diff --git a/deps/openssl/doc/UPGRADING.md b/deps/openssl/doc/UPGRADING.md index 81f129c4326cb0..54940425ac26ae 100644 --- a/deps/openssl/doc/UPGRADING.md +++ b/deps/openssl/doc/UPGRADING.md @@ -1,7 +1,7 @@ ## How to upgrade openssl library in io.js -This document describes the procedure to upgrade openssl from 1.0.1m -to 1.0.2a in io.js. +This document describes the procedure to upgrade openssl from 1.0.2a +to 1.0.2c in io.js. ### Build System and Upgrading Overview @@ -91,16 +91,16 @@ https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha5 otherwise asm_obsolete are used. The following is the detail instruction steps how to upgrade openssl -version from 1.0.1m to 1.0.2a in iojs. +version from 1.0.2a to 1.0.2c in iojs. ### 1. Replace openssl source in `deps/openssl/openssl` Remove old openssl sources in `deps/openssl/openssl` . Get original openssl sources from -https://www.openssl.org/source/openssl-1.0.2a.tar.gz and extract all +https://www.openssl.org/source/openssl-1.0.2c.tar.gz and extract all files into `deps/openssl/openssl` . ### 2. Apply private patches -There are three kinds of private patches to be applied in openssl-1.0.2a. +There are three kinds of private patches to be applied in openssl-1.0.2c. - The two fixes of assembly error on ia32 win32. masm is no longer supported in openssl. We should move to use nasm or yasm in future 
@@ -109,13 +109,8 @@ There are three kinds of private patches to be applied in openssl-1.0.2a. - The fix of openssl-cli built on win. Key press requirement of openssl-cli in win causes timeout failures of several tests. -- Backport patches for alt cert feature from openssl-1.1.x. Root certs - of 1024bit RSA key length were deprecated in io.js. When a tls - server has a cross root cert, io.js client leads CERT_UNTRUSTED - error because openssl does not find alternate cert chains. This fix - supports its feature but was made the current master which is - openssl-1.1.x. We backported them privately into openssl-1.0.2 on - iojs. +- A new `-no_rand_screen` option to openssl s_client. This makes test + time of test-tls-server-verify be much faster. ### 3. Replace openssl header files in `deps/openssl/openssl/include/openssl` all header files in `deps/openssl/openssl/include/openssl/*.h` are 
@@ -126,35 +121,10 @@ file such as #include "../../crypto/aes/aes.h" ```` ### 4. Change `opensslconf.h` so as to fit each platform. -The opensslconf.h in each target was created in advance by typing -`deps/openssl/openssl/Configure {target}` and copied -into `deps/openssl/conf/archs/{target}/opensslconf.h`. -`deps/openssl/conf/openssconf.h` includes each file according to its -target by checking pre-defined compiler macros. These can be generated -by using `deps/openssl/conf/Makefile` - -We should remove OPENSSL_CPUID_OBJ define in opensslconf.h because it -causes build error when --openss-no-asm option is specified. Instead, -the OPENSSL_CPUID_OBJ is defined in `deps/openssl/openssl.gypi` -according to the configure options. - -One fix of opensslconf.h is needed in 64-bit MacOS. -The current openssl release does not use RC4 asm since it explicitly -specified as `$asm=~s/rc4\-[^:]+//;` in -https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/Configure#L584 -But iojs has used RC4 asm on MacOS for long time. Fix type of RC4_INT -into `unsigned int` in opensslconf.h of darwin64-x86_64-cc to work on -the RC4 asm. +No change. ### 5. Update openssl.gyp and openssl.gypi -Sources, cflags and define parameters that depends on each target can -be obtained via `Configure TABLE`. Its list is put in the table of -[define and cflags changes in openssl-1.0.2a](openssl_define_list.pdf) - -There is no way to verify all necessary sources automatically. We can -only carefully look at the source list and compiled objects in -Makefile of openssl and compare the compiled objects that stored -stored under `out/Release/obj.target/openssl/deps/openssl/' in iojs. +No change. ### 6. ASM files for openssl We provide two sets of asm files. One is for the latest assembler 
@@ -163,7 +133,7 @@ and the other is the older one. ### 6.1. asm files for the latest compiler This was made in `deps/openssl/asm/Makefile` - Updated asm files for each platforms which are required in - openssl-1.0.2a. + openssl-1.0.2c. - Some perl files need CC and ASM envs. Added a check if these envs exist. Followed asm files are to be generated with CC=gcc and ASM=nasm on Linux. See diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES index 84e076411be153..4cbf61ddf6b4ef 100644 --- a/deps/openssl/openssl/CHANGES +++ b/deps/openssl/openssl/CHANGES @@ -2,6 +2,12 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + Changes between 1.0.2a and 1.0.2b [11 Jun 2015] *) Malformed ECParameters causes infinite loop diff --git a/deps/openssl/openssl/Makefile b/deps/openssl/openssl/Makefile index 271bef164349d6..56b43c600e0363 100644 --- a/deps/openssl/openssl/Makefile +++ b/deps/openssl/openssl/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2b +VERSION=1.0.2c MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 diff --git a/deps/openssl/openssl/Makefile.bak b/deps/openssl/openssl/Makefile.bak index 71c8d9fc6cd98a..8f9fd251aa3593 100644 --- a/deps/openssl/openssl/Makefile.bak +++ b/deps/openssl/openssl/Makefile.bak @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2b-dev +VERSION=1.0.2c-dev MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 diff --git a/deps/openssl/openssl/NEWS b/deps/openssl/openssl/NEWS index e6147935b28f89..f3574cf4c40060 100644 --- a/deps/openssl/openssl/NEWS +++ b/deps/openssl/openssl/NEWS 
@@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] + + o Fix HMAC ABI incompatibility + Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015] o Malformed ECParameters causes infinite loop (CVE-2015-1788) diff --git a/deps/openssl/openssl/README b/deps/openssl/openssl/README index 8de5c74d8ed46c..ae0443199c953a 100644 --- a/deps/openssl/openssl/README +++ b/deps/openssl/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2b 11 Jun 2015 + OpenSSL 1.0.2c 12 Jun 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/deps/openssl/openssl/crypto/hmac/hmac.c b/deps/openssl/openssl/crypto/hmac/hmac.c index 15a9a21299157d..51a0a3efcd672d 100644 --- a/deps/openssl/openssl/crypto/hmac/hmac.c +++ b/deps/openssl/openssl/crypto/hmac/hmac.c @@ -97,6 +97,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return FIPS_hmac_init_ex(ctx, key, len, md, NULL); } #endif + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) + return 0; if (md != NULL) { reset = 1; @@ -107,9 +110,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return 0; } - if (!ctx->key_init && key == NULL) - return 0; - if (key != NULL) { reset = 1; j = EVP_MD_block_size(md); @@ -131,7 +131,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (ctx->key_length != HMAC_MAX_MD_CBLOCK) memset(&ctx->key[ctx->key_length], 0, HMAC_MAX_MD_CBLOCK - ctx->key_length); - ctx->key_init = 1; } if (reset) { @@ -169,7 +168,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) if (FIPS_mode() && !ctx->i_ctx.engine) return FIPS_hmac_update(ctx, data, len); #endif - if (!ctx->key_init) + if (!ctx->md) return 0; return EVP_DigestUpdate(&ctx->md_ctx, data, len); 
@@ -184,7 +183,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) return FIPS_hmac_final(ctx, md, len); #endif - if (!ctx->key_init) + if (!ctx->md) goto err; if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) @@ -205,7 +204,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx) EVP_MD_CTX_init(&ctx->i_ctx); EVP_MD_CTX_init(&ctx->o_ctx); EVP_MD_CTX_init(&ctx->md_ctx); - ctx->key_init = 0; ctx->md = NULL; } @@ -217,11 +215,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) goto err; if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx)) goto err; - dctx->key_init = sctx->key_init; - if (sctx->key_init) { - memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); - dctx->key_length = sctx->key_length; - } + memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); + dctx->key_length = sctx->key_length; dctx->md = sctx->md; return 1; err: diff --git a/deps/openssl/openssl/crypto/hmac/hmac.h b/deps/openssl/openssl/crypto/hmac/hmac.h index f8e9f5e4f3c261..b8b55cda7d73d9 100644 --- a/deps/openssl/openssl/crypto/hmac/hmac.h +++ b/deps/openssl/openssl/crypto/hmac/hmac.h @@ -79,7 +79,6 @@ typedef struct hmac_ctx_st { EVP_MD_CTX o_ctx; unsigned int key_length; unsigned char key[HMAC_MAX_MD_CBLOCK]; - int key_init; } HMAC_CTX; # define HMAC_size(e) (EVP_MD_size((e)->md)) diff --git a/deps/openssl/openssl/crypto/hmac/hmactest.c b/deps/openssl/openssl/crypto/hmac/hmactest.c index 86b6c2529fe29c..271d0ebf264c27 100644 --- a/deps/openssl/openssl/crypto/hmac/hmactest.c +++ b/deps/openssl/openssl/crypto/hmac/hmactest.c @@ -233,7 +233,12 @@ int main(int argc, char *argv[]) err++; goto test6; } - if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + printf("Should disallow changing MD without a new key (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) { printf("Failed to reinitialise HMAC (test 5)\n"); err++; goto test6; 
diff --git a/deps/openssl/openssl/crypto/opensslv.h b/deps/openssl/openssl/crypto/opensslv.h index e6f991cfb82c73..7cc19dc510686f 100644 --- a/deps/openssl/openssl/crypto/opensslv.h +++ b/deps/openssl/openssl/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000202fL +# define OPENSSL_VERSION_NUMBER 0x1000203fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2b-fips 11 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2b 11 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/deps/openssl/openssl/openssl.spec b/deps/openssl/openssl/openssl.spec index 01f06171ccd337..e6c75843305470 100644 --- a/deps/openssl/openssl/openssl.spec +++ b/deps/openssl/openssl/openssl.spec @@ -6,7 +6,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2b +Version: 1.0.2c Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index d811d3fdb88f11..210a5e87430f26 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c @@ -2016,12 +2016,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, s->srtp_profile = NULL; - if (data >= (d + n - 2)) { - if (data != d + n) - goto err; - else - goto ri_check; - } + if (data == d + n) + goto ri_check; + + if (data > (d + n - 2)) + goto err; + n2s(data, len); if (data > (d + n - len))
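
Review bot: In deps/openssl/doc/UPGRADING.md the starting version now reads "from 1.0.2a to 1.0.2c" in both the introduction and the step list, but the vendored Makefile in this same patch goes from `VERSION=1.0.2b` to `VERSION=1.0.2c`, so the sources being replaced are 1.0.2b. Either write 1.0.2b as the starting version, or say explicitly that the document describes the delta from the last documented upgrade (1.0.2a) rather than from the tree as it stands.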
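
Review bot: In section 2 of UPGRADING.md the alt cert backport bullet is dropped with no word on what replaces it. The removed text explained that without the backport an io.js client returns CERT_UNTRUSTED against a server with a cross root cert; add one line saying whether 1.0.2c finds alternate chains on its own or whether that case is no longer handled, so the next upgrader knows not to look for the patch. The new bullet would also read better as "This makes test-tls-server-verify run much faster."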
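
Review bot: Replacing sections 4 and 5 of UPGRADING.md with "No change." deletes the only description of how the per-target opensslconf.h files are generated, why OPENSSL_CPUID_OBJ is removed from them, the RC4_INT change for darwin64-x86_64-cc, and how the gyp source list is checked against `Configure TABLE`. That text reads as standing procedure rather than notes specific to 1.0.2a, so a later upgrade that does touch these files will have nothing to follow. Keep the procedure and add a sentence such as "No change was needed for 1.0.2c" under each heading.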
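
Review bot: deps/openssl/openssl/Makefile.bak is a backup file, and its `VERSION=1.0.2c-dev` disagrees with `VERSION=1.0.2c` in the Makefile beside it. If nothing in the io.js build reads Makefile.bak, leave it out of the vendored tree; if it has to stay because it is part of the upstream tarball, say so in UPGRADING.md so that the mismatched version string is not taken for a partial upgrade.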
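
Review bot: The new guard at the top of HMAC_Init_ex in crypto/hmac/hmac.c rejects `len < 0` only when the digest is being changed. With `md == NULL` or `md == ctx->md`, a non-NULL key with a negative length is not stopped by `if (md != NULL && md != ctx->md && (key == NULL || len < 0))`. If a negative length is never valid, test `key != NULL && len < 0` as a separate condition. The comment should also say that the guard depends on `ctx->md` being NULL in a fresh context, which is what HMAC_CTX_init sets and what HMAC_Update and HMAC_Final now check in place of `key_init`.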
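
Review bot: The case added to test 5 in crypto/hmac/hmactest.c covers only the `key == NULL` half of the new HMAC_Init_ex guard; the `len < 0` half has no test. Add a call that passes `test[4].key` with a negative length and a new digest and expects a return of 0, placed before the re-initialisation that is expected to succeed.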
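
Review bot: The reworked bounds check in ssl_scan_clienthello_tlsext (ssl/t1_lib.c) changes which inputs are accepted and has no comment saying so. Previously `data == d + n - 2` took the `goto err` path; now only `data > (d + n - 2)` does, so a ClientHello with exactly two bytes remaining falls through to `n2s(data, len)` and is parsed instead of rejected. Add a comment listing the three cases (nothing left goes to ri_check, one byte left is an error, two or more bytes are read as the extensions length), and add a test for the newly accepted two-byte case if the change is intended.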