..9d2a6f6db7 100644
--- a/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -104,52 +104,78 @@ foreach (@dirlist) {
}
exit($errorcount);
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
+}
+
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
}
sub compute_hash {
@@ -177,76 +203,48 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
}
--
2.23.0

76
backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
View File

@ -1,76 +0,0 @@
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reference:https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431
Conflict: NA
---
openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl b/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
index fe2b26542a..812758e02e 100644
--- a/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
+++ b/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
--
2.27.0

21
intel-sgx-ssl.spec
View File

@ -1,7 +1,7 @@
%define openssl_version 1.1.1l
%define openssl_version 1.1.1t
Name: intel-sgx-ssl
Version: 2.15.1
Release: 3
Version: 2.19
Release: 1
Summary: Intel® Software Guard Extensions SSL
ExclusiveArch: x86_64
License: OpenSSL and BSD-3-Clause
@ -10,12 +10,7 @@ Source0: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/lin_%{v
Source1: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz
Patch0: 0001-Solution_to_issue_ssl_library_is_not_supported.patch
Patch1: adapt-openssl-CVE.patch
Patch2: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch3: backport-CVE-2022-1292.patch
Patch4: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch5: backport-CVE-2022-0778.patch
Patch6: backport-CVE-2022-0778_test.patch
Patch1: 0002-adapt-openssl-CVE.patch
BuildRequires: gcc gcc-c++
BuildRequires: libsgx-launch libsgx-urts sgxsdk perl
@ -49,11 +44,6 @@ Requires: %{name} = %{version}-%{release}
%setup -q -D -T -n intel-sgx-ssl-lin_%{version}_%{openssl_version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%build
cp %{SOURCE1} openssl_source/
@ -75,6 +65,9 @@ cp License.txt $RPM_BUILD_ROOT/opt/intel/sgxssl/docs/
/opt/intel/sgxssl/include/*
%changelog
* Fri Jul 21 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 2.19-1
- Upgrade to 2.19
* Thu Nov 24 2022 wangyu <wangyu283@huawei.com> - 2.15.1-3
- Update the source0 link address.

BIN
lin_2.15.1_1.1.1l.zip → lin_2.19_1.1.1t.zip
View File

Binary file not shown.

BIN
openssl-1.1.1l.tar.gz → openssl-1.1.1t.tar.gz
View File

Binary file not shown.