deps: upgrade openssl sources to quictls/openssl-3.0.1+quic
This updates all sources in deps/openssl/openssl by:
    $ git clone git@github.com:quictls/openssl.git
    $ cd openssl
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl
richardlau committed Dec 15, 2021
commit ebaf1bed207b63774beace60ae3b706cdd92d9b9
90 changes: 90 additions & 0 deletions deps/openssl/openssl/CHANGES.md
Expand Up @@ -34,6 +34,80 @@ breaking changes, and mappings for the large list of deprecated functions.

*Todd Short*

### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]

* Fixed invalid handling of X509_verify_cert() internal errors in libssl
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
verify a certificate supplied by a server. That function may return a
negative return value to indicate an internal error (for example out of
memory). Such a negative return value is mishandled by OpenSSL and will cause
an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
success and a subsequent call to SSL_get_error() to return the value
SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
returned by OpenSSL if the application has previously called
SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
totally unexpected and applications may not behave correctly as a result. The
exact behaviour will depend on the application but it could result in
crashes, infinite loops or other similar incorrect responses.

This issue is made more serious in combination with a separate bug in OpenSSL
3.0 that will cause X509_verify_cert() to indicate an internal error when
processing a certificate chain. This will occur where a certificate does not
include the Subject Alternative Name extension but where a Certificate
Authority has enforced name constraints. This issue can occur even with valid
chains.
([CVE-2021-4044])

*Matt Caswell*

* Corrected a few file name and file reference bugs in the build,
installation and setup scripts, which lead to installation verification
failures. Slightly enhanced the installation verification script.

*Richard Levitte*

* Fixed EVP_PKEY_eq() to make it possible to use it with strictly private
keys.

*Richard Levitte*

* Fixed PVK encoder to properly query for the passphrase.

*Tomáš Mráz*

* Multiple fixes in the OSSL_HTTP API functions.

*David von Oheimb*

* Allow sign extension in OSSL_PARAM_allocate_from_text() for the
OSSL_PARAM_INTEGER data type and return error on negative numbers
used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make
OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.

*Richard Levitte*

* Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.

*Tomáš Mráz*

* Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.

*Allan Jude*

* Multiple threading fixes.

*Matt Caswell*

* Added NULL digest implementation to keep compatibility with 1.1.1 version.

*Tomáš Mráz*

* Allow fetching an operation from the provider that owns an unexportable key
as a fallback if that is still allowed by the property query.

*Richard Levitte*

### Changes between 1.1.1 and 3.0.0 [7 sep 2021]

* TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
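Review bot: The 3.0.1 section added here is the only place in this commit that records the CVE-2021-4044 fix (the X509_verify_cert() internal-error handling in libssl). The commit message does not mention the CVE, and its listed steps clone quictls/openssl and copy the tree with no checkout of a specific tag or commit hash. Suggest adding the exact upstream tag or commit hash and the CVE reference to the commit message so the vendored sources can be re-derived and audited later.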
Expand Down Expand Up @@ -1459,6 +1533,22 @@ breaking changes, and mappings for the large list of deprecated functions.
OpenSSL 1.1.1
-------------

### Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]

* Avoid loading of a dynamic engine twice.

*Bernd Edlinger*

* Prioritise DANE TLSA issuer certs over peer certs

*Viktor Dukhovni*

* Fixed random API for MacOS prior to 10.12

These MacOS versions don't support the CommonCrypto APIs

*Lenny Primak*

### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

* Fixed an SM2 Decryption Buffer Overflow.
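Review bot: The heading `### Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]` is imported with a placeholder date, so this section should not be read as a release record for 1.1.1m. Since the file is a verbatim copy of upstream, suggest leaving it unedited here and not citing this section as evidence that those 1.1.1 fixes shipped under a dated release.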
1 change: 1 addition & 0 deletions deps/openssl/openssl/Configurations/10-main.conf
Expand Up @@ -857,6 +857,7 @@ my %targets = (
inherit_from => [ "linux-x86" ],
CC => "clang",
CXX => "clang++",
ex_libs => add(threads("-latomic")),
},
"linux-x86_64" => {
inherit_from => [ "linux-generic64" ],
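Review bot: The `ex_libs => add(threads("-latomic"))` line in the clang target that inherits from linux-x86 makes threaded builds of that target link against libatomic, and nothing in the hunk or the commit message says why. Suggest a one-line comment in the target (or a pointer to the upstream change) and a check that the 32-bit clang build environments actually ship libatomic, since a missing library would only show up as a link failure.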
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Configurations/15-ios.conf
Expand Up @@ -10,7 +10,7 @@ my %targets = (
template => 1,
inherit_from => [ "darwin-common" ],
sys_id => "iOS",
disable => [ "engine", "async" ],
disable => [ "shared", "async" ],
},
"ios-xcrun" => {
inherit_from => [ "ios-common" ],
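Review bot: The `disable` list in this template target (sys_id "iOS") goes from `[ "engine", "async" ]` to `[ "shared", "async" ]`, so engine support is no longer disabled for iOS while shared library builds now are. That is a feature-set change rather than a pure build fix; suggest calling it out in the commit message and confirming that no iOS consumer of this tree relied on engines staying off.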
36 changes: 22 additions & 14 deletions deps/openssl/openssl/Configurations/descrip.mms.tmpl
Expand Up @@ -9,7 +9,7 @@
(our $osslprefix_q = platform->osslprefix()) =~ s/\$/\\\$/;

our $sover_dirname = platform->shlib_version_as_filename();
our $osslver = sprintf "%02d%02d", split(/\./, $config{version});
our $osslver = sprintf "%02d", split(/\./, $config{version});

our $sourcedir = $config{sourcedir};
our $builddir = $config{builddir};
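Review bot: In `our $osslver = sprintf "%02d", split(/\./, $config{version});` the format now has a single conversion but split still passes every dot-separated field, so the extra fields are dropped silently (Perl 5.22 and later report "Redundant argument in sprintf" when warnings are enabled). Suggest taking the first field explicitly, for example `(split(/\./, $config{version}))[0]`, so that using only the major number is visibly intended.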
Expand Down Expand Up @@ -110,9 +110,9 @@
@cnf_defines,
'OPENSSLDIR="""$(OPENSSLDIR_C)"""',
'ENGINESDIR="""$(ENGINESDIR_C)"""',
'MODULESDIR="""$(MODULESDIR_C)"""',
#'$(DEFINES)'
'MODULESDIR="""$(MODULESDIR_C)"""'
)
. '$(DEFINES)'
. "'extradefines'";
our $lib_asflags =
join(' ', $target{lib_asflags} || (), @{$config{lib_asflags}},
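Review bot: `'$(DEFINES)'` moves from a commented-out element inside the join to a string appended after the closing parenthesis with no separator, so a non-empty $(DEFINES) has to supply its own leading comma for the result to stay a valid comma-separated list, and the hunk does not say so. Suggest a short comment above `. '$(DEFINES)'` stating the expected form; the same comment would cover the two identical changes further down for the dso and bin defines.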
Expand Down Expand Up @@ -144,8 +144,8 @@
join(',', @{$target{dso_defines}}, @{$target{module_defines}},
@{$config{dso_defines}}, @{$config{module_defines}},
@cnf_defines,
#'$(DEFINES)'
)
. '$(DEFINES)'
. "'extradefines'";
our $dso_asflags =
join(' ', $target{dso_asflags} || (), $target{module_asflags} || (),
Expand Down Expand Up @@ -180,8 +180,8 @@
join(',', @{$target{bin_defines}},
@{$config{bin_defines}},
@cnf_defines,
#'$(DEFINES)'
)
. '$(DEFINES)'
. "'extradefines'";
our $bin_asflags =
join(' ', $target{bin_asflags} || (),
Expand Down Expand Up @@ -267,6 +267,7 @@ VERBOSE=$(V)
VERBOSE_FAILURE=$(VF)

VERSION={- "$config{full_version}" -}
VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
Expand Down Expand Up @@ -355,7 +356,7 @@ OPENSSLDIR_C={- platform->osslprefix() -}DATAROOT:[000000]
# Where installed ENGINE modules reside, for C
ENGINESDIR_C={- platform->osslprefix() -}ENGINES{- $sover_dirname.$target{pointer_size} -}:
# Where modules reside, for C
MODULESDIR_C={- platform->osslprefix() -}MODULES{- $sover_dirname.$target{pointer_size} -}:
MODULESDIR_C={- platform->osslprefix() -}MODULES{- $target{pointer_size} -}:

##### User defined commands and flags ################################

Expand Down Expand Up @@ -428,7 +429,9 @@ NODEBUG=@
$(NODEBUG) ! them, so we create it instead. This is an unfortunate
$(NODEBUG) ! necessity.
$(NODEBUG) !
$(NODEBUG) DEFINE openssl "{- sourcedir('include/openssl') -}
$(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;"
$(NODEBUG) openssl_inc2 = F$PARSE("sourcetop:[include.openssl]","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2'
$(NODEBUG) !
$(NODEBUG) ! Figure out the architecture
$(NODEBUG) !
Expand All @@ -441,9 +444,10 @@ NODEBUG=@

.LAST :
$(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } @shlibs) || "!" -}
$(NODEBUG) DEASSIGN openssl
$(NODEBUG) DEASSIGN ossl_dataroot
$(NODEBUG) DEASSIGN ossl_installroot
$(NODEBUG) DEASSIGN openssl
$(NODEBUG) DEASSIGN ossl_sourceroot
.DEFAULT :
@ ! MMS cannot handle no actions...

Expand Down Expand Up @@ -569,16 +573,18 @@ uninstall_docs : uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
install_fips : build_sw $(INSTALL_FIPSMODULECONF)
@ WRITE SYS$OUTPUT "*** Installing FIPS module"
- CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
- CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
COPY/PROT=W:RE $(INSTALL_FIPSMODULES) -
ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME)
ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']$(FIPSMODULENAME)
@ WRITE SYS$OUTPUT "*** Installing FIPS module configuration"
COPY/PROT=W:RE $(INSTALL_FIPSMODULECONF) OSSL_DATAROOT:[000000]

uninstall_fips :
@ WRITE SYS$OUTPUT "*** Uninstalling FIPS module configuration"
DELETE OSSL_DATAROOT:[000000]fipsmodule.cnf;*
@ WRITE SYS$OUTPUT "*** Uninstalling FIPS module"
DELETE ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME);*
DELETE ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']$(FIPSMODULENAME);*
{- output_on() if $disabled{fips}; "" -}

install_ssldirs : check_INSTALLTOP
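Review bot: Both install_fips and uninstall_fips now use `[MODULES{- $target{pointer_size} -}.'arch']` without $sover_dirname, so the FIPS module path is no longer specific to the shared-library version, while the `DELETE ...$(FIPSMODULENAME);*` in uninstall_fips removes every version of that file in the now shared directory. If two OpenSSL installations can share one ossl_installroot, uninstalling one would remove the other's FIPS module; suggest documenting that the unversioned directory is intended (the ENGINES directory elsewhere in this file keeps $sover_dirname) and what uninstall is expected to do in that case.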
Expand Down Expand Up @@ -607,7 +613,9 @@ install_dev : check_INSTALLTOP install_runtime_libs
@ WRITE SYS$OUTPUT "*** Installing development files"
@ ! Install header files
- CREATE/DIR ossl_installroot:[include.openssl]
COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl]
COPY/PROT=W:R ossl_sourceroot:[include.openssl]*.h -
ossl_installroot:[include.openssl]
COPY/PROT=W:R [.include.openssl]*.h ossl_installroot:[include.openssl]
@ ! Install static (development) libraries
- CREATE/DIR ossl_installroot:[LIB.'arch']
{- join("\n ",
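Review bot: The header install is now two COPY commands into the same `ossl_installroot:[include.openssl]`, first from `ossl_sourceroot:[include.openssl]` and then from `[.include.openssl]`, so for any header name present in both places the copy from the current directory is the one that lands last. Suggest a comment above the two commands stating that this order is deliberate, so a later reordering does not silently install the wrong variant of a header.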
Expand All @@ -626,9 +634,9 @@ install_engines : check_INSTALLTOP install_runtime_libs build_modules
install_modules : check_INSTALLTOP install_runtime_libs build_modules
@ {- output_off() unless scalar @install_modules; "" -} !
@ WRITE SYS$OUTPUT "*** Installing modules"
- CREATE/DIR ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']
- CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
{- join("\n ",
map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[MODULES$sover_dirname$target{pointer_size}.'arch']" }
map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[MODULES$target{pointer_size}.'arch']" }
@install_modules) -}
@ {- output_on() unless scalar @install_modules; "" -} !

Expand Down Expand Up @@ -904,7 +912,7 @@ EOF
#
my $target = platform->def($args{src});
my $mkdef = sourcefile('util', 'mkdef.pl');
my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name =
$args{generator}->[1] || basename($args{product}, '.EXE');
my $case_insensitive =
18 changes: 15 additions & 3 deletions deps/openssl/openssl/Configurations/platform/Unix.pm
Expand Up @@ -63,9 +63,21 @@ sub sharedname_simple {
}

sub sharedlib_simple {
return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple();
return platform::BASE::__concat($_[0]->sharedname_simple($_[1]),
$_[0]->shlibextsimple());
# This function returns the simplified shared library name (no version
# or variant in the shared library file name) if the simple variants of
# the base name or the suffix differ from the full variants of the same.

# Note: if $_[1] isn't a shared library name, then $_[0]->sharedname()
# and $_[0]->sharedname_simple() will return undef. This needs being
# accounted for.
my $name = $_[0]->sharedname($_[1]);
my $simplename = $_[0]->sharedname_simple($_[1]);
my $ext = $_[0]->shlibext();
my $simpleext = $_[0]->shlibextsimple();

return undef unless defined $simplename && defined $name;
return undef if ($name eq $simplename && $ext eq $simpleext);
return platform::BASE::__concat($simplename, $simpleext);
}

sub sharedlib_import {
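Review bot: The new guard `return undef unless defined $simplename && defined $name;` covers the two names, but `$ext eq $simpleext` on the following line has no matching guard, so an undef from shlibext() or shlibextsimple() would surface only as an "uninitialized value" warning. If those can never return undef on the platforms using this module, a sentence in the comment block saying so would close the gap; the comment's "This needs being accounted for" would also read better as "This needs to be accounted for".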
20 changes: 11 additions & 9 deletions deps/openssl/openssl/Configurations/unix-Makefile.tmpl
Expand Up @@ -67,6 +67,7 @@ BLDDIR={- $config{builddir} -}
FIPSKEY={- $config{FIPSKEY} -}

VERSION={- "$config{full_version}" -}
VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
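Review bot: `VERSION_NUMBER={- "$config{version}" -}` sits directly under `VERSION={- "$config{full_version}" -}` with nothing saying how the two differ or which one tooling should use, while later hunks in this file switch every `mknum.pl --version` call and the mkdef `--version` argument from $(VERSION) to $(VERSION_NUMBER). Suggest a one-line comment here stating that VERSION_NUMBER is the value to pass to the ordinals tooling and VERSION is the full version string.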
Expand Down Expand Up @@ -618,6 +619,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs
install_fips: build_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)
@$(ECHO) "*** Installing FIPS module"
@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
@cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
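Review bot: The added `mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)` line in install_fips creates the directory with no explicit mode on this line, whereas the VMS template in this same commit creates the equivalent data root with `CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE)` before copying the FIPS module configuration into it. Suggest setting, or at least documenting, the expected mode here too, since the integrity of an installed FIPS module configuration depends on who can write to that directory.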
Expand Down Expand Up @@ -691,11 +693,11 @@ install_dev: install_runtime_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
@ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
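Review bot: The guard around the applink.c install changes from a grep for the OPENSSL_USE_APPLINK define to `output_off() if $disabled{uplink}`, so the file is now installed on every target of this makefile template where uplink is not disabled rather than only where the define is set. The output_off/output_on pair uses the same condition, which keeps them balanced; suggest confirming that installing ms/applink.c into include/openssl on all such targets is intended and noting the wider condition in the commit message.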
Expand Down Expand Up @@ -765,10 +767,10 @@ install_dev: install_runtime_libs

uninstall_dev: uninstall_runtime_libs
@$(ECHO) "*** Uninstalling development files"
@ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
Expand Down Expand Up @@ -1305,23 +1307,23 @@ SSLHEADERS={- join(" \\\n" . ' ' x 11,
fill_lines(" ", $COLUMNS - 11, sort keys %sslheaders)) -}

renumber: build_generated
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libcrypto.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
--renumber \
$(CRYPTOHEADERS)
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libssl.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
--renumber \
$(SSLHEADERS)

ordinals: build_generated
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libcrypto.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
$(CRYPTOHEADERS)
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libssl.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
$(SSLHEADERS)
Expand Down Expand Up @@ -1529,7 +1531,7 @@ EOF
#
my $target = platform->def($args{src});
(my $mkdef_os = $target{shared_target}) =~ s|-shared$||;
my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name = $args{generator}->[1] || $args{product};
return <<"EOF";
$target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl