Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.1.1k+quic
Browse files Browse the repository at this point in the history
This updates all sources in deps/openssl/openssl by:
    $ git clone https://github.com/quictls/openssl
    $ cd openssl
    $ git checkout OpenSSL_1_1_1k+quic
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ cd openssl && rm -rf .gitattributes .github/ .gitmodules .travis-apt-pin.preferences  .travis-create-release.sh
    $ cd ..
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37916
Fixes: #37913
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
  • Loading branch information
hassaanp authored and gengjiawen committed Mar 31, 2021
1 parent 30fe4ed commit 6f2085d
Show file tree
Hide file tree
Showing 40 changed files with 600 additions and 208 deletions.
44 changes: 44 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,50 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

*) Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
of the certificates present in a certificate chain. It is not set by
default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.

In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
(CVE-2021-3450)
[Tomáš Mráz]

*) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client. If a TLSv1.2
renegotiation ClientHello omits the signature_algorithms extension (where
it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will
result, leading to a crash and a denial of service attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted
by this issue.
(CVE-2021-3449)
[Peter Kästle and Samuel Sapalski]

Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

*) Fixed the X509_issuer_and_serial_hash() function. It attempts to
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/Configurations/unix-Makefile.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -917,8 +917,8 @@ errors:
done )

ordinals:
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl ssl update )
$(PERL) $(SRCDIR)/util/mkdef.pl crypto update
$(PERL) $(SRCDIR)/util/mkdef.pl ssl update

test_ordinals:
( cd test; \
Expand Down
8 changes: 8 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

o Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
o Fixed an issue where an OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client
(CVE-2021-3449)

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
Expand Down
93 changes: 0 additions & 93 deletions deps/openssl/openssl/README

This file was deleted.

4 changes: 2 additions & 2 deletions deps/openssl/openssl/README-OpenSSL.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@

OpenSSL 1.1.1j 16 Feb 2021
OpenSSL 1.1.1k 25 Mar 2021

Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ How are you keeping current with OpenSSL?
-----------------------------------------
(In other words, "What about rebasing?")

Our plan it to always rebase on top of an upstream release tag. In particular:
Our plan is to always rebase on top of an upstream release tag. In particular:
- The changes for QUIC will always be at the tip of the branch -- you will know what
is from the original OpenSSL and what is for QUIC.
- New versions are quickly created once upstream creates a new tag.
Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/apps/s_cb.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -934,7 +934,8 @@ static int set_cert_cb(SSL *ssl, void *arg)
if (!SSL_build_cert_chain(ssl, 0))
return 0;
} else if (exc->chain != NULL) {
SSL_set1_chain(ssl, exc->chain);
if (!SSL_set1_chain(ssl, exc->chain))
return 0;
}
}
exc = exc->prev;
Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/apps/s_time.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -263,7 +263,8 @@ int s_time_main(int argc, char **argv)
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);

/*
* Now loop and time connections using the same session id over and over
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/crypto/asn1/asn1_par.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -325,6 +325,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
}
if (BIO_puts(bp, "]") <= 0)
goto end;
dump_cont = 0;
}

if (!nl) {
Expand Down
4 changes: 3 additions & 1 deletion deps/openssl/openssl/crypto/asn1/bio_ndef.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -113,6 +113,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
ndef_aux = *(NDEF_SUPPORT **)parg;

derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
if (derlen < 0)
return 0;
if ((p = OPENSSL_malloc(derlen)) == NULL) {
ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE);
return 0;
Expand Down
17 changes: 15 additions & 2 deletions deps/openssl/openssl/crypto/engine/eng_devcrypto.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -758,15 +758,28 @@ static int devcrypto_unload(ENGINE *e)
void engine_load_devcrypto_int()
{
ENGINE *e = NULL;
int fd;

if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
#ifndef ENGINE_DEVCRYPTO_DEBUG
if (errno != ENOENT)
#endif
fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
return;
}

#ifdef CRIOGET
if (ioctl(fd, CRIOGET, &cfd) < 0) {
fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
close(fd);
cfd = -1;
return;
}
close(fd);
#else
cfd = fd;
#endif

if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/crypto/evp/evp_enc.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down
8 changes: 5 additions & 3 deletions deps/openssl/openssl/crypto/modes/cbc128.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
in += 16;
out += 16;
}
memcpy(ivec, iv, 16);
if (ivec != iv)
memcpy(ivec, iv, 16);
}

void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
Expand Down Expand Up @@ -114,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
out += 16;
}
}
memcpy(ivec, iv, 16);
if (ivec != iv)
memcpy(ivec, iv, 16);
} else {
if (STRICT_ALIGNMENT &&
((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/modes/gcm128.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -1385,8 +1385,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
else
ctx->Yi.d[3] = ctr;
for (i = 0; i < 16 / sizeof(size_t); ++i) {
size_t c = in[i];
out[i] = c ^ ctx->EKi.t[i];
size_t c = in_t[i];
out_t[i] = c ^ ctx->EKi.t[i];
ctx->Xi.t[i] ^= c;
}
GCM_MUL(ctx);
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/o_time.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -133,8 +133,8 @@ int OPENSSL_gmtime_diff(int *pday, int *psec,
static int julian_adj(const struct tm *tm, int off_day, long offset_sec,
long *pday, int *psec)
{
int offset_hms, offset_day;
long time_jd;
int offset_hms;
long offset_day, time_jd;
int time_year, time_month, time_day;
/* split offset into days and day seconds */
offset_day = offset_sec / SECS_PER_DAY;
Expand Down
8 changes: 6 additions & 2 deletions deps/openssl/openssl/crypto/rand/rand_lib.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -432,9 +432,13 @@ int RAND_poll(void)
RAND_POOL *rand_pool_new(int entropy_requested, int secure,
size_t min_len, size_t max_len)
{
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
RAND_POOL *pool;
size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);

if (!RUN_ONCE(&rand_init, do_rand_init))
return NULL;

pool = OPENSSL_zalloc(sizeof(*pool));
if (pool == NULL) {
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/crypto/rsa/rsa_ssl.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down
Loading

0 comments on commit 6f2085d

Please sign in to comment.