deps: upgrade openssl sources to 1.0.2n

This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Daniel Bevenius <[email protected]>

deps/openssl/openssl/CHANGES

@@ -7,6 +7,51 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
+
+  *) Read/write after SSL object in error state
+
+     OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
+     mechanism. The intent was that if a fatal error occurred during a handshake
+     then OpenSSL would move into the error state and would immediately fail if
+     you attempted to continue the handshake. This works as designed for the
+     explicit handshake functions (SSL_do_handshake(), SSL_accept() and
+     SSL_connect()), however due to a bug it does not work correctly if
+     SSL_read() or SSL_write() is called directly. In that scenario, if the
+     handshake fails then a fatal error will be returned in the initial function
+     call. If SSL_read()/SSL_write() is subsequently called by the application
+     for the same SSL object then it will succeed and the data is passed without
+     being decrypted/encrypted directly from the SSL/TLS record layer.
+
+     In order to exploit this issue an application bug would have to be present
+     that resulted in a call to SSL_read()/SSL_write() being issued after having
+     already received a fatal error.
+
+     This issue was reported to OpenSSL by David Benjamin (Google).
+     (CVE-2017-3737)
+     [Matt Caswell]
+
+  *) rsaz_1024_mul_avx2 overflow bug on x86_64
+
+     There is an overflow bug in the AVX2 Montgomery multiplication procedure
+     used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+     Analysis suggests that attacks against RSA and DSA as a result of this
+     defect would be very difficult to perform and are not believed likely.
+     Attacks against DH1024 are considered just feasible, because most of the
+     work necessary to deduce information about a private key may be performed
+     offline. The amount of resources required for such an attack would be
+     significant. However, for an attack on TLS to be meaningful, the server
+     would have to share the DH1024 private key among multiple clients, which is
+     no longer an option since CVE-2016-0701.
+
+     This only affects processors that support the AVX2 but not ADX extensions
+     like Intel Haswell (4th generation).
+
+     This issue was reported to OpenSSL by David Benjamin (Google). The issue
+     was originally found via the OSS-Fuzz project.
+     (CVE-2017-3738)
+     [Andy Polyakov]
+
  Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
 
   *) bn_sqrx8x_internal carry bug on x86_64

deps/openssl/openssl/Configure

@@ -592,9 +592,9 @@ my %table=(
 "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
 # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
-"VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+"VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 # Unified CE target
-"debug-VC-WIN32","cl:-W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+"debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 
 # Borland C++ 4.5

deps/openssl/openssl/Makefile

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2m
+VERSION=1.0.2n
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/Makefile.bak

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2m
+VERSION=1.0.2n
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/NEWS

@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
+
+      o Read/write after SSL object in error state (CVE-2017-3737)
+      o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
+
   Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]
 
       o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2m 2 Nov 2017
+ OpenSSL 1.0.2n 7 Dec 2017
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

deps/openssl/openssl/apps/app_rand.c

@@ -124,16 +124,7 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
     char buffer[200];
 
 #ifdef OPENSSL_SYS_WINDOWS
-    /*
-     * allocate 2 to dont_warn not to use RAND_screen() via
-     * -no_rand_screen option in s_client
-     */
-    if (dont_warn != 2) {
-      BIO_printf(bio_e, "Loading 'screen' into random state -");
-      BIO_flush(bio_e);
-      RAND_screen();
-      BIO_printf(bio_e, " done\n");
-    }
+    RAND_screen();
 #endif
 
     if (file == NULL)

deps/openssl/openssl/apps/apps.c

@@ -148,6 +148,10 @@
 #ifdef _WIN32
 static int WIN32_rename(const char *from, const char *to);
 # define rename(from,to) WIN32_rename((from),(to))
+# ifdef fileno
+#  undef fileno
+# endif
+# define fileno(a) (int)_fileno(a)
 #endif
 
 typedef struct {
@@ -2788,13 +2792,13 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
                 OPENSSL_free(out);
                 return NULL;
             }
-            out[start] = i - start;
+            out[start] = (unsigned char)(i - start);
             start = i + 1;
         } else
             out[i + 1] = in[i];
     }
 
-    *outlen = len + 1;
+    *outlen = (unsigned char)(len + 1);
     return out;
 }
 #endif                          /* ndef OPENSSL_NO_TLSEXT */

deps/openssl/openssl/apps/dsa.c

@@ -327,6 +327,9 @@ int MAIN(int argc, char **argv)
     } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
         EVP_PKEY *pk;
         pk = EVP_PKEY_new();
+        if (pk == NULL)
+           goto end;
+
         EVP_PKEY_set1_DSA(pk, dsa);
         if (outformat == FORMAT_PVK)
             i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);

deps/openssl/openssl/apps/s_client.c

@@ -180,13 +180,6 @@ typedef unsigned int u_int;
 # include <fcntl.h>
 #endif
 
-/* Use Windows API with STD_INPUT_HANDLE when checking for input?
-   Don't look at OPENSSL_SYS_MSDOS for this, since it is always defined if
-   OPENSSL_SYS_WINDOWS is defined */
-#if defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WINCE) && defined(STD_INPUT_HANDLE)
-#define OPENSSL_USE_STD_INPUT_HANDLE
-#endif
-
 #undef PROG
 #define PROG    s_client_main
 
@@ -236,7 +229,6 @@ static BIO *bio_c_msg = NULL;
 static int c_quiet = 0;
 static int c_ign_eof = 0;
 static int c_brief = 0;
-static int c_no_rand_screen = 0;
 
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -452,10 +444,6 @@ static void sc_usage(void)
                " -keymatexport label   - Export keying material using label\n");
     BIO_printf(bio_err,
                " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
-#ifdef OPENSSL_SYS_WINDOWS
-    BIO_printf(bio_err,
-               " -no_rand_screen  - Do not use RAND_screen() to initialize random state\n");
-#endif
 }
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -642,10 +630,11 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
     unsigned char ext_buf[4 + 65536];
 
     /* Reconstruct the type/len fields prior to extension data */
-    ext_buf[0] = ext_type >> 8;
-    ext_buf[1] = ext_type & 0xFF;
-    ext_buf[2] = inlen >> 8;
-    ext_buf[3] = inlen & 0xFF;
+    inlen &= 0xffff; /* for formal memcpy correctness */
+    ext_buf[0] = (unsigned char)(ext_type >> 8);
+    ext_buf[1] = (unsigned char)(ext_type);
+    ext_buf[2] = (unsigned char)(inlen >> 8);
+    ext_buf[3] = (unsigned char)(inlen);
     memcpy(ext_buf + 4, in, inlen);
 
     BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
@@ -1148,10 +1137,6 @@ int MAIN(int argc, char **argv)
             keymatexportlen = atoi(*(++argv));
             if (keymatexportlen == 0)
                 goto bad;
-#ifdef OPENSSL_SYS_WINDOWS
-        } else if (strcmp(*argv, "-no_rand_screen") == 0) {
-          c_no_rand_screen = 1;
-#endif
         } else {
             BIO_printf(bio_err, "unknown option %s\n", *argv);
             badop = 1;
@@ -1268,7 +1253,7 @@ int MAIN(int argc, char **argv)
     if (!load_excert(&exc, bio_err))
         goto end;
 
-    if (!app_RAND_load_file(NULL, bio_err, ++c_no_rand_screen) && inrand == NULL
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
         && !RAND_status()) {
         BIO_printf(bio_err,
                    "warning, not much extra random data, consider using the -rand option\n");
@@ -1808,16 +1793,17 @@ int MAIN(int argc, char **argv)
                     tv.tv_usec = 0;
                     i = select(width, (void *)&readfds, (void *)&writefds,
                                NULL, &tv);
-#if defined(OPENSSL_USE_STD_INPUT_HANDLE)
+# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
+                    if (!i && (!_kbhit() || !read_tty))
+                        continue;
+# else
                     if (!i && (!((_kbhit())
                                  || (WAIT_OBJECT_0 ==
                                      WaitForSingleObject(GetStdHandle
                                                          (STD_INPUT_HANDLE),
                                                          0)))
                                || !read_tty))
                         continue;
-#else
-                    if(!i && (!_kbhit() || !read_tty) ) continue;
 # endif
                 } else
                     i = select(width, (void *)&readfds, (void *)&writefds,
@@ -2019,12 +2005,12 @@ int MAIN(int argc, char **argv)
             }
         }
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-#if defined(OPENSSL_USE_STD_INPUT_HANDLE)
+# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
+        else if (_kbhit())
+# else
         else if ((_kbhit())
                  || (WAIT_OBJECT_0 ==
                      WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
-#else
-        else if (_kbhit())
 # endif
 #elif defined (OPENSSL_SYS_NETWARE)
         else if (_kbhit())

deps/openssl/openssl/apps/speed.c

@@ -2829,8 +2829,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)
 
                 RAND_bytes(out, 16);
                 len += 16;
-                aad[11] = len >> 8;
-                aad[12] = len;
+                aad[11] = (unsigned char)(len >> 8);
+                aad[12] = (unsigned char)(len);
                 pad = EVP_CIPHER_CTX_ctrl(&ctx,
                                           EVP_CTRL_AEAD_TLS1_AAD,
                                           EVP_AEAD_TLS1_AAD_LEN, aad);

deps/openssl/openssl/crypto/aes/asm/aes-armv4.pl

@@ -184,7 +184,7 @@
 #if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_encrypt
 #else
-	adr	r3,AES_encrypt
+	adr	r3,.
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
@@ -430,7 +430,7 @@
 #if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_set_encrypt_key
 #else
-	adr	r3,private_AES_set_encrypt_key
+	adr	r3,.
 #endif
 	teq	r0,#0
 #if __ARM_ARCH__>=7
@@ -952,7 +952,7 @@
 #if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_decrypt
 #else
-	adr	r3,AES_decrypt
+	adr	r3,.
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp

deps/openssl/openssl/crypto/aes/asm/bsaes-armv7.pl

@@ -724,7 +724,7 @@ sub bitslice {
 .type	_bsaes_decrypt8,%function
 .align	4
 _bsaes_decrypt8:
-	adr	$const,_bsaes_decrypt8
+	adr	$const,.
 	vldmia	$key!, {@XMM[9]}		@ round 0 key
 	add	$const,$const,#.LM0ISR-_bsaes_decrypt8
 
@@ -819,7 +819,7 @@ sub bitslice {
 .type	_bsaes_encrypt8,%function
 .align	4
 _bsaes_encrypt8:
-	adr	$const,_bsaes_encrypt8
+	adr	$const,.
 	vldmia	$key!, {@XMM[9]}		@ round 0 key
 	sub	$const,$const,#_bsaes_encrypt8-.LM0SR
 
@@ -923,7 +923,7 @@ sub bitslice_key {
 .type	_bsaes_key_convert,%function
 .align	4
 _bsaes_key_convert:
-	adr	$const,_bsaes_key_convert
+	adr	$const,.
 	vld1.8	{@XMM[7]},  [$inp]!		@ load round 0 key
 	sub	$const,$const,#_bsaes_key_convert-.LM0
 	vld1.8	{@XMM[15]}, [$inp]!		@ load round 1 key

deps/openssl/openssl/crypto/asn1/a_i2d_fp.c

@@ -87,6 +87,9 @@ int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x)
     int i, j = 0, n, ret = 1;
 
     n = i2d(x, NULL);
+    if (n <= 0)
+        return 0;
+
     b = (char *)OPENSSL_malloc(n);
     if (b == NULL) {
         ASN1err(ASN1_F_ASN1_I2D_BIO, ERR_R_MALLOC_FAILURE);

deps/openssl/openssl/crypto/bio/b_print.c

@@ -385,7 +385,7 @@ _dopr(char **sbuffer,
                 if (cflags == DP_C_SHORT) {
                     short int *num;
                     num = va_arg(args, short int *);
-                    *num = currlen;
+                    *num = (short int)currlen;
                 } else if (cflags == DP_C_LONG) { /* XXX */
                     long int *num;
                     num = va_arg(args, long int *);
@@ -502,7 +502,7 @@ fmtint(char **sbuffer,
     if (!(flags & DP_F_UNSIGNED)) {
         if (value < 0) {
             signvalue = '-';
-            uvalue = -(unsigned LLONG)value;
+            uvalue = 0 - (unsigned LLONG)value;
         } else if (flags & DP_F_PLUS)
             signvalue = '+';
         else if (flags & DP_F_SPACE)