Update openssl 1.1.1i #36520
Update openssl 1.1.1i #36520
Conversation
nodejs-github-bot
added
the
openssl
|
If this breaks the quic builds at all in CI those should not be considered blocking for this PR. I'll reconcile those and fix that up after this lands. |
|
Rubber stamp LGTM |
|
looks like the way I applied the git patch put some stuff in the wrong directory... fixing it now and will repush |
|
The patch in the repo is out of date. It's better to cherry pick the commits directly from the akamai repo and hope for the best lol... If they don't apply skip it and the quic builds will just have to fail until I can get in an update things. |
|
@jasnell I updated the patch manually (to keep it for posterity) from the repo. The issue was that I didn't specify directory when running edit: just running the command to update the architecture files then I'll update this PR and re-run CI |
MylesBorins
force-pushed
the
update-openssl-1.1.1i
branch
2 times, most recently
from
fdc5f54
to
18b8a54
Compare
|
ugh, compilation is completely busted and I'm really not sure what's going on. May not have time to get this together tonight edit: spouse is watching bachelorette which is a great opportunity to run some builds 😂 Looks like there was still more of an issue with the |
MylesBorins
force-pushed
the
update-openssl-1.1.1i
branch
from
18b8a54
to
e5758b5
Compare
|
OK! I've managed to get the build working locally, but only with May poke at this a bit more tonight, but just documenting where I'm at for now. edit: I think I got it!!! needed to reapply 69f8290e6f to guard the inclusion of quic when it isn't used. phew. Fingers crossed that tests pass now. |
MylesBorins
force-pushed
the
update-openssl-1.1.1i
branch
from
e5758b5
to
36109a4
Compare
This updates all sources in deps/openssl/openssl by:
$ cd deps/openssl/
$ rm -rf openssl
$ tar zxf ~/tmp/openssl-1.1.1i.tar.gz
$ mv openssl-1.1.1i openssl
$ git add --all openssl
$ git commit openssl
Add support for BoringSSL QUIC APIs This is a cherry-pick of 2a4b03a306439307e0b822b17eda3bdabddfbb68 on the master-quic-support2 branch (2019-10-07) Which was a rebase/squash of master-quic-support: * 5aa62ce Add support for more secrets - Todd Short/Todd Short (master-quic-support) * 58e0643 Tweeks to quic_change_cipher_state() - Todd Short/Todd Short * 8169702 Move QUIC code out of tls13_change_cipher_state() - Todd Short/Todd Short * a08cfe6 Correctly disable middlebox compat - Todd Short/Todd Short * 3a9eabf Add OPENSSL_NO_QUIC wrapper - Todd Short/Todd Short * f550eca Add client early traffic secret storage - Todd Short/Todd Short * 1b787ae Quick fix: s2c to c2s for early secret - Todd Short/Todd Short * f97e6a9 Don't process an incomplete message - Todd Short/Todd Short * 81f0ce2 Reset init state in SSL_process_quic_post_handshake() - Todd Short/Todd Short * 5d59cf9 Fix quic_transport constructors/parsers - Todd Short/Todd Short * 5e5f91c Fix INSTALL nit. - Todd Short/Todd Short * bd290ab Fix duplicate word in docs - Todd Short/Todd Short * 699590b fixup! Handle partial handshake messages - Todd Short/Todd Short * a472a8d Handle partial handshake messages - Todd Short/Todd Short * 363cf3d fixup! Use proper secrets for handshake - Todd Short/Todd Short * b03fee6 Use proper secrets for handshake - Todd Short/Todd Short * 2ab1aa0 Move QUIC transport params to encrypted extensions - Todd Short/Todd Short * 0d16af9 Make temp secret names less confusing - Todd Short/Todd Short * abb6f39 New method to get QUIC secret length - Todd Short/Todd Short * 05fdae9 Add support for BoringSSL QUIC APIs - Todd Short/Todd Short This adds a compatible API for BoringSSL's QUIC support, based on the current |draft-ietf-quic-tls|. Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8 Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81 Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03 Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942 Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 New method to get QUIC secret length Make temp secret names less confusing Move QUIC transport params to encrypted extensions Use proper secrets for handshake fixup! Use proper secrets for handshake Handle partial handshake messages fixup! Handle partial handshake messages Fix duplicate word in docs Fix INSTALL nit. Fix quic_transport constructors/parsers Reset init state in SSL_process_quic_post_handshake() Don't process an incomplete message Quick fix: s2c to c2s for early secret Add client early traffic secret storage Add OPENSSL_NO_QUIC wrapper Correctly disable middlebox compat Move QUIC code out of tls13_change_cipher_state() Create quic_change_cipher_state() that does the minimal required to generate the QUIC secrets. (e.g. encryption contexts are not initialized). Tweeks to quic_change_cipher_state() Add support for more secrets Fix resumption secret (cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d) QUIC: Handle EndOfEarlyData and MaxEarlyData QUIC: Increase HKDF_MAXBUF to 2048 Fall-through for 0RTT Some cleanup for the main QUIC changes Try to reduce unneeded whitespace changes and wrap new code to 80 columns. Reword documentation to attempt to improve clarity. Add some more sanity checks and clarifying comments to the code. Update referenced I-D versions. Prevent KeyUpdate for QUIC QUIC does not use the TLS KeyUpdate message/mechanism, and indeed it is an error to generate or receive such a message. Add the necessary checks (noting that the check for receipt should be redundant since SSL_provide_quic_data() is the only way to provide input to the TLS layer for a QUIC connection). Test KeyUpdate rejection For now, just test that we don't generate any, since we don't really expose the mechanics for encrypting one and the QUIC API is not integrated into the TLSProxy setup. Fix out-of-bounds read when TLS msg is split up into multiple chunks Previously, SSL_provide_quic_data tried to handle this kind of situation, but it failed when the length of input data is less than SSL3_HM_HEADER_LENGTH. If that happens, the code might get wrong message length by reading value from out-of-bounds region. Revert "Fix out-of-bounds read when TLS msg is split up into multiple chunks" This reverts commit 18f993cbdae498111c94a075fd9b115bd8367574. Test HKDF with empty IKM Add an extra EVP test that provides empty input key material. It currently fails, since attempting to set a zero-length key on an EVP_PKEY_CTX results in a call to OPENSSL_memdup() with length zero, which returns NULL and is detected as failure. Allow zero-length HKDF keys When making a copy to keep in the EVP_PKEY_CTX, allocate a single byte for the cached key instead of letting memdup return NULL and cause the call to fail. The length still gets set to zero properly, so we don't end up inspecting the allocated byte, but it's important to have a non-NULL pointer set. Buffer all provided quic data Make all data supplied via SSL_provide_quic_data() pass through an internal buffer, so that we can handle data supplied with arbitrary framing and only parse complete TLS records onto the list of QUIC_DATA managed by quic_input_data_head/quic_input_data_tail. This lets us remove the concept of "incomplete" QUIC_DATA structures, and the 'offset' field needed to support them. However, we've already moved the provided data onto the buffer by the time we can check for KeyUpdate messages, so defer that check to quic_get_message() (where it is adjacent to the preexisting ChangeCipherSpec check). To avoid extra memory copies, we also make the QUIC_DATA structures just store offsets into the consolidated buffer instead of having copies of the TLS handshake messages themselves. enforce consistent encryption level for handshake messages The QUIC-TLS spec requires that TLS handshake messages do not cross encryption level boundaries, but we were not previously enforcing this.
PR-URL: nodejs#34033 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl/include/crypto/bn_conf.h $ git add deps/openssl/openssl/include/crypto/dso_conf.h $ git add deps/openssl/openssl/include/openssl/opensslconf.h $ git commit
MylesBorins
force-pushed
the
update-openssl-1.1.1i
branch
from
36109a4
to
3f77eb7
Compare
|
Looks like make snapshot is failing on sharedlibs_debug |
|
/cc @joyeecheung maybe you know what's going on with make snapshot? edit: looks like the most recent CI was green and just didn't update the GitHub UI |
MylesBorins
added
the
commit-queue
github-actions
bot
removed
the
commit-queue
Commit Queue failed- Loading data for nodejs/node/pull/36520 ✔ Done loading data for nodejs/node/pull/36520 ----------------------------------- PR info ------------------------------------ Title Update openssl 1.1.1i (#36520) ⚠ Could not retrieve the email or name of the PR author's from user's GitHub profile! Branch MylesBorins:update-openssl-1.1.1i -> nodejs:master Labels openssl Commits 5 - deps: update patch and docs for openssl update - deps: upgrade openssl sources to 1.1.1i - deps: various quic patches from akamai/openssl - deps: re-enable OPENSSL_NO_QUIC guards - deps: update archs files for OpenSSL-1.1.1i Committers 1 - Myles Borins PR-URL: https://github.com/nodejs/node/pull/36520 Reviewed-By: James M Snell Reviewed-By: Richard Lau Reviewed-By: Michael Dawson Reviewed-By: Beth Griggs ------------------------------ Generated metadata ------------------------------ PR-URL: https://github.com/nodejs/node/pull/36520 Reviewed-By: James M Snell Reviewed-By: Richard Lau Reviewed-By: Michael Dawson Reviewed-By: Beth Griggs -------------------------------------------------------------------------------- ✔ Last GitHub Actions successful ℹ Last Full PR CI on 2020-12-15T11:20:30Z: https://ci.nodejs.org/job/node-test-pull-request/34946/ - Querying data for job/node-test-pull-request/34946/ ✔ Build data downloaded ✔ Last Jenkins CI successful ℹ This PR was created on Mon, 14 Dec 2020 23:55:42 GMT ✔ Approvals: 4 ✔ - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/36520#pullrequestreview-552635549 ✔ - Richard Lau (@richardlau): https://github.com/nodejs/node/pull/36520#pullrequestreview-552660209 ✔ - Michael Dawson (@mhdawson) (TSC): https://github.com/nodejs/node/pull/36520#pullrequestreview-554086288 ✔ - Beth Griggs (@BethGriggs) (TSC): https://github.com/nodejs/node/pull/36520#pullrequestreview-554176336 -------------------------------------------------------------------------------- ✔ No git cherry-pick in progress ✔ No git am in progress ✔ No git rebase in progress -------------------------------------------------------------------------------- - Bringing origin/master up to date... From https://github.com/nodejs/node * branch master -> FETCH_HEAD ✔ origin/master is now up-to-date - Downloading patch for 36520 From https://github.com/nodejs/node * branch refs/pull/36520/merge -> FETCH_HEAD ✔ Fetched commits as 0e96dc1f95be..3f77eb742ab4 -------------------------------------------------------------------------------- [master 972c4cceda] deps: update patch and docs for openssl update Author: Myles Borins Date: Mon Dec 14 17:10:23 2020 -0500 2 files changed, 1981 insertions(+), 336 deletions(-) Removing deps/openssl/openssl/ssl/statem/statem_quic.c Removing deps/openssl/openssl/ssl/ssl_quic.c Removing deps/openssl/openssl/include/openssl/opensslconf.h Removing deps/openssl/openssl/include/crypto/dso_conf.h Removing deps/openssl/openssl/include/crypto/bn_conf.h Removing deps/openssl/openssl/doc/man3/SSL_CTX_set_quic_method.pod Removing deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl [master c8ad6e4e30] deps: upgrade openssl sources to 1.1.1i Author: Myles Borins Date: Mon Dec 14 17:47:09 2020 -0500 373 files changed, 4265 insertions(+), 5667 deletions(-) mode change 100644 => 100755 deps/openssl/openssl/apps/ca.c delete mode 100755 deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl delete mode 100644 deps/openssl/openssl/doc/man3/SSL_CTX_set_quic_method.pod delete mode 100644 deps/openssl/openssl/include/crypto/bn_conf.h delete mode 100644 deps/openssl/openssl/include/crypto/dso_conf.h delete mode 100644 deps/openssl/openssl/include/openssl/opensslconf.h delete mode 100644 deps/openssl/openssl/ssl/ssl_quic.c delete mode 100644 deps/openssl/openssl/ssl/statem/statem_quic.c create mode 100644 deps/openssl/openssl/test/certs/ca-cert-ec-explicit.pem create mode 100644 deps/openssl/openssl/test/certs/ca-cert-ec-named.pem create mode 100644 deps/openssl/openssl/test/certs/ca-key-ec-explicit.pem create mode 100644 deps/openssl/openssl/test/certs/ca-key-ec-named.pem create mode 100644 deps/openssl/openssl/test/certs/ee-cert-ec-explicit.pem create mode 100644 deps/openssl/openssl/test/certs/ee-cert-ec-named-explicit.pem create mode 100644 deps/openssl/openssl/test/certs/ee-cert-ec-named-named.pem create mode 100644 deps/openssl/openssl/test/certs/ee-key-ec-explicit.pem create mode 100644 deps/openssl/openssl/test/certs/ee-key-ec-named-explicit.pem create mode 100644 deps/openssl/openssl/test/certs/ee-key-ec-named-named.pem create mode 100644 deps/openssl/openssl/test/certs/ee-self-signed.pem create mode 100644 deps/openssl/openssl/test/certs/root-expired.pem create mode 100644 deps/openssl/openssl/test/cmactest.c create mode 100644 deps/openssl/openssl/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem create mode 100644 deps/openssl/openssl/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem create mode 100644 deps/openssl/openssl/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem create mode 100644 deps/openssl/openssl/test/recipes/05-test_cmac.t create mode 100644 deps/openssl/openssl/test/recipes/15-test_genec.t create mode 100644 deps/openssl/openssl/test/recipes/20-test_dgst.t create mode 100644 deps/openssl/openssl/test/tested25519.pem create mode 100644 deps/openssl/openssl/test/tested25519pub.pem create mode 100644 deps/openssl/openssl/test/tested448.pem create mode 100644 deps/openssl/openssl/test/tested448pub.pem [master 4804717d66] deps: various quic patches from akamai/openssl Author: Todd Short Date: Fri Apr 12 11:13:25 2019 -0400 35 files changed, 1532 insertions(+), 33 deletions(-) create mode 100644 deps/openssl/openssl/doc/man3/SSL_CTX_set_quic_method.pod create mode 100644 deps/openssl/openssl/ssl/ssl_quic.c create mode 100644 deps/openssl/openssl/ssl/statem/statem_quic.c [master cd52eda73f] deps: re-enable OPENSSL_NO_QUIC guards Author: James M Snell Date: Tue Jun 23 17:40:53 2020 -0700 2 files changed, 8 insertions(+) [master 3791d5ed7d] deps: update archs files for OpenSSL-1.1.1i Author: Myles Borins Date: Mon Dec 14 22:12:07 2020 -0500 232 files changed, 2134 insertions(+), 471 deletions(-) create mode 100644 deps/openssl/openssl/include/crypto/bn_conf.h create mode 100644 deps/openssl/openssl/include/crypto/dso_conf.h create mode 100644 deps/openssl/openssl/include/openssl/opensslconf.h ✔ Patches applied There are 5 commits in the PR. Attempting autorebase. Rebasing (2/10)
This adds a compatible API for BoringSSL's QUIC support, based Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe New method to get QUIC secret length Make temp secret names less confusing Move QUIC transport params to encrypted extensions Use proper secrets for handshake fixup! Use proper secrets for handshake Handle partial handshake messages fixup! Handle partial handshake messages Fix duplicate word in docs Fix INSTALL nit. Fix quic_transport constructors/parsers Reset init state in SSL_process_quic_post_handshake() Don't process an incomplete message Quick fix: s2c to c2s for early secret Add client early traffic secret storage Add OPENSSL_NO_QUIC wrapper Correctly disable middlebox compat Move QUIC code out of tls13_change_cipher_state() Create quic_change_cipher_state() that does the minimal required Tweeks to quic_change_cipher_state() Add support for more secrets Fix resumption secret (cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d) QUIC: Handle EndOfEarlyData and MaxEarlyData QUIC: Increase HKDF_MAXBUF to 2048 Fall-through for 0RTT Some cleanup for the main QUIC changes Try to reduce unneeded whitespace changes and wrap new code to 80 columns. Prevent KeyUpdate for QUIC QUIC does not use the TLS KeyUpdate message/mechanism, and indeed Test KeyUpdate rejection For now, just test that we don't generate any, since we don't really Fix out-of-bounds read when TLS msg is split up into multiple chunks Previously, SSL_provide_quic_data tried to handle this kind of Revert "Fix out-of-bounds read when TLS msg is split up into multiple chunks" This reverts commit 18f993cbdae498111c94a075fd9b115bd8367574. Test HKDF with empty IKM Add an extra EVP test that provides empty input key material. Allow zero-length HKDF keys When making a copy to keep in the EVP_PKEY_CTX, allocate a single Buffer all provided quic data Make all data supplied via SSL_provide_quic_data() pass through an This lets us remove the concept of "incomplete" QUIC_DATA structures, However, we've already moved the provided data onto the buffer by To avoid extra memory copies, we also make the QUIC_DATA structures enforce consistent encryption level for handshake messages The QUIC-TLS spec requires that TLS handshake messages do not cross PR-URL: #36520
|
github-actions
bot
added
the
commit-queue-failed
PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
This updates all sources in deps/openssl/openssl by:
$ cd deps/openssl/
$ rm -rf openssl
$ tar zxf ~/tmp/openssl-1.1.1i.tar.gz
$ mv openssl-1.1.1i openssl
$ git add --all openssl
$ git commit openssl
PR-URL: #36520
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Add support for BoringSSL QUIC APIs This is a cherry-pick of 2a4b03a306439307e0b822b17eda3bdabddfbb68 on the master-quic-support2 branch (2019-10-07) Which was a rebase/squash of master-quic-support: * 5aa62ce Add support for more secrets - Todd Short/Todd Short (master-quic-support) * 58e0643 Tweeks to quic_change_cipher_state() - Todd Short/Todd Short * 8169702 Move QUIC code out of tls13_change_cipher_state() - Todd Short/Todd Short * a08cfe6 Correctly disable middlebox compat - Todd Short/Todd Short * 3a9eabf Add OPENSSL_NO_QUIC wrapper - Todd Short/Todd Short * f550eca Add client early traffic secret storage - Todd Short/Todd Short * 1b787ae Quick fix: s2c to c2s for early secret - Todd Short/Todd Short * f97e6a9 Don't process an incomplete message - Todd Short/Todd Short * 81f0ce2 Reset init state in SSL_process_quic_post_handshake() - Todd Short/Todd Short * 5d59cf9 Fix quic_transport constructors/parsers - Todd Short/Todd Short * 5e5f91c Fix INSTALL nit. - Todd Short/Todd Short * bd290ab Fix duplicate word in docs - Todd Short/Todd Short * 699590b fixup! Handle partial handshake messages - Todd Short/Todd Short * a472a8d Handle partial handshake messages - Todd Short/Todd Short * 363cf3d fixup! Use proper secrets for handshake - Todd Short/Todd Short * b03fee6 Use proper secrets for handshake - Todd Short/Todd Short * 2ab1aa0 Move QUIC transport params to encrypted extensions - Todd Short/Todd Short * 0d16af9 Make temp secret names less confusing - Todd Short/Todd Short * abb6f39 New method to get QUIC secret length - Todd Short/Todd Short * 05fdae9 Add support for BoringSSL QUIC APIs - Todd Short/Todd Short This adds a compatible API for BoringSSL's QUIC support, based on the current |draft-ietf-quic-tls|. Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8 Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81 Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03 Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942 Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 New method to get QUIC secret length Make temp secret names less confusing Move QUIC transport params to encrypted extensions Use proper secrets for handshake fixup! Use proper secrets for handshake Handle partial handshake messages fixup! Handle partial handshake messages Fix duplicate word in docs Fix INSTALL nit. Fix quic_transport constructors/parsers Reset init state in SSL_process_quic_post_handshake() Don't process an incomplete message Quick fix: s2c to c2s for early secret Add client early traffic secret storage Add OPENSSL_NO_QUIC wrapper Correctly disable middlebox compat Move QUIC code out of tls13_change_cipher_state() Create quic_change_cipher_state() that does the minimal required to generate the QUIC secrets. (e.g. encryption contexts are not initialized). Tweeks to quic_change_cipher_state() Add support for more secrets Fix resumption secret (cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d) QUIC: Handle EndOfEarlyData and MaxEarlyData QUIC: Increase HKDF_MAXBUF to 2048 Fall-through for 0RTT Some cleanup for the main QUIC changes Try to reduce unneeded whitespace changes and wrap new code to 80 columns. Reword documentation to attempt to improve clarity. Add some more sanity checks and clarifying comments to the code. Update referenced I-D versions. Prevent KeyUpdate for QUIC QUIC does not use the TLS KeyUpdate message/mechanism, and indeed it is an error to generate or receive such a message. Add the necessary checks (noting that the check for receipt should be redundant since SSL_provide_quic_data() is the only way to provide input to the TLS layer for a QUIC connection). Test KeyUpdate rejection For now, just test that we don't generate any, since we don't really expose the mechanics for encrypting one and the QUIC API is not integrated into the TLSProxy setup. Fix out-of-bounds read when TLS msg is split up into multiple chunks Previously, SSL_provide_quic_data tried to handle this kind of situation, but it failed when the length of input data is less than SSL3_HM_HEADER_LENGTH. If that happens, the code might get wrong message length by reading value from out-of-bounds region. Revert "Fix out-of-bounds read when TLS msg is split up into multiple chunks" This reverts commit 18f993cbdae498111c94a075fd9b115bd8367574. Test HKDF with empty IKM Add an extra EVP test that provides empty input key material. It currently fails, since attempting to set a zero-length key on an EVP_PKEY_CTX results in a call to OPENSSL_memdup() with length zero, which returns NULL and is detected as failure. Allow zero-length HKDF keys When making a copy to keep in the EVP_PKEY_CTX, allocate a single byte for the cached key instead of letting memdup return NULL and cause the call to fail. The length still gets set to zero properly, so we don't end up inspecting the allocated byte, but it's important to have a non-NULL pointer set. Buffer all provided quic data Make all data supplied via SSL_provide_quic_data() pass through an internal buffer, so that we can handle data supplied with arbitrary framing and only parse complete TLS records onto the list of QUIC_DATA managed by quic_input_data_head/quic_input_data_tail. This lets us remove the concept of "incomplete" QUIC_DATA structures, and the 'offset' field needed to support them. However, we've already moved the provided data onto the buffer by the time we can check for KeyUpdate messages, so defer that check to quic_get_message() (where it is adjacent to the preexisting ChangeCipherSpec check). To avoid extra memory copies, we also make the QUIC_DATA structures just store offsets into the consolidated buffer instead of having copies of the TLS handshake messages themselves. enforce consistent encryption level for handshake messages The QUIC-TLS spec requires that TLS handshake messages do not cross encryption level boundaries, but we were not previously enforcing this. PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
PR-URL: #34033 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl/include/crypto/bn_conf.h $ git add deps/openssl/openssl/include/crypto/dso_conf.h $ git add deps/openssl/openssl/include/openssl/opensslconf.h $ git commit PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
|
landed in b833305...e51267b |
PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
This updates all sources in deps/openssl/openssl by:
$ cd deps/openssl/
$ rm -rf openssl
$ tar zxf ~/tmp/openssl-1.1.1i.tar.gz
$ mv openssl-1.1.1i openssl
$ git add --all openssl
$ git commit openssl
PR-URL: #36520
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Add support for BoringSSL QUIC APIs This is a cherry-pick of 2a4b03a306439307e0b822b17eda3bdabddfbb68 on the master-quic-support2 branch (2019-10-07) Which was a rebase/squash of master-quic-support: * 5aa62ce Add support for more secrets - Todd Short/Todd Short (master-quic-support) * 58e0643 Tweeks to quic_change_cipher_state() - Todd Short/Todd Short * 8169702 Move QUIC code out of tls13_change_cipher_state() - Todd Short/Todd Short * a08cfe6 Correctly disable middlebox compat - Todd Short/Todd Short * 3a9eabf Add OPENSSL_NO_QUIC wrapper - Todd Short/Todd Short * f550eca Add client early traffic secret storage - Todd Short/Todd Short * 1b787ae Quick fix: s2c to c2s for early secret - Todd Short/Todd Short * f97e6a9 Don't process an incomplete message - Todd Short/Todd Short * 81f0ce2 Reset init state in SSL_process_quic_post_handshake() - Todd Short/Todd Short * 5d59cf9 Fix quic_transport constructors/parsers - Todd Short/Todd Short * 5e5f91c Fix INSTALL nit. - Todd Short/Todd Short * bd290ab Fix duplicate word in docs - Todd Short/Todd Short * 699590b fixup! Handle partial handshake messages - Todd Short/Todd Short * a472a8d Handle partial handshake messages - Todd Short/Todd Short * 363cf3d fixup! Use proper secrets for handshake - Todd Short/Todd Short * b03fee6 Use proper secrets for handshake - Todd Short/Todd Short * 2ab1aa0 Move QUIC transport params to encrypted extensions - Todd Short/Todd Short * 0d16af9 Make temp secret names less confusing - Todd Short/Todd Short * abb6f39 New method to get QUIC secret length - Todd Short/Todd Short * 05fdae9 Add support for BoringSSL QUIC APIs - Todd Short/Todd Short This adds a compatible API for BoringSSL's QUIC support, based on the current |draft-ietf-quic-tls|. Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8 Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81 Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03 Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942 Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37 New method to get QUIC secret length Make temp secret names less confusing Move QUIC transport params to encrypted extensions Use proper secrets for handshake fixup! Use proper secrets for handshake Handle partial handshake messages fixup! Handle partial handshake messages Fix duplicate word in docs Fix INSTALL nit. Fix quic_transport constructors/parsers Reset init state in SSL_process_quic_post_handshake() Don't process an incomplete message Quick fix: s2c to c2s for early secret Add client early traffic secret storage Add OPENSSL_NO_QUIC wrapper Correctly disable middlebox compat Move QUIC code out of tls13_change_cipher_state() Create quic_change_cipher_state() that does the minimal required to generate the QUIC secrets. (e.g. encryption contexts are not initialized). Tweeks to quic_change_cipher_state() Add support for more secrets Fix resumption secret (cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d) QUIC: Handle EndOfEarlyData and MaxEarlyData QUIC: Increase HKDF_MAXBUF to 2048 Fall-through for 0RTT Some cleanup for the main QUIC changes Try to reduce unneeded whitespace changes and wrap new code to 80 columns. Reword documentation to attempt to improve clarity. Add some more sanity checks and clarifying comments to the code. Update referenced I-D versions. Prevent KeyUpdate for QUIC QUIC does not use the TLS KeyUpdate message/mechanism, and indeed it is an error to generate or receive such a message. Add the necessary checks (noting that the check for receipt should be redundant since SSL_provide_quic_data() is the only way to provide input to the TLS layer for a QUIC connection). Test KeyUpdate rejection For now, just test that we don't generate any, since we don't really expose the mechanics for encrypting one and the QUIC API is not integrated into the TLSProxy setup. Fix out-of-bounds read when TLS msg is split up into multiple chunks Previously, SSL_provide_quic_data tried to handle this kind of situation, but it failed when the length of input data is less than SSL3_HM_HEADER_LENGTH. If that happens, the code might get wrong message length by reading value from out-of-bounds region. Revert "Fix out-of-bounds read when TLS msg is split up into multiple chunks" This reverts commit 18f993cbdae498111c94a075fd9b115bd8367574. Test HKDF with empty IKM Add an extra EVP test that provides empty input key material. It currently fails, since attempting to set a zero-length key on an EVP_PKEY_CTX results in a call to OPENSSL_memdup() with length zero, which returns NULL and is detected as failure. Allow zero-length HKDF keys When making a copy to keep in the EVP_PKEY_CTX, allocate a single byte for the cached key instead of letting memdup return NULL and cause the call to fail. The length still gets set to zero properly, so we don't end up inspecting the allocated byte, but it's important to have a non-NULL pointer set. Buffer all provided quic data Make all data supplied via SSL_provide_quic_data() pass through an internal buffer, so that we can handle data supplied with arbitrary framing and only parse complete TLS records onto the list of QUIC_DATA managed by quic_input_data_head/quic_input_data_tail. This lets us remove the concept of "incomplete" QUIC_DATA structures, and the 'offset' field needed to support them. However, we've already moved the provided data onto the buffer by the time we can check for KeyUpdate messages, so defer that check to quic_get_message() (where it is adjacent to the preexisting ChangeCipherSpec check). To avoid extra memory copies, we also make the QUIC_DATA structures just store offsets into the consolidated buffer instead of having copies of the TLS handshake messages themselves. enforce consistent encryption level for handshake messages The QUIC-TLS spec requires that TLS handshake messages do not cross encryption level boundaries, but we were not previously enforcing this. PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
PR-URL: #34033 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl/include/crypto/bn_conf.h $ git add deps/openssl/openssl/include/crypto/dso_conf.h $ git add deps/openssl/openssl/include/openssl/opensslconf.h $ git commit PR-URL: #36520 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com>
targos
removed
the
commit-queue-failed
Lots of different commits here
tarball for update: https://www.openssl.org/source/openssl-1.1.1i.tar.gz
akamai fork: https://github.com/akamai/openssl/tree/OpenSSL_1_1_1i-quic
/cc @nodejs/crypto