diff --git a/0001-Solution_to_issue_ssl_library_is_not_supported.patch b/0001-Solution_to_issue_ssl_library_is_not_supported.patch index cbab2f0..00dc3dc 100644 --- a/0001-Solution_to_issue_ssl_library_is_not_supported.patch +++ b/0001-Solution_to_issue_ssl_library_is_not_supported.patch @@ -1,4 +1,4 @@ -From 94d10d73ac952fc8b4f5b6581b858d6fe7f7a352 Mon Sep 17 00:00:00 2001 +From c2380f793beedc0bef5ab1248ff1163890e63cc8 Mon Sep 17 00:00:00 2001 From: yanlu Date: Thu, 25 Feb 2021 16:41:56 +0800 Subject: [PATCH] support ssl library @@ -9,12 +9,12 @@ update copyright year Reference: https://github.com/intel/intel-sgx-ssl/commit/94d10d73ac952fc8b4f5b6581b858d6fe7f7a352 Conflict: NA - +Signed-off-by: zhoushuiqing --- Linux/Makefile | 1 + - Linux/build_openssl.sh | 9 +- + Linux/build_openssl.sh | 8 +- Linux/package/include/sgx_tsgxssl.edl | 14 ++ - Linux/package/include/tsgxsslio.h | 13 +- + Linux/package/include/tsgxsslio.h | 14 +- Linux/sgx/buildenv.mk | 2 + Linux/sgx/libsgx_tsgxssl/Makefile | 2 +- Linux/sgx/libsgx_tsgxssl/tcommon.h | 1 + @@ -25,9 +25,10 @@ Conflict: NA Linux/sgx/libsgx_usgxssl/ustdio.cpp | 96 ++++++++ Linux/sgx/libsgx_usgxssl/ustdlib.cpp | 61 +++++ Linux/sgx/libsgx_usgxssl/uunistd.cpp | 46 ++++ + Linux/sgx/test_app/enclave/TestEnclave.h | 2 +- Linux/sgx/test_app/enclave/tests/stdio_func.c | 4 +- openssl_source/bypass_to_sgxssl.h | 11 +- - 16 files changed, 516 insertions(+), 82 deletions(-) + 17 files changed, 518 insertions(+), 82 deletions(-) create mode 100644 Linux/sgx/libsgx_usgxssl/ustdio.cpp create mode 100644 Linux/sgx/libsgx_usgxssl/ustdlib.cpp create mode 100644 Linux/sgx/libsgx_usgxssl/uunistd.cpp @@ -45,10 +46,10 @@ index 9524f45..304ce24 100644 rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index 7d77b79..9dc4082 100755 +index ba9ff65..ce12472 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh -@@ -59,6 +59,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1 +@@ -58,6 +58,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1 # Remove AESBS to support only AESNI and VPAES sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure @@ -56,7 +57,7 @@ index 7d77b79..9dc4082 100755 ##Space optimization flags. SPACE_OPT= -@@ -69,8 +70,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt +@@ -68,8 +69,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt fi OUTPUT_LIB=libsgx_tsgxssl_crypto.a @@ -67,17 +68,16 @@ index 7d77b79..9dc4082 100755 ADDITIONAL_CONF="-g " fi -@@ -136,8 +139,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1 +@@ -136,7 +139,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1 cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1 cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1 --perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h --prefix=$OPENSSL_INSTALL_DIR || exit 1 -- -+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h -include$SGXSSL_ROOT/../Linux/package/include/tsgxsslio.h --prefix=$OPENSSL_INSTALL_DIR || exit 1 +-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1 ++perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h -include$SGXSSL_ROOT/../Linux/package/include/tsgxsslio.h || exit 1 + sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c make build_all_generated || exit 1 - -@@ -159,8 +161,9 @@ then +@@ -159,8 +162,9 @@ then cp $SGXSSL_ROOT/../openssl_source/Linux/x86_64cpuid.s ./crypto/x86_64cpuid.s fi @@ -114,7 +114,7 @@ index cbc4888..e385250 100644 trusted { diff --git a/Linux/package/include/tsgxsslio.h b/Linux/package/include/tsgxsslio.h -index a200a17..fe56f61 100644 +index a200a17..535e37a 100644 --- a/Linux/package/include/tsgxsslio.h +++ b/Linux/package/include/tsgxsslio.h @@ -32,6 +32,18 @@ @@ -138,7 +138,7 @@ index a200a17..fe56f61 100644 #endif // _TSGXSSL_IO_H_ diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk -index cd8818e..7cd794c 100644 +index dac23c7..971b991 100644 --- a/Linux/sgx/buildenv.mk +++ b/Linux/sgx/buildenv.mk @@ -73,11 +73,13 @@ endif @@ -156,10 +156,10 @@ index cd8818e..7cd794c 100644 UNTRUSTED_LIB := libsgx_usgxssl.a endif diff --git a/Linux/sgx/libsgx_tsgxssl/Makefile b/Linux/sgx/libsgx_tsgxssl/Makefile -index 40d8f3b..3eb4a7e 100644 +index f9d29ca..62488c7 100644 --- a/Linux/sgx/libsgx_tsgxssl/Makefile +++ b/Linux/sgx/libsgx_tsgxssl/Makefile -@@ -90,7 +90,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o)) +@@ -95,7 +95,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o)) Sgx_tssl_Include_Paths := -I. -I$(PACKAGE_INC) -I$(SGX_SDK_INC) -I$(SGX_SDK_INC)/tlibc -I$(LIBCXX_INC) @@ -167,7 +167,7 @@ index 40d8f3b..3eb4a7e 100644 +Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector-strong -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths) Sgx_tssl_C_Flags := $(Common_C_Cpp_Flags) -Wno-implicit-function-declaration -std=c11 $(MITIGATION_CFLAGS) $(NO_THREADS_CFLAG) Sgx_tssl_Cpp_Flags := $(Common_C_Cpp_Flags) -std=c++11 -nostdinc++ $(MITIGATION_CFLAGS) - $(shell mkdir -p $(OBJDIR)) + ifeq ($(SKIP_INTELCPU_CHECK), TRUE) diff --git a/Linux/sgx/libsgx_tsgxssl/tcommon.h b/Linux/sgx/libsgx_tsgxssl/tcommon.h index f8d9379..dd1ca8d 100644 --- a/Linux/sgx/libsgx_tsgxssl/tcommon.h @@ -565,10 +565,10 @@ index 7bdfa07..d7aba27 100644 // TODO diff --git a/Linux/sgx/libsgx_usgxssl/Makefile b/Linux/sgx/libsgx_usgxssl/Makefile -index 5d7e756..ee1f29f 100644 +index b469f23..4534acf 100644 --- a/Linux/sgx/libsgx_usgxssl/Makefile +++ b/Linux/sgx/libsgx_usgxssl/Makefile -@@ -72,7 +72,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl +@@ -77,7 +77,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl Sgx_ussl_Include_Paths := -I. -I$(SGX_SDK_INC) @@ -798,6 +798,19 @@ index 0000000..c2456ba +} + +} +diff --git a/Linux/sgx/test_app/enclave/TestEnclave.h b/Linux/sgx/test_app/enclave/TestEnclave.h +index f120489..26cfedf 100644 +--- a/Linux/sgx/test_app/enclave/TestEnclave.h ++++ b/Linux/sgx/test_app/enclave/TestEnclave.h +@@ -43,7 +43,7 @@ + abort(); \ + } \ + } +-void ERR_print_errors_fp(FILE *fp); ++// void ERR_print_errors_fp(FILE *fp); + int BN_print_fp(FILE *fp, const BIGNUM *a); + + #if defined(__cplusplus) diff --git a/Linux/sgx/test_app/enclave/tests/stdio_func.c b/Linux/sgx/test_app/enclave/tests/stdio_func.c index 286340e..13de4dd 100644 --- a/Linux/sgx/test_app/enclave/tests/stdio_func.c @@ -850,5 +863,5 @@ index 6ff3fc2..9676726 100644 #if defined(SGXSDK_INT_VERSION) && (SGXSDK_INT_VERSION > 18) #define _longjmp longjmp -- -2.27.0 +2.33.0 diff --git a/adapt-openssl-CVE.patch b/0002-adapt-openssl-CVE.patch similarity index 100% rename from adapt-openssl-CVE.patch rename to 0002-adapt-openssl-CVE.patch diff --git a/backport-CVE-2022-0778.patch b/backport-CVE-2022-0778.patch deleted file mode 100644 index cd3949a..0000000 --- a/backport-CVE-2022-0778.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 4382b4d9446c34d29b12dedf6b93f35215b9dd3b Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 28 Feb 2022 18:26:21 +0100 -Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() - -The calculation in some cases does not finish for non-prime p. - -This fixes CVE-2022-0778. - -Based on patch by David Benjamin . - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell - -Reference: https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65 -Conflict: NA ---- - openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c | 30 +++++++++++-------- - 1 file changed, 18 insertions(+), 12 deletions(-) - -diff --git a/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c b/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c -index 1723d5d..53b0f55 100644 ---- a/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c -+++ b/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c -@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - /* - * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks - * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number -- * Theory", algorithm 1.5.1). 'p' must be prime! -+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or -+ * an incorrect "result" will be returned. - */ - { - BIGNUM *ret = in; -@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - goto vrfy; - } - -- /* find smallest i such that b^(2^i) = 1 */ -- i = 1; -- if (!BN_mod_sqr(t, b, p, ctx)) -- goto end; -- while (!BN_is_one(t)) { -- i++; -- if (i == e) { -- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); -- goto end; -+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ -+ for (i = 1; i < e; i++) { -+ if (i == 1) { -+ if (!BN_mod_sqr(t, b, p, ctx)) -+ goto end; -+ -+ } else { -+ if (!BN_mod_mul(t, t, t, p, ctx)) -+ goto end; - } -- if (!BN_mod_mul(t, t, t, p, ctx)) -- goto end; -+ if (BN_is_one(t)) -+ break; -+ } -+ /* If not found, a is not a square or p is not prime. */ -+ if (i >= e) { -+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); -+ goto end; - } - - /* t := y^2^(e - i - 1) */ --- -2.23.0 - diff --git a/backport-CVE-2022-0778_test.patch b/backport-CVE-2022-0778_test.patch deleted file mode 100644 index bd8236b..0000000 --- a/backport-CVE-2022-0778_test.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 6ec7f406d2141b78508b5df91597a61de2ac38ed Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 28 Feb 2022 18:26:35 +0100 -Subject: [PATCH] Add a negative testcase for BN_mod_sqrt - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell - -Reference: https://github.com/openssl/openssl/commit/3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 -Conflict: NA ---- - openssl_source/openssl-1.1.1l/test/bntest.c | 11 ++++++++++- - openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++ - 2 files changed, 22 insertions(+), 1 deletion(-) - -diff --git a/openssl_source/openssl-1.1.1l/test/bntest.c b/openssl_source/openssl-1.1.1l/test/bntest.c -index 236501e..08c60a2 100644 ---- a/openssl_source/openssl-1.1.1l/test/bntest.c -+++ b/openssl_source/openssl-1.1.1l/test/bntest.c -@@ -1685,8 +1685,17 @@ static int file_modsqrt(STANZA *s) - || !TEST_ptr(ret2 = BN_new())) - goto err; - -+ if (BN_is_negative(mod_sqrt)) { -+ /* A negative testcase */ -+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) -+ goto err; -+ -+ st = 1; -+ goto err; -+ } -+ - /* There are two possible answers. */ -- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) -+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) - || !TEST_true(BN_sub(ret2, p, ret))) - goto err; - -diff --git a/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt b/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt -index 5ea4d03..e28cc6b 100644 ---- a/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt -+++ b/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt -@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f - ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 - A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 - P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f -+ -+# Negative testcases for BN_mod_sqrt() -+ -+# This one triggers an infinite loop with unfixed implementation -+# It should just fail. -+ModSqrt = -1 -+A = 20a7ee -+P = 460201 -+ -+ModSqrt = -1 -+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed -+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f --- -2.23.0 - diff --git a/backport-CVE-2022-1292.patch b/backport-CVE-2022-1292.patch deleted file mode 100644 index b88f786..0000000 --- a/backport-CVE-2022-1292.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 9b495e8d9028ca893019c5b176d913051ea925ac Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 26 Apr 2022 12:40:24 +0200 -Subject: [PATCH] c_rehash: Do not use shell to invoke openssl - -Except on VMS where it is safe. - -This fixes CVE-2022-1292. - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Matt Caswell - -Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 -Conflict:NA - ---- - openssl_source/openssl-1.1.1l/tools/c_rehash.in | 29 ++++++++++++++++--- - 1 file changed, 25 insertions(+), 4 deletions(-) - -diff --git a/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/openssl_source/openssl-1.1.1l/tools/c_rehash.in -index fa7c6c9..83c1cc8 100644 ---- a/openssl_source/openssl-1.1.1l/tools/c_rehash.in -+++ b/openssl_source/openssl-1.1.1l/tools/c_rehash.in -@@ -152,6 +152,23 @@ sub check_file { - return ($is_cert, $is_crl); - } - -+sub compute_hash { -+ my $fh; -+ if ( $^O eq "VMS" ) { -+ # VMS uses the open through shell -+ # The file names are safe there and list form is unsupported -+ if (!open($fh, "-|", join(' ', @_))) { -+ print STDERR "Cannot compute hash on '$fname'\n"; -+ return; -+ } -+ } else { -+ if (!open($fh, "-|", @_)) { -+ print STDERR "Cannot compute hash on '$fname'\n"; -+ return; -+ } -+ } -+ return (<$fh>, <$fh>); -+} - - # Link a certificate to its subject name hash value, each hash is of - # the form . where n is an integer. If the hash value already exists -@@ -161,10 +178,12 @@ sub check_file { - - sub link_hash_cert { - my $fname = $_[0]; -- $fname =~ s/\"/\\\"/g; -- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; -+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -+ "-fingerprint", "-noout", -+ "-in", $fname); - chomp $hash; - chomp $fprint; -+ return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; -@@ -202,10 +221,12 @@ sub link_hash_cert { - - sub link_hash_crl { - my $fname = $_[0]; -- $fname =~ s/'/'\\''/g; -- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; -+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -+ "-fingerprint", "-noout", -+ "-in", $fname); - chomp $hash; - chomp $fprint; -+ return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; --- -2.23.0 - diff --git a/backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch b/backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch deleted file mode 100644 index f96a5e2..0000000 --- a/backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch +++ /dev/null @@ -1,259 +0,0 @@ -From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001 -From: Daniel Fiala -Date: Sun, 29 May 2022 20:11:24 +0200 -Subject: [PATCH] Fix file operations in c_rehash. - -CVE-2022-2068 - -Reviewed-by: Matt Caswell -Reviewed-by: Richard Levitte - -Reference: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 -Conflict: NA ---- - openssl_source/openssl-1.1.1l/tools/c_rehash.in | 216 +++++++++++++++++++++++----------------------- - 1 file changed, 107 insertions(+), 109 deletions(-) - -diff --git a/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/openssl_source/openssl-1.1.1l/tools/c_rehash.in -index cfd18f5da1..9d2a6f6db7 100644 ---- a/openssl_source/openssl-1.1.1l/tools/c_rehash.in -+++ b/openssl_source/openssl-1.1.1l/tools/c_rehash.in -@@ -104,52 +104,78 @@ foreach (@dirlist) { - } - exit($errorcount); - -+sub copy_file { -+ my ($src_fname, $dst_fname) = @_; -+ -+ if (open(my $in, "<", $src_fname)) { -+ if (open(my $out, ">", $dst_fname)) { -+ print $out $_ while (<$in>); -+ close $out; -+ } else { -+ warn "Cannot open $dst_fname for write, $!"; -+ } -+ close $in; -+ } else { -+ warn "Cannot open $src_fname for read, $!"; -+ } -+} -+ - sub hash_dir { -- my %hashlist; -- print "Doing $_[0]\n"; -- chdir $_[0]; -- opendir(DIR, "."); -- my @flist = sort readdir(DIR); -- closedir DIR; -- if ( $removelinks ) { -- # Delete any existing symbolic links -- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { -- if (-l $_) { -- print "unlink $_" if $verbose; -- unlink $_ || warn "Can't unlink $_, $!\n"; -- } -- } -- } -- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { -- # Check to see if certificates and/or CRLs present. -- my ($cert, $crl) = check_file($fname); -- if (!$cert && !$crl) { -- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; -- next; -- } -- link_hash_cert($fname) if ($cert); -- link_hash_crl($fname) if ($crl); -- } -+ my $dir = shift; -+ my %hashlist; -+ -+ print "Doing $dir\n"; -+ -+ if (!chdir $dir) { -+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; -+ return; -+ } -+ -+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; -+ my @flist = sort readdir(DIR); -+ closedir DIR; -+ if ( $removelinks ) { -+ # Delete any existing symbolic links -+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { -+ if (-l $_) { -+ print "unlink $_\n" if $verbose; -+ unlink $_ || warn "Can't unlink $_, $!\n"; -+ } -+ } -+ } -+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { -+ # Check to see if certificates and/or CRLs present. -+ my ($cert, $crl) = check_file($fname); -+ if (!$cert && !$crl) { -+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; -+ next; -+ } -+ link_hash_cert($fname) if ($cert); -+ link_hash_crl($fname) if ($crl); -+ } -+ -+ chdir $pwd; - } - - sub check_file { -- my ($is_cert, $is_crl) = (0,0); -- my $fname = $_[0]; -- open IN, $fname; -- while() { -- if (/^-----BEGIN (.*)-----/) { -- my $hdr = $1; -- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { -- $is_cert = 1; -- last if ($is_crl); -- } elsif ($hdr eq "X509 CRL") { -- $is_crl = 1; -- last if ($is_cert); -- } -- } -- } -- close IN; -- return ($is_cert, $is_crl); -+ my ($is_cert, $is_crl) = (0,0); -+ my $fname = $_[0]; -+ -+ open(my $in, "<", $fname); -+ while(<$in>) { -+ if (/^-----BEGIN (.*)-----/) { -+ my $hdr = $1; -+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { -+ $is_cert = 1; -+ last if ($is_crl); -+ } elsif ($hdr eq "X509 CRL") { -+ $is_crl = 1; -+ last if ($is_cert); -+ } -+ } -+ } -+ close $in; -+ return ($is_cert, $is_crl); - } - - sub compute_hash { -@@ -177,76 +203,48 @@ sub compute_hash { - # certificate fingerprints - - sub link_hash_cert { -- my $fname = $_[0]; -- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -- "-fingerprint", "-noout", -- "-in", $fname); -- chomp $hash; -- chomp $fprint; -- return if !$hash; -- $fprint =~ s/^.*=//; -- $fprint =~ tr/://d; -- my $suffix = 0; -- # Search for an unused hash filename -- while(exists $hashlist{"$hash.$suffix"}) { -- # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate certificate $fname\n"; -- return; -- } -- $suffix++; -- } -- $hash .= ".$suffix"; -- if ($symlink_exists) { -- print "link $fname -> $hash\n" if $verbose; -- symlink $fname, $hash || warn "Can't symlink, $!"; -- } else { -- print "copy $fname -> $hash\n" if $verbose; -- if (open($in, "<", $fname)) { -- if (open($out,">", $hash)) { -- print $out $_ while (<$in>); -- close $out; -- } else { -- warn "can't open $hash for write, $!"; -- } -- close $in; -- } else { -- warn "can't open $fname for read, $!"; -- } -- } -- $hashlist{$hash} = $fprint; -+ link_hash($_[0], 'cert'); - } - - # Same as above except for a CRL. CRL links are of the form .r - - sub link_hash_crl { -- my $fname = $_[0]; -- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -- "-fingerprint", "-noout", -- "-in", $fname); -- chomp $hash; -- chomp $fprint; -- return if !$hash; -- $fprint =~ s/^.*=//; -- $fprint =~ tr/://d; -- my $suffix = 0; -- # Search for an unused hash filename -- while(exists $hashlist{"$hash.r$suffix"}) { -- # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.r$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate CRL $fname\n"; -- return; -- } -- $suffix++; -- } -- $hash .= ".r$suffix"; -- if ($symlink_exists) { -- print "link $fname -> $hash\n" if $verbose; -- symlink $fname, $hash || warn "Can't symlink, $!"; -- } else { -- print "cp $fname -> $hash\n" if $verbose; -- system ("cp", $fname, $hash); -- warn "Can't copy, $!" if ($? >> 8) != 0; -- } -- $hashlist{$hash} = $fprint; -+ link_hash($_[0], 'crl'); -+} -+ -+sub link_hash { -+ my ($fname, $type) = @_; -+ my $is_cert = $type eq 'cert'; -+ -+ my ($hash, $fprint) = compute_hash($openssl, -+ $is_cert ? "x509" : "crl", -+ $is_cert ? $x509hash : $crlhash, -+ "-fingerprint", "-noout", -+ "-in", $fname); -+ chomp $hash; -+ chomp $fprint; -+ return if !$hash; -+ $fprint =~ s/^.*=//; -+ $fprint =~ tr/://d; -+ my $suffix = 0; -+ # Search for an unused hash filename -+ my $crlmark = $is_cert ? "" : "r"; -+ while(exists $hashlist{"$hash.$crlmark$suffix"}) { -+ # Hash matches: if fingerprint matches its a duplicate cert -+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { -+ my $what = $is_cert ? 'certificate' : 'CRL'; -+ print STDERR "WARNING: Skipping duplicate $what $fname\n"; -+ return; -+ } -+ $suffix++; -+ } -+ $hash .= ".$crlmark$suffix"; -+ if ($symlink_exists) { -+ print "link $fname -> $hash\n" if $verbose; -+ symlink $fname, $hash || warn "Can't symlink, $!"; -+ } else { -+ print "copy $fname -> $hash\n" if $verbose; -+ copy_file($fname, $hash); -+ } -+ $hashlist{$hash} = $fprint; - } --- -2.23.0 diff --git a/backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch b/backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch deleted file mode 100644 index c8fb3db..0000000 --- a/backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001 -From: Alex Chernyakhovsky -Date: Thu, 16 Jun 2022 12:00:22 +1000 -Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path -that performs operations on 6 16-byte blocks concurrently (the -"grandloop") and then proceeds to handle the "short" tail (which can -be anywhere from 0 to 5 blocks) that remain. - -As part of initialization, the assembly initializes $len to the true -length, less 96 bytes and converts it to a pointer so that the $inp -can be compared to it. Each iteration of "grandloop" checks to see if -there's a full 96-byte chunk to process, and if so, continues. Once -this has been exhausted, it falls through to "short", which handles -the remaining zero to five blocks. - -Unfortunately, the jump at the end of "grandloop" had a fencepost -error, doing a `jb` ("jump below") rather than `jbe` (jump below or -equal). This should be `jbe`, as $inp is pointing to the *end* of the -chunk currently being handled. If $inp == $len, that means that -there's a whole 96-byte chunk waiting to be handled. If $inp > $len, -then there's 5 or fewer 16-byte blocks left to be handled, and the -fall-through is intended. - -The net effect of `jb` instead of `jbe` is that the last 16-byte block -of the last 96-byte chunk was completely omitted. The contents of -`out` in this position were never written to. Additionally, since -those bytes were never processed, the authentication tag generated is -also incorrect. - -The same fencepost error, and identical logic, exists in both -aesni_ocb_encrypt and aesni_ocb_decrypt. - -This addresses CVE-2022-2097. - -Co-authored-by: Alejandro Sedeño -Co-authored-by: David Benjamin - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz - -Reference:https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431 -Conflict: NA ---- - openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl b/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl -index fe2b26542a..812758e02e 100644 ---- a/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl -+++ b/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl -@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); - &movdqu (&QWP(-16*2,$out,$inp),$inout4); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); -@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); - &pxor ($rndkey1,$inout5); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); --- -2.27.0 - diff --git a/intel-sgx-ssl.spec b/intel-sgx-ssl.spec index 3257368..1a5ff9b 100644 --- a/intel-sgx-ssl.spec +++ b/intel-sgx-ssl.spec @@ -1,7 +1,7 @@ -%define openssl_version 1.1.1l +%define openssl_version 1.1.1t Name: intel-sgx-ssl -Version: 2.15.1 -Release: 3 +Version: 2.19 +Release: 1 Summary: Intel® Software Guard Extensions SSL ExclusiveArch: x86_64 License: OpenSSL and BSD-3-Clause @@ -10,12 +10,7 @@ Source0: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/lin_%{v Source1: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz Patch0: 0001-Solution_to_issue_ssl_library_is_not_supported.patch -Patch1: adapt-openssl-CVE.patch -Patch2: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch -Patch3: backport-CVE-2022-1292.patch -Patch4: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch -Patch5: backport-CVE-2022-0778.patch -Patch6: backport-CVE-2022-0778_test.patch +Patch1: 0002-adapt-openssl-CVE.patch BuildRequires: gcc gcc-c++ BuildRequires: libsgx-launch libsgx-urts sgxsdk perl @@ -49,11 +44,6 @@ Requires: %{name} = %{version}-%{release} %setup -q -D -T -n intel-sgx-ssl-lin_%{version}_%{openssl_version} %patch0 -p1 %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build cp %{SOURCE1} openssl_source/ @@ -75,6 +65,9 @@ cp License.txt $RPM_BUILD_ROOT/opt/intel/sgxssl/docs/ /opt/intel/sgxssl/include/* %changelog +* Fri Jul 21 2023 zhoushuiqing - 2.19-1 +- Upgrade to 2.19 + * Thu Nov 24 2022 wangyu - 2.15.1-3 - Update the source0 link address. diff --git a/lin_2.15.1_1.1.1l.zip b/lin_2.19_1.1.1t.zip similarity index 54% rename from lin_2.15.1_1.1.1l.zip rename to lin_2.19_1.1.1t.zip index 6f8a1ff..533d173 100644 Binary files a/lin_2.15.1_1.1.1l.zip and b/lin_2.19_1.1.1t.zip differ diff --git a/openssl-1.1.1l.tar.gz b/openssl-1.1.1t.tar.gz similarity index 54% rename from openssl-1.1.1l.tar.gz rename to openssl-1.1.1t.tar.gz index c8e2e0b..72a599e 100644 Binary files a/openssl-1.1.1l.tar.gz and b/openssl-1.1.1t.tar.gz differ