deps: upgrade openssl sources to 1.1.1g

This updates all sources in deps/openssl/openssl by: $ cd deps/openssl/ $ rm -rf openssl $ tar zxf ~/tmp/openssl-1.1.1g.tar.gz $ mv openssl-1.1.1g openssl $ git add --all openssl $ git commit openssl PR-URL: #32971 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
nodejs · Apr 28, 2020 · 29d7202 · 29d7202
1 parent f6274af
commit 29d7202
Show file tree

Hide file tree

Showing 48 changed files with 1,842 additions and 636 deletions.
diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES
@@ -7,6 +7,27 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+  *) Fixed segmentation fault in SSL_check_chain()
+     Server or client applications that call the SSL_check_chain() function
+     during or after a TLS 1.3 handshake may crash due to a NULL pointer
+     dereference as a result of incorrect handling of the
+     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+     or unrecognised signature algorithm is received from the peer. This could
+     be exploited by a malicious peer in a Denial of Service attack.
+     (CVE-2020-1967)
+     [Benjamin Kaduk]
+
+  *) Added AES consttime code for no-asm configurations
+     an optional constant time support for AES was added
+     when building openssl for no-asm.
+     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+     At this time this feature is by default disabled.
+     It will be enabled by default in 3.0.
+     [Bernd Edlinger]
+
  Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
 
   *) Revert the change of EOF detection while reading in libssl to avoid

diff --git a/deps/openssl/openssl/INSTALL b/deps/openssl/openssl/INSTALL
@@ -535,9 +535,9 @@
                    conjunction with the "-DPEDANTIC" option (or the
                    --strict-warnings option).
 
-  no-ui
-                   Don't build with the "UI" capability (i.e. the set of
-                   features enabling text based prompts).
+  no-ui-console
+                   Don't build with the "UI" console method (i.e. the "UI"
+                   method that enables text based console prompts).
 
   enable-unit-test
                    Enable additional unit test APIs. This should not typically

diff --git a/deps/openssl/openssl/NEWS b/deps/openssl/openssl/NEWS
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
+
+      o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
+
   Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
 
       o Revert the unexpected EOF reporting via SSL_ERROR_SSL

diff --git a/deps/openssl/openssl/README b/deps/openssl/openssl/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1f 31 Mar 2020
+ OpenSSL 1.1.1g 21 Apr 2020
 
  Copyright (c) 1998-2020 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

diff --git a/deps/openssl/openssl/apps/build.info b/deps/openssl/openssl/apps/build.info
@@ -1,16 +1,17 @@
 {- our @apps_openssl_src =
        qw(openssl.c
-          asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c
-          dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c
-          genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c
-          pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c
+          asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
+          enc.c errstr.c
+          genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
+          pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
           s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
-          srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c);
+          verify.c version.c x509.c rehash.c storeutl.c);
    our @apps_lib_src =
        ( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
          split(/\s+/, $target{apps_aux_src}) );
    our @apps_init_src = split(/\s+/, $target{apps_init_src});
    "" -}
+
 IF[{- !$disabled{apps} -}]
   LIBS_NO_INST=libapps.a
   SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
@@ -21,11 +22,51 @@ IF[{- !$disabled{apps} -}]
   SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
   INCLUDE[openssl]=.. ../include
   DEPEND[openssl]=libapps.a ../libssl
-
-IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
-  GENERATE[openssl.rc]=../util/mkrc.pl openssl
-  SOURCE[openssl]=openssl.rc
-ENDIF
+  IF[{- !$disabled{'des'} -}]
+    SOURCE[openssl]=pkcs12.c
+    DEPEND[pkcs12.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'ec'} -}]
+    SOURCE[openssl]=ec.c ecparam.c
+    DEPEND[ec.o]=progs.h
+    DEPEND[ecparam.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'ocsp'} -}]
+    SOURCE[openssl]=ocsp.c
+    DEPEND[ocsp.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'srp'} -}]
+    SOURCE[openssl]=srp.c
+    DEPEND[srp.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'ts'} -}]
+    SOURCE[openssl]=ts.c
+    DEPEND[ts.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'dh'} -}]
+    SOURCE[openssl]=dhparam.c
+    DEPEND[dhparam.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'dsa'} -}]
+    SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
+    DEPEND[dsa.o]=progs.h
+    DEPEND[dsaparam.o]=progs.h
+    DEPEND[gendsa.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'engine'} -}]
+    SOURCE[openssl]=engine.c
+    DEPEND[engine.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'rsa'} -}]
+    SOURCE[openssl]=rsa.c rsautl.c genrsa.c
+    DEPEND[rsa.o]=progs.h
+    DEPEND[rsautl.o]=progs.h
+    DEPEND[genrsa.o]=progs.h
+  ENDIF
+  IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
+    GENERATE[openssl.rc]=../util/mkrc.pl openssl
+    SOURCE[openssl]=openssl.rc
+  ENDIF
 
   {- join("\n  ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
                   @apps_openssl_src) -}

diff --git a/deps/openssl/openssl/apps/dhparam.c b/deps/openssl/openssl/apps/dhparam.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -8,28 +8,24 @@
  */
 
 #include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DH
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-
-# ifndef OPENSSL_NO_DSA
-#  include <openssl/dsa.h>
-# endif
-
-# define DEFBITS 2048
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+
+#define DEFBITS 2048
 
 static int dh_cb(int p, int n, BN_GENCB *cb);
 
@@ -56,13 +52,13 @@ const OPTIONS dhparam_options[] = {
     {"C", OPT_C, '-', "Print C code"},
     {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
     {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
     {"dsaparam", OPT_DSAPARAM, '-',
      "Read or generate DSA parameters, convert to DH"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
     {NULL}
 };
 
@@ -146,13 +142,13 @@ int dhparam_main(int argc, char **argv)
     if (g && !num)
         num = DEFBITS;
 
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
     if (dsaparam && g) {
         BIO_printf(bio_err,
                    "generator may not be chosen for DSA parameters\n");
         goto end;
     }
-# endif
+#endif
 
     out = bio_open_default(outfile, 'w', outformat);
     if (out == NULL)
@@ -173,7 +169,7 @@ int dhparam_main(int argc, char **argv)
 
         BN_GENCB_set(cb, dh_cb, bio_err);
 
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (dsaparam) {
             DSA *dsa = DSA_new();
 
@@ -196,7 +192,7 @@ int dhparam_main(int argc, char **argv)
                 goto end;
             }
         } else
-# endif
+#endif
         {
             dh = DH_new();
             BIO_printf(bio_err,
@@ -217,7 +213,7 @@ int dhparam_main(int argc, char **argv)
         if (in == NULL)
             goto end;
 
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (dsaparam) {
             DSA *dsa;
 
@@ -239,7 +235,7 @@ int dhparam_main(int argc, char **argv)
                 goto end;
             }
         } else
-# endif
+#endif
         {
             if (informat == FORMAT_ASN1) {
                 /*
@@ -376,4 +372,3 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
     (void)BIO_flush(BN_GENCB_get_arg(cb));
     return 1;
 }
-#endif
diff --git a/deps/openssl/openssl/apps/dsa.c b/deps/openssl/openssl/apps/dsa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -8,23 +8,19 @@
  */
 
 #include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/dsa.h>
-# include <openssl/evp.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-# include <openssl/bn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/bn.h>
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -49,14 +45,14 @@ const OPTIONS dsa_options[] = {
     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
     {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
     {"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_RC4
+#ifndef OPENSSL_NO_RC4
     {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
     {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
     {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
     {NULL}
 };
 
@@ -71,9 +67,9 @@ int dsa_main(int argc, char **argv)
     OPTION_CHOICE o;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
     int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-# ifndef OPENSSL_NO_RC4
+#ifndef OPENSSL_NO_RC4
     int pvk_encr = 2;
-# endif
+#endif
     int private = 0;
 
     prog = opt_init(argc, argv, dsa_options);
@@ -214,7 +210,7 @@ int dsa_main(int argc, char **argv)
             i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
                                             NULL, 0, NULL, passout);
         }
-# ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_RSA
     } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
         EVP_PKEY *pk;
         pk = EVP_PKEY_new();
@@ -229,21 +225,21 @@ int dsa_main(int argc, char **argv)
                 goto end;
             }
             assert(private);
-#  ifdef OPENSSL_NO_RC4
+# ifdef OPENSSL_NO_RC4
             BIO_printf(bio_err, "PVK format not supported\n");
             EVP_PKEY_free(pk);
             goto end;
-#  else
+# else
             i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
-#  endif
+# endif
         } else if (pubin || pubout) {
             i = i2b_PublicKey_bio(out, pk);
         } else {
             assert(private);
             i = i2b_PrivateKey_bio(out, pk);
         }
         EVP_PKEY_free(pk);
-# endif
+#endif
     } else {
         BIO_printf(bio_err, "bad output format specified for outfile\n");
         goto end;
@@ -262,4 +258,3 @@ int dsa_main(int argc, char **argv)
     OPENSSL_free(passout);
     return ret;
 }
-#endif