!279 修改cmake推荐版本

Merge pull request !279 from zzh/fix3
!278 fix CVE-2024-9143
2024-11-21 11:05:43 +00:00 · 2024-11-21 11:00:00 +00:00 · 2024-11-20 17:47:30 +08:00 · 2024-11-20 11:45:03 +08:00 · 2024-11-12 09:35:04 +00:00 · 2024-11-12 01:55:23 +00:00
20 changed files with 317 additions and 32 deletions
--- a/OpenSource.yml
+++ b/OpenSource.yml
@ -34,7 +34,7 @@ opengauss:
    name: "bottle"
    pkg_name: "bottle-0.12.17.tar.gz"
    down_load_type: "wget"
-    sha256: "7df26ca1789aa0693277c4a86d564524bff03e5d3132d9405946c58739190928"
+    sha256: "9638e15337dfb37f7eee1010851b88bf1d8b292115924754f3f46a4934db6cc5"
  - github:
    repo: "https://github.com/cffi/cffi.git"
    branch: "1.15.0"
@ -254,13 +254,13 @@ opengauss:
    sha256: "f4a9be08d22f5ad9b4bf36c491f1be58e54dc35a1592eaf4e3f79567e4894d0c"
  - github:
    repo: "https://github.com/numactl/numactl.git"
-    url: "https://github.com/numactl/numactl/releases/download/v2.0.14/numactl-2.0.14.tar.gz"
-    branch: "v2.0.14"
+    url: "https://github.com/numactl/numactl/releases/download/v2.0.16/numactl-2.0.16.tar.gz"
+    branch: "v2.0.16"
    path: "dependency/numactl"
    name: "numactl"
-    pkg_name: "numactl-2.0.14.tar.gz"
+    pkg_name: "numactl-2.0.16.tar.gz"
    down_load_type: "wget"
-    sha256: "826bd148c1b6231e1284e42a4db510207747484b112aee25ed6b1078756bcff6"
+    sha256: "1b242f893af977a1d31af6ce9d6b8dafdd2d8ec3dc9207f7c2dc0d3446e7c7c8"
  - gitee:
    repo: "https://gitee.com/src-openeuler/openssl.git"
    url: "https://gitee.com/src-openeuler/openssl/repository/archive/openEuler-22.03-LTS-SP2.tar.gz"
--- a/README.md
+++ b/README.md
@ -108,17 +108,22 @@
            <strong>openEuler 22.03 arm:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/5.1.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_arm.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/5.1.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_arm.tar.gz</a><br/>
            <strong>openEuler 22.03 x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/5.1.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/5.1.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_x86_64.tar.gz</a></td>
        </tr>
+    </tr>
    <tr>
-        <td rowspan=2>master</td>
-        <td rowspan=2></td>
-        <td>gcc7.3</td>
+        <td rowspan=1>6.0.0</td>
+        <td rowspan=1></td>
+        <td>gcc10.3</td>
        <td rowspan=1>
-           <strong>openEuler_arm:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz</a><br/>
-            <strong>openEuler_x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_x86_64.tar.gz</a><br/>
-            <strong>Centos_x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_Centos7.6_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_Centos7.6_x86_64.tar.gz</a><br/>
-            <strong>openEuler 22.03 arm:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz</a><br/>
-            <strong>openEuler 22.03 x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_2203_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc7.3/openGauss-third_party_binarylibs_openEuler_2203_x86_64.tar.gz</a></td>
+           <strong>openEuler_arm:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz</a><br/>
+            <strong>openEuler_x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_x86_64.tar.gz</a><br/>
+            <strong>Centos_x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_Centos7.6_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_Centos7.6_x86_64.tar.gz</a><br/>
+            <strong>openEuler 22.03 arm:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_arm.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_arm.tar.gz</a><br/>
+            <strong>openEuler 22.03 x86:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_x86_64.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/6.0.0/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_2203_x86_64.tar.gz</a></td>
        </tr>
+    </tr>
+    <tr>
+        <td rowspan=1>master</td>
+        <td rowspan=1></td>
        <td>gcc10.3</td>
        <td rowspan=1>
           <strong>openEuler_arm:</strong> <a href="https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz">https://opengauss.obs.cn-south-1.myhuaweicloud.com/latest/binarylibs/gcc10.3/openGauss-third_party_binarylibs_openEuler_arm.tar.gz</a><br/>
@ -130,7 +135,7 @@
    </tr>
 </table>

-社区提供了已编译好的`centos7.6_x86_64, openeuler_aarch64, openeuler_x86_64` 三种系统的二进制文件。
+社区提供了已编译好的`centos7.6_x86, openeuler20.03_aarch64,openeuler22.03_aarch64,openeuler20.03_x86,openeuler22.03_x86` 五个操作系统的二进制文件。
 从3.1.0版本开始，每个系统提供独立的二级制文件使用。各个系统分别需要下载对应的文件。
 对于其他系统，需要自行编译，可以按照下方的步骤执行：

@ -169,7 +174,8 @@ bison
    git clone https://gitee.com/openeuler/gcc.git -b gcc-10
    ```
 2. 编译cmake
-    三方库编译依赖cmake(版本大于3.16.5)，cmake (https://cmake.org/download/#latest) 并解压后编译。
+    三方库编译依赖cmake(建议版本：3.18)，cmake (https://cmake.org/download/#latest) 并解压后编译。
+    推荐使用下载的cmake包(https://cmake.org/files/v3.18/) 无需编译，防止系统中原有的cmake因环境问题冲突无法使用。

 编译完成后，将gcc10.3和cmake导入到环境变量中（下一步的三方库编译依赖这两个），例如：

--- a/Third_Party_Open_Source_Software_List.yaml
+++ b/Third_Party_Open_Source_Software_List.yaml
@ -108,7 +108,7 @@ zlib:
  url: 'https://github.com/madler/zlib'
 numactl:
  cpeName: numactl
-  version: 2.0.14
+  version: 2.0.16
  url: 'https://github.com/numactl/numactl'
 pyOpenSSL:
  cpeName: pyOpenSSL
--- a/2
+++ b/2
@ -6236,7 +6236,7 @@ misrepresented as being the original software.
 3. This notice may not be removed or altered from any source
 distribution.

-Software: numactl 2.0.14
+Software: numactl 2.0.16
 Copyright notice��Copyright (C) 2010 Intel Corporation
 Copyright (C) 2005 Andi Kleen, SuSE Labs.
 Copyright (C) 2003,2004,2005,2008 Andi Kleen,SuSE Labs andCliff Wickman,SGI.
--- a/dependency/aws-sdk-cpp/build.sh
+++ b/dependency/aws-sdk-cpp/build.sh
@ -25,6 +25,13 @@ LOG_FILE=${LOCAL_DIR}/build_aws.log
 ROOT_DIR="${LOCAL_DIR}/../../"
 CURL_LIB="${ROOT_DIR}/output/kernel/dependency/libcurl/comm/lib/libcurl.so"
 CURL_INCLUDE="${ROOT_DIR}/output/kernel/dependency/libcurl/comm/include"
+CRYPTO_LIB="${ROOT_DIR}/output/kernel/dependency/openssl/comm/lib/libcrypto.so"
+CRYPTO_INCLUDE="${ROOT_DIR}/output/kernel/dependency/openssl/comm/include"
+CRYPTO_STATIC="${ROOT_DIR}/output/kernel/dependency/openssl/comm/lib/libcrypto_static.a"
+ZLIB_DIR="${ROOT_DIR}/output/kernel/dependency/zlib1.2.11/comm"
+ZLIB_INCLUDE="${ROOT_DIR}/output/kernel/dependency/zlib1.2.11/comm/include"
+ZLIB_LIB="${ROOT_DIR}/output/kernel/dependency/zlib1.2.11/comm/lib/libz.so"
+OPENSSL_DIR="${ROOT_DIR}/output/kernel/dependency/openssl/comm"
 INSTALL_COMPOENT_PATH_NAME="${ROOT_DIR}/output/kernel/dependency/aws-sdk-cpp"

 log()
@ -59,7 +66,14 @@ function build_component()
            -DCMAKE_INSTALL_PREFIX=${LOCAL_DIR}/install_comm \
            -DCURL_INCLUDE_DIR=${CURL_INCLUDE} \
            -DCURL_LIBRARY=${CURL_LIB} \
-            -DAUTORUN_UNIT_TESTS=OFF
+            -Dcrypto_INCLUDE_DIR=${CRYPTO_INCLUDE} \
+            -Dcrypto_SHARED_LIBRARY=${CRYPTO_LIB} \
+            -Dcrypto_STATIC_LIBRARY=${CRYPTO_STATIC} \
+            -DZLIB_ROOT=${ZLIB_DIR} \
+            -DZLIB_INCLUDE_DIRS=${ZLIB_INCLUDE} \
+            -DZLIB_LIBRARIES=${ZLIB_LIB} \
+            -DOPENSSL_ROOT_DIR=${OPENSSL_DIR} \
+            -DENABLE_TESTING=OFF
    make -j4
    make install
    cd ${LOCAL_DIR}/${SOURCE_CODE_PATH}
@ -77,7 +91,14 @@ function build_component()
        -DCMAKE_INSTALL_PREFIX=${LOCAL_DIR}/install_llt \
        -DCURL_INCLUDE_DIR=${CURL_INCLUDE} \
        -DCURL_LIBRARY=${CURL_LIB} \
-        -DAUTORUN_UNIT_TESTS=OFF
+        -Dcrypto_INCLUDE_DIR=${CRYPTO_INCLUDE} \
+        -Dcrypto_SHARED_LIBRARY=${CRYPTO_LIB} \
+        -Dcrypto_STATIC_LIBRARY=${CRYPTO_STATIC} \
+        -DZLIB_ROOT=${ZLIB_DIR} \
+        -DZLIB_INCLUDE_DIRS=${ZLIB_INCLUDE} \
+        -DZLIB_LIBRARIES=${ZLIB_LIB} \
+        -DOPENSSL_ROOT_DIR=${OPENSSL_DIR} \
+        -DENABLE_TESTING=OFF
    make -j4
    make install
    cd ${LOCAL_DIR}/${SOURCE_CODE_PATH}
--- a/dependency/bcrypt/build.sh
+++ b/dependency/bcrypt/build.sh
@ -23,7 +23,7 @@ tar -zxf $TAR_SOURCE_FILE -C $SOURCE_FILE --strip-components 1
 cd $SOURCE_FILE
 CFLAGS='-fstack-protector-all' LDFLAGS='-Wl,-z,relro,-z,now -z,noexecstack' python3 setup.py build

-version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
+version_num=("3.6" "3.7" "3.8" "3.9" "3.10" "3.11")
 lib_dir=""
 for (( i=0;i<${#version_num[*]};i++ ))
 do
--- a/dependency/boost/build_component.sh
+++ b/dependency/boost/build_component.sh
@ -23,7 +23,12 @@ function build_component()
    fi

    # Compatible with python3 compilation
-    sed -i "s/include\/python\$(version)/include\/python\$(version)m/g" tools/build/src/tools/python.jam
+    python_version=`python3 -V | awk -F ' ' '{print $2}' |awk -F '.' -v OFS='.' '{print $1,$2}'`
+    if [ "$python_version" == "3.11" ]; then
+        sed -i "s/include\/python\$(version)/include\/python\$(version)/g" tools/build/src/tools/python.jam
+    else
+        sed -i "s/include\/python\$(version)/include\/python\$(version)m/g" tools/build/src/tools/python.jam
+    fi

    chmod +x bootstrap.sh
    chmod +x ./tools/build/src/engine/build.sh
--- a/dependency/bottle/bottle-0.12.17.tar.gz
+++ b/dependency/bottle/bottle-0.12.17.tar.gz
--- a/dependency/build/build_dependency.sh
+++ b/dependency/build/build_dependency.sh
@ -41,7 +41,7 @@ echo "[libcgroup] is " $use_tm
 echo ------------------------------numactl----------------------------------------------------
 start_tm=$(date +%s%N)
 cd $(pwd)/../numactl
-python3 build.py -m all -t "comm|llt" -f numactl-2.0.14.tar.gz >>../build/build_result.log
+python3 build.py -m all -t "comm|llt" -f numactl-2.0.16.tar.gz >>../build/build_result.log
 end_tm=$(date +%s%N)
 use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
 echo "[numactl] is " $use_tm
--- a/dependency/cffi/build.sh
+++ b/dependency/cffi/build.sh
@ -8,7 +8,7 @@ export LD_LIBRARY_PATH=$TARGET_PATH:$LD_LIBRARY_PATH:/usr/lib64
 export PATH=$TARGET_PATH:$PATH
 export PYTHONPATH=$TARGET_PATH:$LIBRARY_PATH

-version_list=("3.6" "3.7" "3.8" "3.9" "3.10")
+version_list=("3.6" "3.7" "3.8" "3.9" "3.10" "3.11")
 python_version=`python3 -V | awk -F ' ' '{print $2}' | awk -F '.' -v OFS='.' '{print $1,$2}'`

 TAR_SOURCE_FILE=cffi-1.15.0.tar.gz
--- a/dependency/cryptography/build.sh
+++ b/dependency/cryptography/build.sh
@ -17,7 +17,7 @@ if [ -d ${SOURCE_FILE} ]; then
 fi
 mkdir ${SOURCE_FILE}

-version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
+version_num=("3.6" "3.7" "3.8" "3.9" "3.10" "3.11")
 lib_dir=""
 for (( i=0;i<${#version_num[*]};i++ ))
 do
--- a/dependency/esdk_obs_api/build_obs.sh
+++ b/dependency/esdk_obs_api/build_obs.sh
@ -25,7 +25,7 @@ g_PATH=build
 NGHTTP_DIR=${TRUNK_DIR}/dependency/nghttp2/install_comm
 LIBXML2_DIR=${TRUNK_DIR}/dependency/libxml2/install_comm
 CURL_DIR=${TRUNK_DIR}/output/kernel/dependency/libcurl/comm
-OPENSSL_DIR=${TRUNK_DIR}/output/kernrl/dependency/openssl/comm
+OPENSSL_DIR=${TRUNK_DIR}/output/kernel/dependency/openssl/comm
 PCRE_DIR=${TRUNK_DIR}/dependency/pcre/install_comm
 LIBICONV_DIR=${TRUNK_DIR}/dependency/libiconv/install_comm
 SECUREC_DIR=${TRUNK_DIR}/output/kernel/platform/Huawei_Secure_C/comm
--- a/dependency/kerberos/build.py
+++ b/dependency/kerberos/build.py
@ -23,6 +23,7 @@ import subprocess
 #--------------------------------------------------------#

 source_code_path = "kerberos"
+openssl_path = os.getcwd() + "/../../output/kernel/dependency/openssl/%s/%s"

 class OPOperator():
    def __init__(self, mode, filename, compiletype):
@ -137,8 +138,10 @@ class OPOperator():
                prepare_cmd = 'mkdir -p %s/install/comm' % (self.local_dir)
                ret = self.exe_cmd(prepare_cmd)
                self.error_handler(ret)
-                config_cmd = "cd %s/%s/src; ./configure --prefix=%s/install/comm LDFLAGS='-Wl,-z,relro,-z,now' CFLAGS='-fstack-protector-strong -fPIC' --disable-rpath --disable-pkinit --with-system-verto=no" % (self.local_dir, source_code_path, self.local_dir)
-                print("cd %s/%s/src; ./configure --prefix=%s/install/comm LDFLAGS='-Wl,-z,relro,-z,now' CFLAGS='-fstack-protector-strong -fPIC' --disable-rpath --disable-pkinit --with-system-verto=no" % (self.local_dir, source_code_path, self.local_dir))
+                openssl_comm_lib = (openssl_path % ("comm", "lib"))
+                openssl_comm_include = (openssl_path % ("comm", "include"))
+                config_cmd = "cd %s/%s/src; ./configure --prefix=%s/install/comm  LDFLAGS='-Wl,-z,relro,-z,now -L%s' CFLAGS='-fstack-protector-strong -fPIC -I%s' --disable-rpath --disable-pkinit --with-system-verto=no" % (self.local_dir, source_code_path, self.local_dir, openssl_comm_lib, openssl_comm_include)
+                print(config_cmd)
                ret = self.exe_cmd(config_cmd)
                self.error_handler(ret)
                make_cmd = 'cd %s/%s/src; make -j%s && make install' % (self.local_dir, source_code_path, cpu_num)
@ -148,8 +151,10 @@ class OPOperator():
                prepare_cmd = 'mkdir -p %s/install/llt' % (self.local_dir)
                ret = self.exe_cmd(prepare_cmd)
                self.error_handler(ret)
-                config_cmd = "cd %s/%s/src; ./configure --prefix=%s/install/llt LDFLAGS='-Wl,-z,relro,-z,now' CFLAGS='-fstack-protector-strong -fPIC' --disable-rpath --disable-pkinit --with-system-verto=no" % (self.local_dir, source_code_path, self.local_dir)
-                print("cd %s/%s/src; ./configure --prefix=%s/install/llt LDFLAGS='-Wl,-z,relro,-z,now' CFLAGS='-fstack-protector-strong -fPIC' --disable-rpath --disable-pkinit --with-system-verto=no" % (self.local_dir, source_code_path, self.local_dir))
+                openssl_llt_lib = (openssl_path % ("llt", "lib"))
+                openssl_llt_include = (openssl_path % ("llt", "include"))
+                config_cmd = "cd %s/%s/src; ./configure --prefix=%s/install/llt LDFLAGS='-Wl,-z,relro,-z,now -L%s' CFLAGS='-fstack-protector-strong -fPIC -I%s' --disable-rpath --disable-pkinit --with-system-verto=no" % (self.local_dir, source_code_path, self.local_dir, openssl_llt_lib, openssl_llt_include)
+                print(config_cmd)
                ret = self.exe_cmd(config_cmd)
                self.error_handler(ret)
                make_cmd = 'cd %s/%s/src; make -j%s && make install' % (self.local_dir, source_code_path, cpu_num)
--- a/dependency/numactl/numactl-2.0.14.tar.gz
+++ b/dependency/numactl/numactl-2.0.14.tar.gz
--- a/dependency/numactl/numactl-2.0.16.tar.gz
+++ b/dependency/numactl/numactl-2.0.16.tar.gz
--- a/dependency/openssl/backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch
+++ b/dependency/openssl/backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch
@ -0,0 +1,201 @@
+From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+---
+ crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
+ test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index c811ae82d6..bcc66613cc 100644
+--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
+ * coefficient.  The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1.  Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
+    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+        return 0;
+
+    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
+    return k + 1;
+ }
+ 
+ /*
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 8c2cd05631..02cfd4e9d8 100644
+--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+    int ret = 0;
+    BN_CTX *ctx = BN_CTX_new();
+    BIGNUM *p, *a, *b;
+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+    TEST_info("Testing GF2m hardening\n");
+
+    BN_CTX_start(ctx);
+    p = BN_CTX_get(ctx);
+    a = BN_CTX_get(ctx);
+    if (!TEST_ptr(b = BN_CTX_get(ctx))
+        || !TEST_true(BN_one(a))
+        || !TEST_true(BN_one(b)))
+        goto out;
+
+    /* Even pentanomial value should be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf2)))
+        goto out;
+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Zero constant term accepted in GF2m polynomial");
+
+    /* Odd hexanomial should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf3)))
+        goto out;
+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Hexanomial accepted as GF2m polynomial");
+
+    /* Excessive polynomial degree should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0x71))
+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+        goto out;
+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("GF2m polynomial degree > %d accepted",
+                   OPENSSL_ECC_MAX_FIELD_BITS);
+
+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+    EC_GROUP_free(group1);
+    EC_GROUP_free(group2);
+    EC_GROUP_free(group3);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+
+    return ret;
+}
+
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
+    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+-- 
+2.43.0.windows.1
+
--- a/dependency/openssl/backport-Pipeline-output-input-buf-arrays-must-live-until-the.patch
+++ b/dependency/openssl/backport-Pipeline-output-input-buf-arrays-must-live-until-the.patch
@ -0,0 +1,45 @@
+From df9c7ceefef59cc870c80346906471fabec62494 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 21 Oct 2022 14:08:29 +0100
+Subject: [PATCH] Pipeline output/input buf arrays must live until the
+ EVP_Cipher is called
+
+Conflict:adapt context
+Reference:https://github.com/openssl/openssl/commit/df9c7ceefef59cc870c80346906471fabec62494
+
+The pipeline input/output buf arrays must remain accessible to the
+EVP_CIPHER_CTX until EVP_Cipher is subsequently called. This fixes an
+asan error discovered by the newly added pipeline test.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/20208)
+---
+ ssl/record/ssl3_record.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
+index 368aaea5e9..4256f29663 100644
+--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
+@@ -964,6 +964,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
+     EVP_CIPHER_CTX *ds;
+     size_t reclen[SSL_MAX_PIPELINES];
+     unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
+    unsigned char *data[SSL_MAX_PIPELINES];
+     int i, pad = 0, ret, tmpr;
+     size_t bs, mac_size = 0, ctr, padnum, loop;
+     unsigned char padval;
+@@ -1123,8 +1124,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
+             }
+         }
+         if (n_recs > 1) {
+-            unsigned char *data[SSL_MAX_PIPELINES];
+-
+             /* Set the output buffers */
+             for (ctr = 0; ctr < n_recs; ctr++) {
+                 data[ctr] = recs[ctr].data;
+-- 
+2.33.0
+
--- a/dependency/openssl/patch_list
+++ b/dependency/openssl/patch_list
@ -70,4 +70,6 @@ Patch71:     backport-Add-a-test-for-session-cache-handling.patch
 Patch72:     backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch
 Patch73:     backport-Hardening-around-not_resumable-sessions.patch
 Patch74:     backport-Add-a-test-for-session-cache-overflow.patch
-Patch75:     backport-CVE-2024-5535-Fix-SSL_select_next_proto-and-add-ALPN.patch
+Patch75:     backport-CVE-2024-5535-Fix-SSL_select_next_proto-and-add-ALPN.patch
+Patch76:     backport-Pipeline-output-input-buf-arrays-must-live-until-the.patch
+Patch77:     backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch 
--- a/dependency/psutil/build.sh
+++ b/dependency/psutil/build.sh
@ -31,7 +31,7 @@ cp -r build/lib*/* $TARGET_PATH
 cp ../_psutil_linux.py $TARGET_PATH/psutil/
 cp ../_psutil_posix.py $TARGET_PATH/psutil/

-version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
+version_num=("3.6" "3.7" "3.8" "3.9" "3.10" "3.11")
 for (( i=0;i<${#version_num[*]};i++ ))
 do
    if [[ $(python3 -V | awk '{print $2}') =~ ${version_num[$i]} ]]; then
--- a/dependency/pynacl/build.sh
+++ b/dependency/pynacl/build.sh
@ -27,7 +27,7 @@ fi
 sed -i "s/\"wheel\"//g" setup.py
 CFLAGS="-fstack-protector-strong -Wl,-z,relro,-z,now" python3 setup.py build

-version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
+version_num=("3.6" "3.7" "3.8" "3.9" "3.10" "3.11")
 lib_dir=""
 for (( i=0;i<${#version_num[*]};i++ ))
 do
Author	SHA1	Message	Date
opengauss_bot	684e893ce7	!279 修改cmake推荐版本 Merge pull request !279 from zzh/fix3	2024-11-21 11:05:43 +00:00
opengauss_bot	090cccf811	!278 fix CVE-2024-9143 Merge pull request !278 from 蒋宏博/dev	2024-11-21 11:00:00 +00:00
zzh	1718ce4702	修改cmake编译版本	2024-11-20 17:47:30 +08:00
蒋宏博	839863f3cd	fix CVE-2024-9143	2024-11-20 11:45:03 +08:00
opengauss_bot	4b9e32f242	!276 支持openEuler24.03LTS编译、运行 Merge pull request !276 from zzh/fix2	2024-11-12 09:35:04 +00:00
opengauss_bot	8515f03762	!277 aws编译指定使用社区openssl/zlib Merge pull request !277 from lukeman/master	2024-11-12 01:55:23 +00:00
lukeman	345ddcb638	aws编译指定使用社区openssl/zlib	2024-11-11 22:02:57 +08:00
zzh	4fe1bbb503	添加python3.11版本	2024-11-08 18:23:28 +08:00
opengauss_bot	f95b22a890	!275 kerberos编译指定使用社区openssl Merge pull request !275 from 蒋宏博/dev	2024-11-04 07:33:12 +00:00
蒋宏博	fbfee5a3d3	kerberos编译指定使用社区openssl	2024-11-04 11:40:31 +08:00
zhangxubo	5eec8b0969	!240 解决build_obs.sh中OPENSSL_DIR路径错误 Merge pull request !240 from zhangfei/master	2024-11-02 09:18:59 +00:00
opengauss_bot	3a6f927bec	!274 更新readme Merge pull request !274 from 李锦波/master	2024-10-31 01:46:51 +00:00
李锦波	2536bbef00	更新readme	2024-10-30 18:20:27 +08:00
zhangfei	621518ced0	解决build_obs.sh中OPENSSL_DIR路径错误 Signed-off-by: zhangfei <zhangfei@njis.ac.cn>	2024-02-27 00:48:05 -05:00