packages/linux-sgx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport openssl CVE-2022-2068 and CVE-2022-2097

Browse Source
This commit is contained in:
houmingyong 2022-08-27 10:16:44 +08:00
parent 9435d75d1d
commit 526d9da595
3 changed files with 343 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

259
backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch Normal file
View File

@ -0,0 +1,259 @@
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 29 May 2022 20:11:24 +0200
Subject: [PATCH] Fix file operations in c_rehash.
CVE-2022-2068
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reference: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7
Conflict: NA
---
external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
1 file changed, 107 insertions(+), 109 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index cfd18f5da1..9d2a6f6db7 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -104,52 +104,78 @@ foreach (@dirlist) {
}
exit($errorcount);
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
+}
+
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
}
sub compute_hash {
@@ -177,76 +203,48 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
}
--
2.23.0

76
backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch Normal file
View File

@ -0,0 +1,76 @@
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reference:https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431
Conflict: NA
---
external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
index fe2b26542a..812758e02e 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
--
2.27.0

9
linux-sgx.spec
View File

@ -1,6 +1,6 @@
Name: linux-sgx
Version: 2.15.1
Release: 4
Release: 5
Summary: Intel(R) Software Guard Extensions for Linux* OS
ExclusiveArch: x86_64
License: BSD-3-Clause
@ -26,6 +26,8 @@ Patch4: backport-CVE-2022-0778.patch
Patch5: backport-CVE-2022-0778_test.patch
Patch6: backport-CVE-2022-1292.patch
Patch7: adapt-openssl-CVE.patch
Patch8: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch9: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
BuildRequires: gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm
@ -277,6 +279,8 @@ Intel(R) Software Guard Extensions Basic Headers
%%patch5 -p1
%%patch6 -p1
%%patch7 -p1
%%patch8 -p1
%%patch9 -p1
%build
@ -1033,6 +1037,9 @@ fi
%files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
%changelog
* Sat Aug 27 2022 houmingyong<houmingyong@huawei.com> - 2.15.1-5
- backport openssl CVE-2022-2068 and CVE-2022-2097
* Mon Jun 27 2022 wangyu <wangyu283@huawei.com> - 2.15.1-4
- backport openssl CVE-2022-0778 and CVE-2022-1292, protobuf CVE-2021-22570