Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to openssl-1.0.2c #1958

Closed
wants to merge 7 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 10 additions & 40 deletions deps/openssl/doc/UPGRADING.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
## How to upgrade openssl library in io.js

This document describes the procedure to upgrade openssl from 1.0.1m
to 1.0.2a in io.js.
This document describes the procedure to upgrade openssl from 1.0.2a
to 1.0.2c in io.js.


### Build System and Upgrading Overview
Expand Down Expand Up @@ -91,16 +91,16 @@ https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha5
otherwise asm_obsolete are used.

The following is the detail instruction steps how to upgrade openssl
version from 1.0.1m to 1.0.2a in iojs.
version from 1.0.2a to 1.0.2c in iojs.

### 1. Replace openssl source in `deps/openssl/openssl`
Remove old openssl sources in `deps/openssl/openssl` .
Get original openssl sources from
https://www.openssl.org/source/openssl-1.0.2a.tar.gz and extract all
https://www.openssl.org/source/openssl-1.0.2c.tar.gz and extract all
files into `deps/openssl/openssl` .

### 2. Apply private patches
There are three kinds of private patches to be applied in openssl-1.0.2a.
There are three kinds of private patches to be applied in openssl-1.0.2c.

- The two fixes of assembly error on ia32 win32. masm is no longer
supported in openssl. We should move to use nasm or yasm in future
Expand All @@ -109,13 +109,8 @@ There are three kinds of private patches to be applied in openssl-1.0.2a.
- The fix of openssl-cli built on win. Key press requirement of
openssl-cli in win causes timeout failures of several tests.

- Backport patches for alt cert feature from openssl-1.1.x. Root certs
of 1024bit RSA key length were deprecated in io.js. When a tls
server has a cross root cert, io.js client leads CERT_UNTRUSTED
error because openssl does not find alternate cert chains. This fix
supports its feature but was made the current master which is
openssl-1.1.x. We backported them privately into openssl-1.0.2 on
iojs.
- A new `-no_rand_screen` option to openssl s_client. This makes test
time of test-tls-server-verify be much faster.

### 3. Replace openssl header files in `deps/openssl/openssl/include/openssl`
all header files in `deps/openssl/openssl/include/openssl/*.h` are
Expand All @@ -126,35 +121,10 @@ file such as
#include "../../crypto/aes/aes.h"
````
### 4. Change `opensslconf.h` so as to fit each platform.
The opensslconf.h in each target was created in advance by typing
`deps/openssl/openssl/Configure {target}` and copied
into `deps/openssl/conf/archs/{target}/opensslconf.h`.
`deps/openssl/conf/openssconf.h` includes each file according to its
target by checking pre-defined compiler macros. These can be generated
by using `deps/openssl/conf/Makefile`

We should remove OPENSSL_CPUID_OBJ define in opensslconf.h because it
causes build error when --openss-no-asm option is specified. Instead,
the OPENSSL_CPUID_OBJ is defined in `deps/openssl/openssl.gypi`
according to the configure options.

One fix of opensslconf.h is needed in 64-bit MacOS.
The current openssl release does not use RC4 asm since it explicitly
specified as `$asm=~s/rc4\-[^:]+//;` in
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/Configure#L584
But iojs has used RC4 asm on MacOS for long time. Fix type of RC4_INT
into `unsigned int` in opensslconf.h of darwin64-x86_64-cc to work on
the RC4 asm.
No change.

### 5. Update openssl.gyp and openssl.gypi
Sources, cflags and define parameters that depends on each target can
be obtained via `Configure TABLE`. Its list is put in the table of
[define and cflags changes in openssl-1.0.2a](openssl_define_list.pdf)

There is no way to verify all necessary sources automatically. We can
only carefully look at the source list and compiled objects in
Makefile of openssl and compare the compiled objects that stored
stored under `out/Release/obj.target/openssl/deps/openssl/' in iojs.
No change.

### 6. ASM files for openssl
We provide two sets of asm files. One is for the latest assembler
Expand All @@ -163,7 +133,7 @@ and the other is the older one.
### 6.1. asm files for the latest compiler
This was made in `deps/openssl/asm/Makefile`
- Updated asm files for each platforms which are required in
openssl-1.0.2a.
openssl-1.0.2c.
- Some perl files need CC and ASM envs. Added a check if these envs
exist. Followed asm files are to be generated with CC=gcc and
ASM=nasm on Linux. See
Expand Down
6 changes: 6 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,12 @@
OpenSSL CHANGES
_______________

Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.

Changes between 1.0.2a and 1.0.2b [11 Jun 2015]

*) Malformed ECParameters causes infinite loop
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2b
VERSION=1.0.2c
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Makefile.bak
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2b-dev
VERSION=1.0.2c-dev
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
Expand Down
4 changes: 4 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]

o Fix HMAC ABI incompatibility

Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]

o Malformed ECParameters causes infinite loop (CVE-2015-1788)
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

OpenSSL 1.0.2b 11 Jun 2015
OpenSSL 1.0.2c 12 Jun 2015

Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Expand Down
19 changes: 7 additions & 12 deletions deps/openssl/openssl/crypto/hmac/hmac.c
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
}
#endif
/* If we are changing MD then we must have a key */
if (md != NULL && md != ctx->md && (key == NULL || len < 0))
return 0;

if (md != NULL) {
reset = 1;
Expand All @@ -107,9 +110,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
return 0;
}

if (!ctx->key_init && key == NULL)
return 0;

if (key != NULL) {
reset = 1;
j = EVP_MD_block_size(md);
Expand All @@ -131,7 +131,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
if (ctx->key_length != HMAC_MAX_MD_CBLOCK)
memset(&ctx->key[ctx->key_length], 0,
HMAC_MAX_MD_CBLOCK - ctx->key_length);
ctx->key_init = 1;
}

if (reset) {
Expand Down Expand Up @@ -169,7 +168,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
if (FIPS_mode() && !ctx->i_ctx.engine)
return FIPS_hmac_update(ctx, data, len);
#endif
if (!ctx->key_init)
if (!ctx->md)
return 0;

return EVP_DigestUpdate(&ctx->md_ctx, data, len);
Expand All @@ -184,7 +183,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
return FIPS_hmac_final(ctx, md, len);
#endif

if (!ctx->key_init)
if (!ctx->md)
goto err;

if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
Expand All @@ -205,7 +204,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx)
EVP_MD_CTX_init(&ctx->i_ctx);
EVP_MD_CTX_init(&ctx->o_ctx);
EVP_MD_CTX_init(&ctx->md_ctx);
ctx->key_init = 0;
ctx->md = NULL;
}

Expand All @@ -217,11 +215,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
goto err;
if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx))
goto err;
dctx->key_init = sctx->key_init;
if (sctx->key_init) {
memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
dctx->key_length = sctx->key_length;
}
memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
dctx->key_length = sctx->key_length;
dctx->md = sctx->md;
return 1;
err:
Expand Down
1 change: 0 additions & 1 deletion deps/openssl/openssl/crypto/hmac/hmac.h
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,6 @@ typedef struct hmac_ctx_st {
EVP_MD_CTX o_ctx;
unsigned int key_length;
unsigned char key[HMAC_MAX_MD_CBLOCK];
int key_init;
} HMAC_CTX;

# define HMAC_size(e) (EVP_MD_size((e)->md))
Expand Down
7 changes: 6 additions & 1 deletion deps/openssl/openssl/crypto/hmac/hmactest.c
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,12 @@ int main(int argc, char *argv[])
err++;
goto test6;
}
if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
printf("Should disallow changing MD without a new key (test 5)\n");
err++;
goto test6;
}
if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) {
printf("Failed to reinitialise HMAC (test 5)\n");
err++;
goto test6;
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/opensslv.h
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1000202fL
# define OPENSSL_VERSION_NUMBER 0x1000203fL
# ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2b-fips 11 Jun 2015"
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015"
# else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2b 11 Jun 2015"
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/openssl.spec
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Release: 1

Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
Version: 1.0.2b
Version: 1.0.2c
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
Expand Down
12 changes: 6 additions & 6 deletions deps/openssl/openssl/ssl/t1_lib.c
Original file line number Diff line number Diff line change
Expand Up @@ -2016,12 +2016,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,

s->srtp_profile = NULL;

if (data >= (d + n - 2)) {
if (data != d + n)
goto err;
else
goto ri_check;
}
if (data == d + n)
goto ri_check;

if (data > (d + n - 2))
goto err;

n2s(data, len);

if (data > (d + n - len))
Expand Down