Upgrade to openssl-1.0.2c

deps/openssl/doc/UPGRADING.md

@@ -1,7 +1,7 @@
 ## How to upgrade openssl library in io.js
 
-This document describes the procedure to upgrade openssl from 1.0.1m
-to 1.0.2a in io.js.
+This document describes the procedure to upgrade openssl from 1.0.2a
+to 1.0.2c in io.js.
 
 
 ### Build System and Upgrading Overview
@@ -91,16 +91,16 @@ https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha5
 otherwise asm_obsolete are used.
 
 The following is the detail instruction steps how to upgrade openssl
-version from 1.0.1m to 1.0.2a in iojs.
+version from 1.0.2a to 1.0.2c in iojs.
 
 ### 1. Replace openssl source in `deps/openssl/openssl`
 Remove old openssl sources in `deps/openssl/openssl` .
 Get original openssl sources from
-https://www.openssl.org/source/openssl-1.0.2a.tar.gz and extract all
+https://www.openssl.org/source/openssl-1.0.2c.tar.gz and extract all
 files into `deps/openssl/openssl` .
 
 ### 2. Apply private patches
-There are three kinds of private patches to be applied in openssl-1.0.2a.
+There are three kinds of private patches to be applied in openssl-1.0.2c.
 
 - The two fixes of assembly error on ia32 win32. masm is no longer
  supported in openssl. We should move to use nasm or yasm in future
@@ -109,13 +109,8 @@ There are three kinds of private patches to be applied in openssl-1.0.2a.
 - The fix of openssl-cli built on win. Key press requirement of
  openssl-cli in win causes timeout failures of several tests.
 
-- Backport patches for alt cert feature from openssl-1.1.x. Root certs
- of 1024bit RSA key length were deprecated in io.js. When a tls
- server has a cross root cert, io.js client leads CERT_UNTRUSTED
- error because openssl does not find alternate cert chains. This fix
- supports its feature but was made the current master which is
- openssl-1.1.x. We backported them privately into openssl-1.0.2 on
- iojs.
+- A new `-no_rand_screen` option to openssl s_client. This makes test
+ time of test-tls-server-verify be much faster.
 
 ### 3. Replace openssl header files in `deps/openssl/openssl/include/openssl`
 all header files in `deps/openssl/openssl/include/openssl/*.h` are
@@ -126,35 +121,10 @@ file such as
 #include "../../crypto/aes/aes.h"
 ````
 ### 4. Change `opensslconf.h` so as to fit each platform.
-The opensslconf.h in each target was created in advance by typing
-`deps/openssl/openssl/Configure {target}` and copied
-into `deps/openssl/conf/archs/{target}/opensslconf.h`.
-`deps/openssl/conf/openssconf.h` includes each file according to its
-target by checking pre-defined compiler macros. These can be generated
-by using `deps/openssl/conf/Makefile`
-
-We should remove OPENSSL_CPUID_OBJ define in opensslconf.h because it
-causes build error when --openss-no-asm option is specified. Instead,
-the OPENSSL_CPUID_OBJ is defined in `deps/openssl/openssl.gypi`
-according to the configure options.
-
-One fix of opensslconf.h is needed in 64-bit MacOS.
-The current openssl release does not use RC4 asm since it explicitly
-specified as `$asm=~s/rc4\-[^:]+//;` in
-https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/Configure#L584
-But iojs has used RC4 asm on MacOS for long time. Fix type of RC4_INT
-into `unsigned int` in opensslconf.h of darwin64-x86_64-cc to work on
-the RC4 asm.
+No change.
 
 ### 5. Update openssl.gyp and openssl.gypi
-Sources, cflags and define parameters that depends on each target can
-be obtained via `Configure TABLE`. Its list is put in the table of
-[define and cflags changes in openssl-1.0.2a](openssl_define_list.pdf)
-
-There is no way to verify all necessary sources automatically. We can
-only carefully look at the source list and compiled objects in
-Makefile of openssl and compare the compiled objects that stored
-stored under `out/Release/obj.target/openssl/deps/openssl/' in iojs.
+No change.
 
 ### 6. ASM files for openssl
 We provide two sets of asm files. One is for the latest assembler
@@ -163,7 +133,7 @@ and the other is the older one.
 ### 6.1. asm files for the latest compiler
 This was made in `deps/openssl/asm/Makefile`
 - Updated asm files for each platforms which are required in
- openssl-1.0.2a.
+ openssl-1.0.2c.
 - Some perl files need CC and ASM envs. Added a check if these envs
  exist. Followed asm files are to be generated with CC=gcc and
  ASM=nasm on Linux. See

deps/openssl/openssl/CHANGES

@@ -2,6 +2,12 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
+
+ *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
+ incompatibility in the handling of HMAC. The previous ABI has now been
+ restored.
+
  Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
 
  *) Malformed ECParameters causes infinite loop

deps/openssl/openssl/Makefile

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2b
+VERSION=1.0.2c
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/Makefile.bak

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2b-dev
+VERSION=1.0.2c-dev
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/NEWS

@@ -5,6 +5,10 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
 
+ Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
+
+ o Fix HMAC ABI incompatibility
+
  Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
 
  o Malformed ECParameters causes infinite loop (CVE-2015-1788)

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2b 11 Jun 2015
+ OpenSSL 1.0.2c 12 Jun 2015
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

deps/openssl/openssl/crypto/hmac/hmac.c

@@ -97,6 +97,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
  return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
  }
 #endif
+ /* If we are changing MD then we must have a key */
+ if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+ return 0;
 
  if (md != NULL) {
  reset = 1;
@@ -107,9 +110,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
  return 0;
  }
 
- if (!ctx->key_init && key == NULL)
- return 0;
-
  if (key != NULL) {
  reset = 1;
  j = EVP_MD_block_size(md);
@@ -131,7 +131,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
  if (ctx->key_length != HMAC_MAX_MD_CBLOCK)
  memset(&ctx->key[ctx->key_length], 0,
  HMAC_MAX_MD_CBLOCK - ctx->key_length);
- ctx->key_init = 1;
  }
 
  if (reset) {
@@ -169,7 +168,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
  if (FIPS_mode() && !ctx->i_ctx.engine)
  return FIPS_hmac_update(ctx, data, len);
 #endif
- if (!ctx->key_init)
+ if (!ctx->md)
  return 0;
 
  return EVP_DigestUpdate(&ctx->md_ctx, data, len);
@@ -184,7 +183,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
  return FIPS_hmac_final(ctx, md, len);
 #endif
 
- if (!ctx->key_init)
+ if (!ctx->md)
  goto err;
 
  if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
@@ -205,7 +204,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx)
  EVP_MD_CTX_init(&ctx->i_ctx);
  EVP_MD_CTX_init(&ctx->o_ctx);
  EVP_MD_CTX_init(&ctx->md_ctx);
- ctx->key_init = 0;
  ctx->md = NULL;
 }
 
@@ -217,11 +215,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
  goto err;
  if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx))
  goto err;
- dctx->key_init = sctx->key_init;
- if (sctx->key_init) {
- memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
- dctx->key_length = sctx->key_length;
- }
+ memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
+ dctx->key_length = sctx->key_length;
  dctx->md = sctx->md;
  return 1;
  err:

deps/openssl/openssl/crypto/hmac/hmac.h

@@ -79,7 +79,6 @@ typedef struct hmac_ctx_st {
  EVP_MD_CTX o_ctx;
  unsigned int key_length;
  unsigned char key[HMAC_MAX_MD_CBLOCK];
- int key_init;
 } HMAC_CTX;
 
 # define HMAC_size(e) (EVP_MD_size((e)->md))

deps/openssl/openssl/crypto/hmac/hmactest.c

@@ -233,7 +233,12 @@ int main(int argc, char *argv[])
  err++;
  goto test6;
  }
- if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
+ if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
+ printf("Should disallow changing MD without a new key (test 5)\n");
+ err++;
+ goto test6;
+ }
+ if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) {
  printf("Failed to reinitialise HMAC (test 5)\n");
  err++;
  goto test6;

deps/openssl/openssl/crypto/opensslv.h

@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  * major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER 0x1000202fL
+# define OPENSSL_VERSION_NUMBER 0x1000203fL
 # ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2b-fips 11 Jun 2015"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015"
 # else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2b 11 Jun 2015"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015"
 # endif
 # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
 

deps/openssl/openssl/openssl.spec

@@ -6,7 +6,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 1.0.2b
+Version: 1.0.2c
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries

deps/openssl/openssl/ssl/t1_lib.c

@@ -2016,12 +2016,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 
  s->srtp_profile = NULL;
 
- if (data >= (d + n - 2)) {
- if (data != d + n)
- goto err;
-  else
-  goto ri_check;
- }
+ if (data == d + n)
+ goto ri_check;
+
+ if (data > (d + n - 2))
+ goto err;
+
  n2s(data, len);
 
  if (data > (d + n - len))