From 3417cc57775fd80a077582b4a4ae320676643e23 Mon Sep 17 00:00:00 2001 From: Hassaan Pasha Date: Tue, 31 Mar 2020 18:04:58 +0500 Subject: [PATCH] deps: upgrade openssl sources to 1.1.1f MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This updates all sources in deps/openssl/openssl by: $ cd deps/openssl/ $ rm -rf openssl $ tar zxf ~/tmp/openssl-1.1.1f.tar.gz $ mv openssl-1.1.0h openssl $ git add --all openssl $ git commit openssl PR-URL: https://github.com/nodejs/node/pull/32583 Reviewed-By: Sam Roberts Reviewed-By: James M Snell Reviewed-By: Tobias Nießen --- deps/openssl/openssl/CHANGES | 18 ++ .../openssl/Configurations/unix-Makefile.tmpl | 200 ++++++++--------- deps/openssl/openssl/NEWS | 6 + deps/openssl/openssl/README | 4 +- deps/openssl/openssl/apps/rehash.c | 14 +- deps/openssl/openssl/apps/s_server.c | 4 +- deps/openssl/openssl/crypto/bn/bn_local.h | 5 +- deps/openssl/openssl/crypto/bn/bn_prime.c | 201 ++++++------------ deps/openssl/openssl/crypto/conf/conf_lib.c | 8 +- deps/openssl/openssl/crypto/err/openssl.txt | 1 - deps/openssl/openssl/crypto/ex_data.c | 6 +- deps/openssl/openssl/crypto/pkcs12/p12_crt.c | 5 +- deps/openssl/openssl/crypto/ts/ts_rsp_sign.c | 5 +- .../openssl/openssl/crypto/ts/ts_rsp_verify.c | 10 +- deps/openssl/openssl/crypto/x509/x509_cmp.c | 9 +- deps/openssl/openssl/crypto/x509/x509_trs.c | 7 +- deps/openssl/openssl/crypto/x509/x509_vfy.c | 10 +- deps/openssl/openssl/crypto/x509/x_all.c | 8 +- deps/openssl/openssl/crypto/x509/x_crl.c | 37 ++-- deps/openssl/openssl/crypto/x509v3/v3_purp.c | 97 ++++++--- .../openssl/doc/man3/BN_generate_prime.pod | 10 +- .../openssl/doc/man3/SSL_get_error.pod | 14 +- .../doc/man3/X509_get_extension_flags.pod | 13 +- deps/openssl/openssl/include/crypto/bn_conf.h | 1 - .../openssl/openssl/include/crypto/dso_conf.h | 1 - .../openssl/include/openssl/opensslconf.h | 1 - .../openssl/include/openssl/opensslv.h | 6 +- deps/openssl/openssl/include/openssl/sslerr.h | 1 - .../openssl/openssl/ssl/record/rec_layer_s3.c | 6 - deps/openssl/openssl/ssl/ssl_err.c | 4 +- 30 files changed, 367 insertions(+), 345 deletions(-) delete mode 100644 deps/openssl/openssl/include/crypto/bn_conf.h delete mode 100644 deps/openssl/openssl/include/crypto/dso_conf.h delete mode 100644 deps/openssl/openssl/include/openssl/opensslconf.h diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES index 0250e4ef026bf7..f4230aaac03185 100644 --- a/deps/openssl/openssl/CHANGES +++ b/deps/openssl/openssl/CHANGES @@ -7,6 +7,24 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1e and 1.1.1f [31 Mar 2020] + + *) Revert the change of EOF detection while reading in libssl to avoid + regressions in applications depending on the current way of reporting + the EOF. As the existing method is not fully accurate the change to + reporting the EOF via SSL_ERROR_SSL is kept on the current development + branch and will be present in the 3.0 release. + [Tomas Mraz] + + *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1 + when primes for RSA keys are computed. + Since we previously always generated primes == 2 (mod 3) for RSA keys, + the 2-prime and 3-prime RSA modules were easy to distinguish, since + N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting + 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. + This avoids possible fingerprinting of newly generated RSA modules. + [Bernd Edlinger] + Changes between 1.1.1d and 1.1.1e [17 Mar 2020] *) Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the diff --git a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl index 9bf54f21277fcb..3a24d551359bd0 100644 --- a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl +++ b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl @@ -547,78 +547,78 @@ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev install_docs: install_man_docs install_html_docs uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r $(DESTDIR)$(DOCDIR) + $(RM) -r "$(DESTDIR)$(DOCDIR)" install_ssldirs: - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/certs" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/private" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/misc" @set -e; for x in dummy $(MISC_SCRIPTS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ x1=`echo "$$x" | cut -f1 -d:`; \ x2=`echo "$$x" | cut -f2 -d:`; \ fn=`basename $$x1`; \ $(ECHO) "install $$x1 -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ - cp $$x1 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \ - chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \ - mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \ - $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \ + cp $$x1 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \ + mv -f "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new" \ + "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ if [ "$$x1" != "$$x2" ]; then \ ln=`basename "$$x2"`; \ : {- output_off() unless windowsdll(); "" -}; \ $(ECHO) "copy $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ - cp $(DESTDIR)$(OPENSSLDIR)/misc/$$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \ + cp "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn" "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \ : {- output_on() unless windowsdll(); output_off() if windowsdll(); "" -}; \ $(ECHO) "link $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \ - ln -sf $$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \ + ln -sf $$fn "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \ : {- output_on() if windowsdll(); "" -}; \ fi; \ done @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" - @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new - @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new - @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist + @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" + @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" + @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ - cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ - chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ + cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ + chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ fi @$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" - @cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new - @chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new - @mv -f $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist + @cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" + @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" + @mv -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf" ]; then \ $(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \ - cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \ - chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \ + cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \ + chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \ fi install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/include/openssl" @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} @$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" - @cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c + @cp $(SRCDIR)/ms/applink.c "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" + @chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ $(ECHO) "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ - cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \ - chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \ + cp $$i "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ + chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ done - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)" @set -e; for l in $(INSTALL_LIBS); do \ fn=`basename $$l`; \ $(ECHO) "install $$l -> $(DESTDIR)$(libdir)/$$fn"; \ - cp $$l $(DESTDIR)$(libdir)/$$fn.new; \ - $(RANLIB) $(DESTDIR)$(libdir)/$$fn.new; \ - chmod 644 $(DESTDIR)$(libdir)/$$fn.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn.new \ - $(DESTDIR)$(libdir)/$$fn; \ + cp $$l "$(DESTDIR)$(libdir)/$$fn.new"; \ + $(RANLIB) "$(DESTDIR)$(libdir)/$$fn.new"; \ + chmod 644 "$(DESTDIR)$(libdir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(libdir)/$$fn.new" \ + "$(DESTDIR)$(libdir)/$$fn"; \ done @ : {- output_off() if $disabled{shared}; "" -} @set -e; for s in $(INSTALL_SHLIB_INFO); do \ @@ -629,61 +629,61 @@ install_dev: install_runtime_libs : {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \ if [ "$$fn1" != "$$fn2" ]; then \ $(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \ - ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \ + ln -sf $$fn1 "$(DESTDIR)$(libdir)/$$fn2"; \ fi; \ : {- output_off() unless windowsdll() or sharedaix(); output_on() if windowsdll(); "" -}; \ $(ECHO) "install $$s2 -> $(DESTDIR)$(libdir)/$$fn2"; \ - cp $$s2 $(DESTDIR)$(libdir)/$$fn2.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn2.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn2.new \ - $(DESTDIR)$(libdir)/$$fn2; \ + cp $$s2 "$(DESTDIR)$(libdir)/$$fn2.new"; \ + chmod 755 "$(DESTDIR)$(libdir)/$$fn2.new"; \ + mv -f "$(DESTDIR)$(libdir)/$$fn2.new" \ + "$(DESTDIR)$(libdir)/$$fn2"; \ : {- output_off() if windowsdll(); output_on() if sharedaix(); "" -}; \ - a=$(DESTDIR)$(libdir)/$$fn2; \ + a="$(DESTDIR)$(libdir)/$$fn2"; \ $(ECHO) "install $$s1 -> $$a"; \ - if [ -f $$a ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \ + if [ -f "$$a" ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \ mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \ - cp -f $$a $$a.new; \ - for so in `$(AR) t $$a`; do \ - $(AR) x $$a $$so; \ - chmod u+w $$so; \ - strip -X32_64 -e $$so; \ - $(AR) r $$a.new $$so; \ + cp -f "$$a" "$$a.new"; \ + for so in `$(AR) t "$$a"`; do \ + $(AR) x "$$a" "$$so"; \ + chmod u+w "$$so"; \ + strip -X32_64 -e "$$so"; \ + $(AR) r "$$a.new" "$$so"; \ done; \ )); fi; \ - $(AR) r $$a.new $$s1; \ - mv -f $$a.new $$a; \ + $(AR) r "$$a.new" "$$s1"; \ + mv -f "$$a.new" "$$a"; \ : {- output_off() if sharedaix(); output_on(); "" -}; \ done @ : {- output_on() if $disabled{shared}; "" -} - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)/pkgconfig + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)/pkgconfig" @$(ECHO) "install libcrypto.pc -> $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc" - @cp libcrypto.pc $(DESTDIR)$(libdir)/pkgconfig - @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc + @cp libcrypto.pc "$(DESTDIR)$(libdir)/pkgconfig" + @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc" @$(ECHO) "install libssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/libssl.pc" - @cp libssl.pc $(DESTDIR)$(libdir)/pkgconfig - @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libssl.pc + @cp libssl.pc "$(DESTDIR)$(libdir)/pkgconfig" + @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc" @$(ECHO) "install openssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/openssl.pc" - @cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig - @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc + @cp openssl.pc "$(DESTDIR)$(libdir)/pkgconfig" + @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc" uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" - @$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c + @$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ - $(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \ + $(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include + -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include/openssl" + -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include" @set -e; for l in $(INSTALL_LIBS); do \ fn=`basename $$l`; \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn"; \ done @ : {- output_off() if $disabled{shared}; "" -} @set -e; for s in $(INSTALL_SHLIB_INFO); do \ @@ -693,35 +693,35 @@ uninstall_dev: uninstall_runtime_libs fn2=`basename $$s2`; \ : {- output_off() if windowsdll(); "" -}; \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn2; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn2"; \ if [ "$$fn1" != "$$fn2" -a -f "$(DESTDIR)$(libdir)/$$fn1" ]; then \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn1; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn1"; \ fi; \ : {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \ $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn2; \ + $(RM) "$(DESTDIR)$(libdir)/$$fn2"; \ : {- output_on() unless windowsdll(); "" -}; \ done @ : {- output_on() if $disabled{shared}; "" -} - $(RM) $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc - $(RM) $(DESTDIR)$(libdir)/pkgconfig/libssl.pc - $(RM) $(DESTDIR)$(libdir)/pkgconfig/openssl.pc - -$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig - -$(RMDIR) $(DESTDIR)$(libdir) + $(RM) "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc" + $(RM) "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc" + $(RM) "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc" + -$(RMDIR) "$(DESTDIR)$(libdir)/pkgconfig" + -$(RMDIR) "$(DESTDIR)$(libdir)" install_engines: install_runtime_libs build_engines @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/ + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)/" @$(ECHO) "*** Installing engines" @set -e; for e in dummy $(INSTALL_ENGINES); do \ if [ "$$e" = "dummy" ]; then continue; fi; \ fn=`basename $$e`; \ $(ECHO) "install $$e -> $(DESTDIR)$(ENGINESDIR)/$$fn"; \ - cp $$e $(DESTDIR)$(ENGINESDIR)/$$fn.new; \ - chmod 755 $(DESTDIR)$(ENGINESDIR)/$$fn.new; \ - mv -f $(DESTDIR)$(ENGINESDIR)/$$fn.new \ - $(DESTDIR)$(ENGINESDIR)/$$fn; \ + cp $$e "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \ + mv -f "$(DESTDIR)$(ENGINESDIR)/$$fn.new" \ + "$(DESTDIR)$(ENGINESDIR)/$$fn"; \ done uninstall_engines: @@ -733,18 +733,18 @@ uninstall_engines: continue; \ fi; \ $(ECHO) "$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn"; \ - $(RM) $(DESTDIR)$(ENGINESDIR)/$$fn; \ + $(RM) "$(DESTDIR)$(ENGINESDIR)/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(ENGINESDIR) + -$(RMDIR) "$(DESTDIR)$(ENGINESDIR)" install_runtime: install_programs install_runtime_libs: build_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @ : {- output_off() if windowsdll(); "" -} - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)" @ : {- output_on() if windowsdll(); output_off() unless windowsdll(); "" -} - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin" @ : {- output_on() unless windowsdll(); "" -} @$(ECHO) "*** Installing runtime libraries" @set -e; for s in dummy $(INSTALL_SHLIBS); do \ @@ -752,40 +752,40 @@ install_runtime_libs: build_libs fn=`basename $$s`; \ : {- output_off() unless windowsdll(); "" -}; \ $(ECHO) "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ - cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \ - chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \ - mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \ - $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ + cp $$s "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \ + mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \ + "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ : {- output_on() unless windowsdll(); "" -}{- output_off() if windowsdll(); "" -}; \ $(ECHO) "install $$s -> $(DESTDIR)$(libdir)/$$fn"; \ - cp $$s $(DESTDIR)$(libdir)/$$fn.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn.new \ - $(DESTDIR)$(libdir)/$$fn; \ + cp $$s "$(DESTDIR)$(libdir)/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(libdir)/$$fn.new"; \ + mv -f "$(DESTDIR)$(libdir)/$$fn.new" \ + "$(DESTDIR)$(libdir)/$$fn"; \ : {- output_on() if windowsdll(); "" -}; \ done install_programs: install_runtime_libs build_programs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin" @$(ECHO) "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ - cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \ - chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \ - mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \ - $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ + cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \ + mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \ + "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ done @set -e; for x in dummy $(BIN_SCRIPTS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ - cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \ - chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \ - mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \ - $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ + cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \ + chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \ + mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \ + "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ done uninstall_runtime: uninstall_programs uninstall_runtime_libs @@ -797,16 +797,16 @@ uninstall_programs: if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ - $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ + $(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ done; @set -e; for x in dummy $(BIN_SCRIPTS); \ do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ - $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ + $(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ done - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin + -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/bin" uninstall_runtime_libs: @$(ECHO) "*** Uninstalling runtime libraries" @@ -815,7 +815,7 @@ uninstall_runtime_libs: if [ "$$s" = "dummy" ]; then continue; fi; \ fn=`basename $$s`; \ $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ - $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ + $(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ done @ : {- output_on() unless windowsdll(); "" -} @@ -824,24 +824,24 @@ install_man_docs: @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing manpages" $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) + "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX) uninstall_man_docs: @$(ECHO) "*** Uninstalling manpages" $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) \ + "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX) \ --remove install_html_docs: @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing HTML manpages" $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(HTMLDIR) --type=html + "--destdir=$(DESTDIR)$(HTMLDIR)" --type=html uninstall_html_docs: @$(ECHO) "*** Uninstalling manpages" $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(HTMLDIR) --type=html --remove + "--destdir=$(DESTDIR)$(HTMLDIR)" --type=html --remove # Developer targets (note: these are only available on Unix) ######### diff --git a/deps/openssl/openssl/NEWS b/deps/openssl/openssl/NEWS index eba6c3b6d93fc2..85470793b20996 100644 --- a/deps/openssl/openssl/NEWS +++ b/deps/openssl/openssl/NEWS @@ -5,10 +5,16 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020] + + o Revert the unexpected EOF reporting via SSL_ERROR_SSL + Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] o Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) + o Properly detect unexpected EOF while reading in libssl and report + it via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] diff --git a/deps/openssl/openssl/README b/deps/openssl/openssl/README index 8e9ce75a335d74..d7d44aa3a01b13 100644 --- a/deps/openssl/openssl/README +++ b/deps/openssl/openssl/README @@ -1,7 +1,7 @@ - OpenSSL 1.1.1e 17 Mar 2020 + OpenSSL 1.1.1f 31 Mar 2020 - Copyright (c) 1998-2019 The OpenSSL Project + Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/deps/openssl/openssl/apps/rehash.c b/deps/openssl/openssl/apps/rehash.c index 2b769fbceb87ef..fc1dffe974976d 100644 --- a/deps/openssl/openssl/apps/rehash.c +++ b/deps/openssl/openssl/apps/rehash.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2013-2014 Timo Teräs * * Licensed under the OpenSSL license (the "License"). You may not use @@ -274,11 +274,19 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) if (x->x509 != NULL) { type = TYPE_CERT; name = X509_get_subject_name(x->x509); - X509_digest(x->x509, evpmd, digest, NULL); + if (!X509_digest(x->x509, evpmd, digest, NULL)) { + BIO_printf(bio_err, "out of memory\n"); + ++errs; + goto end; + } } else if (x->crl != NULL) { type = TYPE_CRL; name = X509_CRL_get_issuer(x->crl); - X509_CRL_digest(x->crl, evpmd, digest, NULL); + if (!X509_CRL_digest(x->crl, evpmd, digest, NULL)) { + BIO_printf(bio_err, "out of memory\n"); + ++errs; + goto end; + } } else { ++errs; goto end; diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index 2248a432e26814..0ba75999fd286e 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1904,7 +1904,7 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); if (sdebug) - ssl_ctx_security_debug(ctx, sdebug); + ssl_ctx_security_debug(ctx2, sdebug); if (session_id_prefix) { if (strlen(session_id_prefix) >= 32) diff --git a/deps/openssl/openssl/crypto/bn/bn_local.h b/deps/openssl/openssl/crypto/bn/bn_local.h index 37228104c640f4..8ad69ccd3639ed 100644 --- a/deps/openssl/openssl/crypto/bn/bn_local.h +++ b/deps/openssl/openssl/crypto/bn/bn_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -654,9 +654,6 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, int *noinv); -int bn_probable_prime_dh(BIGNUM *rnd, int bits, - const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); - static ossl_inline BIGNUM *bn_expand(BIGNUM *a, int bits) { if (bits > (INT_MAX - BN_BITS2 + 1)) diff --git a/deps/openssl/openssl/crypto/bn/bn_prime.c b/deps/openssl/openssl/crypto/bn/bn_prime.c index 6d74da26d3c702..d0cf3779fa50d8 100644 --- a/deps/openssl/openssl/crypto/bn/bn_prime.c +++ b/deps/openssl/openssl/crypto/bn/bn_prime.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,10 +22,12 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont); -static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods); -static int probable_prime_dh_safe(BIGNUM *rnd, int bits, - const BIGNUM *add, const BIGNUM *rem, - BN_CTX *ctx); +static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods); +static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods, + const BIGNUM *add, const BIGNUM *rem, + BN_CTX *ctx); + +#define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x)) int BN_GENCB_call(BN_GENCB *cb, int a, int b) { @@ -87,16 +89,11 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, loop: /* make a random number and set the top and bottom bits */ if (add == NULL) { - if (!probable_prime(ret, bits, mods)) + if (!probable_prime(ret, bits, safe, mods)) goto err; } else { - if (safe) { - if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) - goto err; - } else { - if (!bn_probable_prime_dh(ret, bits, add, rem, ctx)) - goto err; - } + if (!probable_prime_dh(ret, bits, safe, mods, add, rem, ctx)) + goto err; } if (!BN_GENCB_call(cb, 0, c1++)) @@ -272,17 +269,18 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, return 1; } -static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) +static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods) { int i; BN_ULONG delta; BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1]; - char is_single_word = bits <= BN_BITS2; again: /* TODO: Not all primes are private */ if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) return 0; + if (safe && !BN_set_bit(rnd, 1)) + return 0; /* we now have a random number 'rnd' to test. */ for (i = 1; i < NUMPRIMES; i++) { BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); @@ -290,61 +288,25 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) return 0; mods[i] = (prime_t) mod; } - /* - * If bits is so small that it fits into a single word then we - * additionally don't want to exceed that many bits. - */ - if (is_single_word) { - BN_ULONG size_limit; - - if (bits == BN_BITS2) { - /* - * Shifting by this much has undefined behaviour so we do it a - * different way - */ - size_limit = ~((BN_ULONG)0) - BN_get_word(rnd); - } else { - size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1; - } - if (size_limit < maxdelta) - maxdelta = size_limit; - } delta = 0; loop: - if (is_single_word) { - BN_ULONG rnd_word = BN_get_word(rnd); - - /*- - * In the case that the candidate prime is a single word then - * we check that: - * 1) It's greater than primes[i] because we shouldn't reject - * 3 as being a prime number because it's a multiple of - * three. - * 2) That it's not a multiple of a known prime. We don't - * check that rnd-1 is also coprime to all the known - * primes because there aren't many small primes where - * that's true. + for (i = 1; i < NUMPRIMES; i++) { + /* + * check that rnd is a prime and also that + * gcd(rnd-1,primes) == 1 (except for 2) + * do the second check only if we are interested in safe primes + * in the case that the candidate prime is a single word then + * we check only the primes up to sqrt(rnd) */ - for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) { - if ((mods[i] + delta) % primes[i] == 0) { - delta += 2; - if (delta > maxdelta) - goto again; - goto loop; - } - } - } else { - for (i = 1; i < NUMPRIMES; i++) { - /* - * check that rnd is not a prime and also that gcd(rnd-1,primes) - * == 1 (except for 2) - */ - if (((mods[i] + delta) % primes[i]) <= 1) { - delta += 2; - if (delta > maxdelta) - goto again; - goto loop; - } + if (bits <= 31 && delta <= 0x7fffffff + && square(primes[i]) > BN_get_word(rnd) + delta) + break; + if (safe ? (mods[i] + delta) % primes[i] <= 1 + : (mods[i] + delta) % primes[i] == 0) { + delta += safe ? 4 : 2; + if (delta > maxdelta) + goto again; + goto loop; } } if (!BN_add_word(rnd, delta)) @@ -355,16 +317,23 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) return 1; } -int bn_probable_prime_dh(BIGNUM *rnd, int bits, - const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx) +static int probable_prime_dh(BIGNUM *rnd, int bits, int safe, prime_t *mods, + const BIGNUM *add, const BIGNUM *rem, + BN_CTX *ctx) { int i, ret = 0; BIGNUM *t1; + BN_ULONG delta; + BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1]; BN_CTX_start(ctx); if ((t1 = BN_CTX_get(ctx)) == NULL) goto err; + if (maxdelta > BN_MASK2 - BN_get_word(add)) + maxdelta = BN_MASK2 - BN_get_word(add); + + again: if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) goto err; @@ -375,98 +344,48 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits, if (!BN_sub(rnd, rnd, t1)) goto err; if (rem == NULL) { - if (!BN_add_word(rnd, 1)) + if (!BN_add_word(rnd, safe ? 3u : 1u)) goto err; } else { if (!BN_add(rnd, rnd, rem)) goto err; } - /* we now have a random number 'rand' to test. */ + if (BN_num_bits(rnd) < bits + || BN_get_word(rnd) < (safe ? 5u : 3u)) { + if (!BN_add(rnd, rnd, add)) + goto err; + } - loop: + /* we now have a random number 'rnd' to test. */ for (i = 1; i < NUMPRIMES; i++) { - /* check that rnd is a prime */ BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); if (mod == (BN_ULONG)-1) goto err; - if (mod <= 1) { - if (!BN_add(rnd, rnd, add)) - goto err; - goto loop; - } - } - ret = 1; - - err: - BN_CTX_end(ctx); - bn_check_top(rnd); - return ret; -} - -static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, - const BIGNUM *rem, BN_CTX *ctx) -{ - int i, ret = 0; - BIGNUM *t1, *qadd, *q; - - bits--; - BN_CTX_start(ctx); - t1 = BN_CTX_get(ctx); - q = BN_CTX_get(ctx); - qadd = BN_CTX_get(ctx); - if (qadd == NULL) - goto err; - - if (!BN_rshift1(qadd, padd)) - goto err; - - if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) - goto err; - - /* we need ((rnd-rem) % add) == 0 */ - if (!BN_mod(t1, q, qadd, ctx)) - goto err; - if (!BN_sub(q, q, t1)) - goto err; - if (rem == NULL) { - if (!BN_add_word(q, 1)) - goto err; - } else { - if (!BN_rshift1(t1, rem)) - goto err; - if (!BN_add(q, q, t1)) - goto err; + mods[i] = (prime_t) mod; } - - /* we now have a random number 'rand' to test. */ - if (!BN_lshift1(p, q)) - goto err; - if (!BN_add_word(p, 1)) - goto err; - + delta = 0; loop: for (i = 1; i < NUMPRIMES; i++) { - /* check that p and q are prime */ - /* - * check that for p and q gcd(p-1,primes) == 1 (except for 2) - */ - BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]); - BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]); - if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) - goto err; - if (pmod == 0 || qmod == 0) { - if (!BN_add(p, p, padd)) - goto err; - if (!BN_add(q, q, qadd)) - goto err; + /* check that rnd is a prime */ + if (bits <= 31 && delta <= 0x7fffffff + && square(primes[i]) > BN_get_word(rnd) + delta) + break; + /* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */ + if (safe ? (mods[i] + delta) % primes[i] <= 1 + : (mods[i] + delta) % primes[i] == 0) { + delta += BN_get_word(add); + if (delta > maxdelta) + goto again; goto loop; } } + if (!BN_add_word(rnd, delta)) + goto err; ret = 1; err: BN_CTX_end(ctx); - bn_check_top(p); + bn_check_top(rnd); return ret; } diff --git a/deps/openssl/openssl/crypto/conf/conf_lib.c b/deps/openssl/openssl/crypto/conf/conf_lib.c index 0b7dd26d63b0a0..add1dfa1c18132 100644 --- a/deps/openssl/openssl/crypto/conf/conf_lib.c +++ b/deps/openssl/openssl/crypto/conf/conf_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void) { OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret)); - if (ret != NULL) - memset(ret, 0, sizeof(*ret)); + if (ret == NULL) + return NULL; + + memset(ret, 0, sizeof(*ret)); ret->flags = DEFAULT_CONF_MFLAGS; return ret; diff --git a/deps/openssl/openssl/crypto/err/openssl.txt b/deps/openssl/openssl/crypto/err/openssl.txt index f5324c6819d8e2..35512f9caf96b0 100644 --- a/deps/openssl/openssl/crypto/err/openssl.txt +++ b/deps/openssl/openssl/crypto/err/openssl.txt @@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data -SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading SSL_R_UNEXPECTED_MESSAGE:244:unexpected message SSL_R_UNEXPECTED_RECORD:245:unexpected record SSL_R_UNINITIALIZED:276:uninitialized diff --git a/deps/openssl/openssl/crypto/ex_data.c b/deps/openssl/openssl/crypto/ex_data.c index 22f3b70edf14e3..0f5a9295056abe 100644 --- a/deps/openssl/openssl/crypto/ex_data.c +++ b/deps/openssl/openssl/crypto/ex_data.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -235,7 +235,7 @@ int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad) return 0; } for (i = 0; i < mx; i++) { - if (storage[i] && storage[i]->new_func) { + if (storage[i] != NULL && storage[i]->new_func != NULL) { ptr = CRYPTO_get_ex_data(ad, i); storage[i]->new_func(obj, ptr, ad, i, storage[i]->argl, storage[i]->argp); @@ -299,7 +299,7 @@ int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to, for (i = 0; i < mx; i++) { ptr = CRYPTO_get_ex_data(from, i); - if (storage[i] && storage[i]->dup_func) + if (storage[i] != NULL && storage[i]->dup_func != NULL) if (!storage[i]->dup_func(to, from, &ptr, i, storage[i]->argl, storage[i]->argp)) goto err; diff --git a/deps/openssl/openssl/crypto/pkcs12/p12_crt.c b/deps/openssl/openssl/crypto/pkcs12/p12_crt.c index d43dc3b30cf3a6..bfcae3f697e950 100644 --- a/deps/openssl/openssl/crypto/pkcs12/p12_crt.c +++ b/deps/openssl/openssl/crypto/pkcs12/p12_crt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -62,7 +62,8 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * if (pkey && cert) { if (!X509_check_private_key(cert, pkey)) return NULL; - X509_digest(cert, EVP_sha1(), keyid, &keyidlen); + if (!X509_digest(cert, EVP_sha1(), keyid, &keyidlen)) + return NULL; } if (cert) { diff --git a/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c b/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c index a584ae5f5edde0..041a187da68c6a 100644 --- a/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c +++ b/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -771,7 +771,8 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed) X509_check_purpose(cert, -1, 0); if ((cid = ESS_CERT_ID_new()) == NULL) goto err; - X509_digest(cert, EVP_sha1(), cert_sha1, NULL); + if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) + goto err; if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH)) goto err; diff --git a/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c b/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c index 086021247c01ca..c2e7abd67f5096 100644 --- a/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c +++ b/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -289,11 +289,12 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) if (!cert_ids || !cert) return -1; - X509_digest(cert, EVP_sha1(), cert_sha1, NULL); - /* Recompute SHA1 hash of certificate if necessary (side effect). */ X509_check_purpose(cert, -1, 0); + if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) + return -1; + /* Look for cert in the cert_ids vector. */ for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) { ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); @@ -326,7 +327,8 @@ static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert) else md = EVP_sha256(); - X509_digest(cert, md, cert_digest, &len); + if (!X509_digest(cert, md, cert_digest, &len)) + return -1; if (cid->hash->length != (int)len) return -1; diff --git a/deps/openssl/openssl/crypto/x509/x509_cmp.c b/deps/openssl/openssl/crypto/x509/x509_cmp.c index e06489c3347b94..d1600e1e8ddab4 100644 --- a/deps/openssl/openssl/crypto/x509/x509_cmp.c +++ b/deps/openssl/openssl/crypto/x509/x509_cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -134,9 +134,12 @@ unsigned long X509_subject_name_hash_old(X509 *x) int X509_cmp(const X509 *a, const X509 *b) { int rv; + /* ensure hash is valid */ - X509_check_purpose((X509 *)a, -1, 0); - X509_check_purpose((X509 *)b, -1, 0); + if (X509_check_purpose((X509 *)a, -1, 0) != 1) + return -2; + if (X509_check_purpose((X509 *)b, -1, 0) != 1) + return -2; rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); if (rv) diff --git a/deps/openssl/openssl/crypto/x509/x509_trs.c b/deps/openssl/openssl/crypto/x509/x509_trs.c index 9e199d63e46a31..a10d437735b8df 100644 --- a/deps/openssl/openssl/crypto/x509/x509_trs.c +++ b/deps/openssl/openssl/crypto/x509/x509_trs.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -240,8 +240,9 @@ static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) static int trust_compat(X509_TRUST *trust, X509 *x, int flags) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, 0); - if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS) + if (X509_check_purpose(x, -1, 0) != 1) + return X509_TRUST_UNTRUSTED; + if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && (x->ex_flags & EXFLAG_SS)) return X509_TRUST_TRUSTED; else return X509_TRUST_UNTRUSTED; diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c index 361954c62ee785..f28f2d2610f6db 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.c +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -107,12 +107,8 @@ static int null_callback(int ok, X509_STORE_CTX *e) /* Return 1 is a certificate is self signed */ static int cert_self_signed(X509 *x) { - /* - * FIXME: x509v3_cache_extensions() needs to detect more failures and not - * set EXFLAG_SET when that happens. Especially, if the failures are - * parse errors, rather than memory pressure! - */ - X509_check_purpose(x, -1, 0); + if (X509_check_purpose(x, -1, 0) != 1) + return 0; if (x->ex_flags & EXFLAG_SS) return 1; else diff --git a/deps/openssl/openssl/crypto/x509/x_all.c b/deps/openssl/openssl/crypto/x509/x_all.c index 6cccfa99d1a62e..aa5ccba448997d 100644 --- a/deps/openssl/openssl/crypto/x509/x_all.c +++ b/deps/openssl/openssl/crypto/x509/x_all.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -362,7 +362,8 @@ int X509_pubkey_digest(const X509 *data, const EVP_MD *type, int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0) { + if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0 + && (data->ex_flags & EXFLAG_INVALID) == 0) { /* Asking for SHA1 and we already computed it. */ if (len != NULL) *len = sizeof(data->sha1_hash); @@ -376,7 +377,8 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) { + if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0 + && (data->flags & EXFLAG_INVALID) == 0) { /* Asking for SHA1; always computed in CRL d2i. */ if (len != NULL) *len = sizeof(data->sha1_hash); diff --git a/deps/openssl/openssl/crypto/x509/x_crl.c b/deps/openssl/openssl/crypto/x509/x_crl.c index e864126fef3726..c9762f9e2394af 100644 --- a/deps/openssl/openssl/crypto/x509/x_crl.c +++ b/deps/openssl/openssl/crypto/x509/x_crl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,7 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a, const X509_REVOKED *const *b); -static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp); +static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp); ASN1_SEQUENCE(X509_REVOKED) = { ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER), @@ -155,7 +155,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, X509_CRL *crl = (X509_CRL *)*pval; STACK_OF(X509_EXTENSION) *exts; X509_EXTENSION *ext; - int idx; + int idx, i; switch (operation) { case ASN1_OP_D2I_PRE: @@ -184,23 +184,35 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; case ASN1_OP_D2I_POST: - X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); + if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) + crl->flags |= EXFLAG_INVALID; crl->idp = X509_CRL_get_ext_d2i(crl, - NID_issuing_distribution_point, NULL, + NID_issuing_distribution_point, &i, NULL); - if (crl->idp) - setup_idp(crl, crl->idp); + if (crl->idp != NULL) { + if (!setup_idp(crl, crl->idp)) + crl->flags |= EXFLAG_INVALID; + } + else if (i != -1) { + crl->flags |= EXFLAG_INVALID; + } crl->akid = X509_CRL_get_ext_d2i(crl, - NID_authority_key_identifier, NULL, + NID_authority_key_identifier, &i, NULL); + if (crl->akid == NULL && i != -1) + crl->flags |= EXFLAG_INVALID; crl->crl_number = X509_CRL_get_ext_d2i(crl, - NID_crl_number, NULL, NULL); + NID_crl_number, &i, NULL); + if (crl->crl_number == NULL && i != -1) + crl->flags |= EXFLAG_INVALID; crl->base_crl_number = X509_CRL_get_ext_d2i(crl, - NID_delta_crl, NULL, + NID_delta_crl, &i, NULL); + if (crl->base_crl_number == NULL && i != -1) + crl->flags |= EXFLAG_INVALID; /* Delta CRLs must have CRL number */ if (crl->base_crl_number && !crl->crl_number) crl->flags |= EXFLAG_INVALID; @@ -259,9 +271,10 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, /* Convert IDP into a more convenient form */ -static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) +static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { int idp_only = 0; + /* Set various flags according to IDP */ crl->idp_flags |= IDP_PRESENT; if (idp->onlyuser > 0) { @@ -292,7 +305,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) crl->idp_reasons &= CRLDP_ALL_REASONS; } - DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); + return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); } ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = { diff --git a/deps/openssl/openssl/crypto/x509v3/v3_purp.c b/deps/openssl/openssl/crypto/x509v3/v3_purp.c index 3f60c2ea1da336..2bc8253d2dab3a 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_purp.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_purp.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -81,6 +81,8 @@ int X509_check_purpose(X509 *x, int id, int ca) const X509_PURPOSE *pt; x509v3_cache_extensions(x); + if (x->ex_flags & EXFLAG_INVALID) + return -1; /* Return if side-effect only call */ if (id == -1) @@ -300,10 +302,11 @@ int X509_supported_extension(X509_EXTENSION *ex) return 0; } -static void setup_dp(X509 *x, DIST_POINT *dp) +static int setup_dp(X509 *x, DIST_POINT *dp) { X509_NAME *iname = NULL; int i; + if (dp->reasons) { if (dp->reasons->length > 0) dp->dp_reasons = dp->reasons->data[0]; @@ -313,7 +316,7 @@ static void setup_dp(X509 *x, DIST_POINT *dp) } else dp->dp_reasons = CRLDP_ALL_REASONS; if (!dp->distpoint || (dp->distpoint->type != 1)) - return; + return 1; for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); if (gen->type == GEN_DIRNAME) { @@ -324,16 +327,21 @@ static void setup_dp(X509 *x, DIST_POINT *dp) if (!iname) iname = X509_get_issuer_name(x); - DIST_POINT_set_dpname(dp->distpoint, iname); - + return DIST_POINT_set_dpname(dp->distpoint, iname); } -static void setup_crldp(X509 *x) +static int setup_crldp(X509 *x) { int i; - x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) - setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); + + x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL); + if (x->crldp == NULL && i != -1) + return 0; + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { + if (!setup_dp(x, sk_DIST_POINT_value(x->crldp, i))) + return 0; + } + return 1; } #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) @@ -366,12 +374,13 @@ static void x509v3_cache_extensions(X509 *x) return; } - X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); + if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) + x->ex_flags |= EXFLAG_INVALID; /* V1 should mean no extensions ... */ if (!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ - if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { + if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { if (bs->ca) x->ex_flags |= EXFLAG_CA; if (bs->pathlen) { @@ -385,9 +394,11 @@ static void x509v3_cache_extensions(X509 *x) x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } /* Handle proxy certificates */ - if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { if (x->ex_flags & EXFLAG_CA || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { @@ -399,9 +410,11 @@ static void x509v3_cache_extensions(X509 *x) x->ex_pcpathlen = -1; PROXY_CERT_INFO_EXTENSION_free(pci); x->ex_flags |= EXFLAG_PROXY; + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } /* Handle key usage */ - if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { + if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { if (usage->length > 0) { x->ex_kusage = usage->data[0]; if (usage->length > 1) @@ -410,9 +423,11 @@ static void x509v3_cache_extensions(X509 *x) x->ex_kusage = 0; x->ex_flags |= EXFLAG_KUSAGE; ASN1_BIT_STRING_free(usage); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } x->ex_xkusage = 0; - if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { + if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) { x->ex_flags |= EXFLAG_XKUSAGE; for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { @@ -455,18 +470,26 @@ static void x509v3_cache_extensions(X509 *x) } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } - if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { + if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) { if (ns->length > 0) x->ex_nscert = ns->data[0]; else x->ex_nscert = 0; x->ex_flags |= EXFLAG_NSCERT; ASN1_BIT_STRING_free(ns); + } else if (i != -1) { + x->ex_flags |= EXFLAG_INVALID; } - x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); - x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL); + if (x->skid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; + x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL); + if (x->akid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; /* Does subject name match issuer ? */ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { x->ex_flags |= EXFLAG_SI; @@ -475,16 +498,22 @@ static void x509v3_cache_extensions(X509 *x) !ku_reject(x, KU_KEY_CERT_SIGN)) x->ex_flags |= EXFLAG_SS; } - x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); + if (x->altname == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); - if (!x->nc && (i != -1)) + if (x->nc == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; + if (!setup_crldp(x)) x->ex_flags |= EXFLAG_INVALID; - setup_crldp(x); #ifndef OPENSSL_NO_RFC3779 - x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); - x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, - NULL, NULL); + x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL); + if (x->rfc3779_addr == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; + x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL); + if (x->rfc3779_asid == NULL && i != -1) + x->ex_flags |= EXFLAG_INVALID; #endif for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); @@ -777,7 +806,11 @@ int X509_check_issued(X509 *issuer, X509 *subject) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); + if (issuer->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; x509v3_cache_extensions(subject); + if (subject->ex_flags & EXFLAG_INVALID) + return X509_V_ERR_UNSPECIFIED; if (subject->akid) { int ret = X509_check_akid(issuer, subject->akid); @@ -842,7 +875,8 @@ uint32_t X509_get_extension_flags(X509 *x) uint32_t X509_get_key_usage(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + if (X509_check_purpose(x, -1, -1) != 1) + return 0; if (x->ex_flags & EXFLAG_KUSAGE) return x->ex_kusage; return UINT32_MAX; @@ -851,7 +885,8 @@ uint32_t X509_get_key_usage(X509 *x) uint32_t X509_get_extended_key_usage(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + if (X509_check_purpose(x, -1, -1) != 1) + return 0; if (x->ex_flags & EXFLAG_XKUSAGE) return x->ex_xkusage; return UINT32_MAX; @@ -860,28 +895,32 @@ uint32_t X509_get_extended_key_usage(X509 *x) const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + if (X509_check_purpose(x, -1, -1) != 1) + return NULL; return x->skid; } const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + if (X509_check_purpose(x, -1, -1) != 1) + return NULL; return (x->akid != NULL ? x->akid->keyid : NULL); } const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + if (X509_check_purpose(x, -1, -1) != 1) + return NULL; return (x->akid != NULL ? x->akid->issuer : NULL); } const ASN1_INTEGER *X509_get0_authority_serial(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(x, -1, -1); + if (X509_check_purpose(x, -1, -1) != 1) + return NULL; return (x->akid != NULL ? x->akid->serial : NULL); } diff --git a/deps/openssl/openssl/doc/man3/BN_generate_prime.pod b/deps/openssl/openssl/doc/man3/BN_generate_prime.pod index 31fbc1ffa1743f..f1e63f3b3c4aa9 100644 --- a/deps/openssl/openssl/doc/man3/BN_generate_prime.pod +++ b/deps/openssl/openssl/doc/man3/BN_generate_prime.pod @@ -52,7 +52,9 @@ Deprecated: BN_generate_prime_ex() generates a pseudo-random prime number of at least bit length B. The returned number is probably prime -with a negligible error. +with a negligible error. If B is B the returned prime +number will have exact bit length B with the top most two +bits set. If B is not B, it will be used to store the number. @@ -89,7 +91,9 @@ If B is not B, the prime will fulfill the condition p % B generator. If B is true, it will be a safe prime (i.e. a prime p so -that (p-1)/2 is also prime). +that (p-1)/2 is also prime). If B is true, and B == B +the condition will be p % B == 3. +It is recommended that B is a multiple of 4. The random generator must be seeded prior to calling BN_generate_prime_ex(). If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to @@ -206,7 +210,7 @@ and BN_GENCB_get_arg() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_get_error.pod b/deps/openssl/openssl/doc/man3/SSL_get_error.pod index 97320a6c153f6f..5221ccfe18049a 100644 --- a/deps/openssl/openssl/doc/man3/SSL_get_error.pod +++ b/deps/openssl/openssl/doc/man3/SSL_get_error.pod @@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called. =back +=head1 BUGS + +The B with B value of 0 indicates unexpected EOF from +the peer. This will be properly reported as B with reason +code B in the OpenSSL 3.0 release because +it is truly a TLS protocol error to terminate the connection without +a SSL_shutdown(). + +The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications +which choose to ignore this protocol error depend on the existing way of +reporting the error. + =head1 SEE ALSO L @@ -166,7 +178,7 @@ The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod b/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod index 2dfe2ef3727582..43c9c952c6b770 100644 --- a/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod +++ b/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod @@ -80,6 +80,17 @@ The certificate contains an unhandled critical extension. Some certificate extension values are invalid or inconsistent. The certificate should be rejected. +This bit may also be raised after an out-of-memory error while +processing the X509 object, so it may not be related to the processed +ASN1 object itself. + +=item B + +The NID_certificate_policies certificate extension is invalid or +inconsistent. The certificate should be rejected. +This bit may also be raised after an out-of-memory error while +processing the X509 object, so it may not be related to the processed +ASN1 object itself. =item B @@ -183,7 +194,7 @@ X509_get_proxy_pathlen() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/include/crypto/bn_conf.h b/deps/openssl/openssl/include/crypto/bn_conf.h deleted file mode 100644 index 79400c6472a49c..00000000000000 --- a/deps/openssl/openssl/include/crypto/bn_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bn_conf.h" diff --git a/deps/openssl/openssl/include/crypto/dso_conf.h b/deps/openssl/openssl/include/crypto/dso_conf.h deleted file mode 100644 index e7f2afa9872320..00000000000000 --- a/deps/openssl/openssl/include/crypto/dso_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/dso_conf.h" diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h deleted file mode 100644 index 76c99d433ab886..00000000000000 --- a/deps/openssl/openssl/include/openssl/opensslconf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../config/opensslconf.h" diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h index dd8ef3df722f81..8c697f5f7acc85 100644 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ b/deps/openssl/openssl/include/openssl/opensslv.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010105fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1e 17 Mar 2020" +# define OPENSSL_VERSION_NUMBER 0x1010106fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f 31 Mar 2020" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/deps/openssl/openssl/include/openssl/sslerr.h b/deps/openssl/openssl/include/openssl/sslerr.h index 0ef684f3c13192..82983d3c1e99fd 100644 --- a/deps/openssl/openssl/include/openssl/sslerr.h +++ b/deps/openssl/openssl/include/openssl/sslerr.h @@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void); # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 -# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 # define SSL_R_UNEXPECTED_MESSAGE 244 # define SSL_R_UNEXPECTED_RECORD 245 # define SSL_R_UNINITIALIZED 276 diff --git a/deps/openssl/openssl/ssl/record/rec_layer_s3.c b/deps/openssl/openssl/ssl/record/rec_layer_s3.c index 1c885a664f35e3..b2a7a47eb07529 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_s3.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_s3.c @@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, ret = BIO_read(s->rbio, pkt + len + left, max - left); if (ret >= 0) bioread = ret; - if (ret <= 0 - && !BIO_should_retry(s->rbio) - && BIO_eof(s->rbio)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, - SSL_R_UNEXPECTED_EOF_WHILE_READING); - } } else { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET); diff --git a/deps/openssl/openssl/ssl/ssl_err.c b/deps/openssl/openssl/ssl/ssl_err.c index a0c7b79659d4d7..4b12ed1485d985 100644 --- a/deps/openssl/openssl/ssl/ssl_err.c +++ b/deps/openssl/openssl/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "unexpected ccs message"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), "unexpected end of early data"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), - "unexpected eof while reading"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},