packages/nodejs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!117 Update to 18.16.0 LTS

Browse Source 
From: @misaka00251 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2023-07-12 06:45:31 +00:00 committed by Gitee
commit 681df3da76
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
15 changed files with 63 additions and 1776 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
0001-Disable-running-gyp-on-shared-deps.patch
View File

@ -1,29 +0,0 @@
From dd952f69bcbf0a9947a0629e44c49003dcb9f77f Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH 1/2] Disable running gyp on shared deps
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 688ebc550e9d6677f468bb791b5d06d5507d3ab5..b34b49db53a4b0cb4a3867921f5c6fb71ae34bf1 100644
--- a/Makefile
+++ b/Makefile
@@ -145,11 +145,11 @@ endif
.PHONY: test-code-cache
with-code-cache test-code-cache:
$(warning '$@' target is a noop)
out/Makefile: config.gypi common.gypi node.gyp \
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
+ deps/llhttp/llhttp.gyp \
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
# node_version.h is listed because the N-API version is taken from there
--
2.34.1

25
0001-Use-system-uv-zlib.patch Normal file
View File

@ -0,0 +1,25 @@
From 114ef2bb6ce7712a9b6be0593d38e6a8874f8b67 Mon Sep 17 00:00:00 2001
From: misaka00251 <liuxin@iscas.ac.cn>
Date: Mon, 22 May 2023 21:44:32 +0800
Subject: [PATCH] Use system uv & zlib
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 0be0659d..3c442014 100644
--- a/Makefile
+++ b/Makefile
@@ -169,7 +169,7 @@ with-code-cache test-code-cache:
$(warning '$@' target is a noop)
out/Makefile: config.gypi common.gypi node.gyp \
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
+ deps/llhttp/llhttp.gyp \
deps/simdutf/simdutf.gyp deps/ada/ada.gyp \
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
--
2.39.2 (Apple Git-143)

91
0002-Install-both-binaries-and-use-libdir.patch
View File

@ -1,91 +0,0 @@
From a1c35106e7e9ab3d4a01779079cf9788a2fe777a Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
Date: Tue, 19 Mar 2019 23:22:40 -0400
Subject: [PATCH 2/2] Install both binaries and use libdir.
This allows us to build with a shared library for other users while
still providing the normal executable.
Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
configure.py | 7 +++++++
tools/install.py | 21 +++++++++------------
2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/configure.py b/configure.py
index 47137d8912dd1439962127a3c1f417eb78572021..c59037a39fcefdfe173d16a7aa9622a32a3c29e7 100755
--- a/configure.py
+++ b/configure.py
@@ -731,10 +731,16 @@ parser.add_argument('--shared',
dest='shared',
default=None,
help='compile shared library for embedding node in another project. ' +
'(This mode is not officially supported for regular applications)')
+parser.add_argument('--libdir',
+ action='store',
+ dest='libdir',
+ default='lib',
+ help='a directory to install the shared library into')
+
parser.add_argument('--without-v8-platform',
action='store_true',
dest='without_v8_platform',
default=False,
help='do not initialize v8 platform during node.js startup. ' +
@@ -1332,10 +1338,11 @@ def configure_node(o):
o['variables']['debug_nghttp2'] = 'false'
o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
o['variables']['node_shared'] = b(options.shared)
+ o['variables']['libdir'] = options.libdir
node_module_version = getmoduleversion.get_version()
if options.dest_os == 'android':
shlib_suffix = 'so'
elif sys.platform == 'darwin':
diff --git a/tools/install.py b/tools/install.py
index eafcb19bf8b29f87c39b0fe7d3c3fd2d175a7b7b..71b5371578711fcc9a1b80069850f0b61bdfebe2 100755
--- a/tools/install.py
+++ b/tools/install.py
@@ -128,26 +128,23 @@ def subdir_files(path, dest, action):
for subdir, files_in_path in ret.items():
action(files_in_path, subdir + '/')
def files(action):
is_windows = sys.platform == 'win32'
- output_file = 'node'
output_prefix = 'out/Release/'
+ output_libprefix = output_prefix
- if 'false' == variables.get('node_shared'):
- if is_windows:
- output_file += '.exe'
+ if is_windows:
+ output_bin = 'node.exe'
+ output_lib = 'node.dll'
else:
- if is_windows:
- output_file += '.dll'
- else:
- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix')
+ output_bin = 'node'
+ output_lib = 'libnode.' + variables.get('shlib_suffix')
- if 'false' == variables.get('node_shared'):
- action([output_prefix + output_file], 'bin/' + output_file)
- else:
- action([output_prefix + output_file], 'lib/' + output_file)
+ action([output_prefix + output_bin], 'bin/' + output_bin)
+ if 'true' == variables.get('node_shared'):
+ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
if 'true' == variables.get('node_use_dtrace'):
action(['out/Release/node.d'], 'lib/dtrace/node.d')
# behave similarly for systemtap
--
2.34.1

25
0003-Make-AARCH64-compile-on-64KB-physical-pages.patch
View File

@ -1,25 +0,0 @@
From 5505740fae0a3fae384d8dec817ecd8c43c6dd23 Mon Sep 17 00:00:00 2001
From: hht8 <huanghaitao12138@163.com>
Date: Mon, 4 Jan 2021 09:14:35 +0800
Subject: [PATCH] Make AARCH64 compile on 64KB physical pages
---
deps/v8/src/base/build_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deps/v8/src/base/build_config.h b/deps/v8/src/base/build_config.h
index d7a0c9f3..1625cfe5 100644
--- a/deps/v8/src/base/build_config.h
+++ b/deps/v8/src/base/build_config.h
@@ -227,7 +227,7 @@ constexpr int kReturnAddressStackSlotCount =
V8_TARGET_ARCH_STORES_RETURN_ADDRESS_ON_STACK ? 1 : 0;
// Number of bits to represent the page size for paged spaces.
-#if defined(V8_TARGET_ARCH_PPC) || defined(V8_TARGET_ARCH_PPC64)
+#if defined(V8_TARGET_ARCH_PPC) || defined(V8_TARGET_ARCH_PPC64) || defined(V8_TARGET_ARCH_ARM64)
// PPC has large (64KB) physical pages.
const int kPageSizeBits = 19;
#elif defined(ENABLE_HUGEPAGE)
--
2.31.1

168
0004-Support-openssl3.patch
View File

@ -1,168 +0,0 @@
From 219e4f9e635a3cba0650f9f985b645c67f83d332 Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Sat, 16 Oct 2021 08:50:16 +0200
Subject: [PATCH] src: add --openssl-legacy-provider option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit adds an option to Node.js named --openssl-legacy-provider
and if specified will load OpenSSL 3.0 Legacy provider when dynamically
linking Node.js v16.x with OpenSSL 3.0.
Building:
$ ./configure --shared-openssl \
--shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
--shared-openssl-includes=/path/openssl_quic-3.0/include \
--shared-openssl-libname=crypto,ssl
$ make -j8
Verify options is available:
$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
Usage:
$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
_options: undefined,
[Symbol(kHandle)]: Hash {},
[Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
Fixes: https://github.com/nodejs/node/issues/40948
Refs: https://github.com/nodejs/node/issues/40455
PR-URL: https://github.com/nodejs/node/pull/40478
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
---
doc/api/cli.md | 11 +++++++++++
src/crypto/crypto_util.cc | 10 ++++++++++
src/node_options.cc | 3 +++
src/node_options.h | 7 +++++++
.../test-process-env-allowed-flags-are-documented.js | 5 +++++
5 files changed, 36 insertions(+)
diff --git a/doc/api/cli.md b/doc/api/cli.md
index 475894d7c0e4..380a220b7cf8 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -732,6 +732,15 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.
+### `--openssl-legacy-provider`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable OpenSSL 3.0 legacy provider when dynamically linking to OpenSSL 3.x.
+For more information please see [OSSL\_PROVIDER-legacy][OSSL_PROVIDER-legacy].
+
### `--pending-deprecation`
<!-- YAML
@@ -1592,6 +1601,7 @@ Node.js options that are allowed are:
* `--no-warnings`
* `--node-memory-debug`
* `--openssl-config`
+* `--openssl-legacy-provider`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
@@ -1952,6 +1962,7 @@ $ node --max-old-space-size=1536 index.js
[ECMAScript module loader]: esm.md#loaders
[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
[Modules loaders]: packages.md#modules-loaders
+[OSSL_PROVIDER-legacy]: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
[REPL]: repl.md
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
[Source Map]: https://sourcemaps.info/spec.html
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index e1ef170a9f17..e93edd4b2fc9 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -148,6 +148,16 @@ void InitCryptoOnce() {
}
#endif
+#if OPENSSL_VERSION_MAJOR >= 3
+ // --openssl-legacy-provider
+ if (per_process::cli_options->openssl_legacy_provider) {
+ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
+ if (legacy_provider == nullptr) {
+ fprintf(stderr, "Unable to load legacy provider.\n");
+ }
+ }
+#endif
+
OPENSSL_init_ssl(0, settings);
OPENSSL_INIT_free(settings);
settings = nullptr;
diff --git a/src/node_options.cc b/src/node_options.cc
index 3192faaddaf4..296fed02b8d4 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -5,6 +5,9 @@
#include "node_binding.h"
#include "node_external_reference.h"
#include "node_internals.h"
+#if HAVE_OPENSSL
+#include "openssl/opensslv.h"
+#endif
#include <errno.h>
#include <sstream>
diff --git a/src/node_options.h b/src/node_options.h
index 40d1c0260581..07bf24489874 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -11,6 +11,10 @@
#include "node_mutex.h"
#include "util.h"
+#if HAVE_OPENSSL
+#include "openssl/opensslv.h"
+#endif
+
namespace node {
class HostPort {
@@ -252,6 +256,9 @@ class PerProcessOptions : public Options {
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
#endif
+#if OPENSSL_VERSION_MAJOR >= 3
+ bool openssl_legacy_provider = false;
+#endif
// Per-process because reports can be triggered outside a known V8 context.
bool report_on_fatalerror = false;
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
index a2738f08e2fd..f4dd77e075b8 100644
--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
}
}
+if (!common.hasOpenSSL3) {
+ documented.delete('--openssl-legacy-provider');
+}
+
// Filter out options that are conditionally present.
const conditionalOpts = [
{
@@ -50,6 +54,7 @@ const conditionalOpts = [
filter: (opt) => {
return [
'--openssl-config',
+ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',

805
CVE-2022-4304.patch
View File

@ -1,805 +0,0 @@
From 4fb3bad1bc80e46aa8a6e873f8888e5f1137eca4 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 22 Feb 2023 19:25:11 +0800
Subject: [PATCH 1/1] Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
deps/openssl/openssl/crypto/bn/bn_blind.c | 14 -
deps/openssl/openssl/crypto/bn/bn_err.c | 2 +
deps/openssl/openssl/crypto/bn/bn_local.h | 14 +
deps/openssl/openssl/crypto/bn/build.info | 3 +-
deps/openssl/openssl/crypto/bn/rsa_sup_mul.c | 614 +++++++++++++++++++
deps/openssl/openssl/crypto/err/openssl.txt | 3 +-
deps/openssl/openssl/crypto/rsa/rsa_ossl.c | 17 +-
deps/openssl/openssl/include/crypto/bn.h | 5 +
deps/openssl/openssl/include/openssl/bnerr.h | 1 +
9 files changed, 653 insertions(+), 20 deletions(-)
create mode 100644 deps/openssl/openssl/crypto/bn/rsa_sup_mul.c
diff --git a/deps/openssl/openssl/crypto/bn/bn_blind.c b/deps/openssl/openssl/crypto/bn/bn_blind.c
index 76fc7ebc..6e9d2393 100644
--- a/deps/openssl/openssl/crypto/bn/bn_blind.c
+++ b/deps/openssl/openssl/crypto/bn/bn_blind.c
@@ -13,20 +13,6 @@
#define BN_BLINDING_COUNTER 32
-struct bn_blinding_st {
- BIGNUM *A;
- BIGNUM *Ai;
- BIGNUM *e;
- BIGNUM *mod; /* just a reference */
- CRYPTO_THREAD_ID tid;
- int counter;
- unsigned long flags;
- BN_MONT_CTX *m_ctx;
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
- CRYPTO_RWLOCK *lock;
-};
-
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
{
BN_BLINDING *ret = NULL;
diff --git a/deps/openssl/openssl/crypto/bn/bn_err.c b/deps/openssl/openssl/crypto/bn/bn_err.c
index dd87c152..3dd8d9a5 100644
--- a/deps/openssl/openssl/crypto/bn/bn_err.c
+++ b/deps/openssl/openssl/crypto/bn/bn_err.c
@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
+ "ossl_bn_rsa_do_unblind"},
{0, NULL}
};
diff --git a/deps/openssl/openssl/crypto/bn/bn_local.h b/deps/openssl/openssl/crypto/bn/bn_local.h
index 8ad69ccd..09651353 100644
--- a/deps/openssl/openssl/crypto/bn/bn_local.h
+++ b/deps/openssl/openssl/crypto/bn/bn_local.h
@@ -263,6 +263,20 @@ struct bn_gencb_st {
} cb;
};
+struct bn_blinding_st {
+ BIGNUM *A;
+ BIGNUM *Ai;
+ BIGNUM *e;
+ BIGNUM *mod; /* just a reference */
+ CRYPTO_THREAD_ID tid;
+ int counter;
+ unsigned long flags;
+ BN_MONT_CTX *m_ctx;
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+ CRYPTO_RWLOCK *lock;
+};
+
/*-
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
*
diff --git a/deps/openssl/openssl/crypto/bn/build.info b/deps/openssl/openssl/crypto/bn/build.info
index b9ed5322..c9fe2fda 100644
--- a/deps/openssl/openssl/crypto/bn/build.info
+++ b/deps/openssl/openssl/crypto/bn/build.info
@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
{- $target{bn_asm_src} -} \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
+ rsa_sup_mul.c
INCLUDE[bn_exp.o]=..
diff --git a/deps/openssl/openssl/crypto/bn/rsa_sup_mul.c b/deps/openssl/openssl/crypto/bn/rsa_sup_mul.c
new file mode 100644
index 00000000..acafefd5
--- /dev/null
+++ b/deps/openssl/openssl/crypto/bn/rsa_sup_mul.c
@@ -0,0 +1,614 @@
+#include <openssl/e_os2.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/rsaerr.h>
+#include "internal/numbers.h"
+#include "internal/constant_time.h"
+#include "bn_local.h"
+
+# if BN_BYTES == 8
+typedef uint64_t limb_t;
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
+/* nonstandard; implemented by gcc on 64-bit platforms */
+typedef __uint128_t limb2_t;
+# define HAVE_LIMB2_T
+# endif
+# define LIMB_BIT_SIZE 64
+# define LIMB_BYTE_SIZE 8
+# elif BN_BYTES == 4
+typedef uint32_t limb_t;
+typedef uint64_t limb2_t;
+# define LIMB_BIT_SIZE 32
+# define LIMB_BYTE_SIZE 4
+# define HAVE_LIMB2_T
+# else
+# error "Not supported"
+# endif
+
+/*
+ * For multiplication we're using schoolbook multiplication,
+ * so if we have two numbers, each with 6 "digits" (words)
+ * the multiplication is calculated as follows:
+ * A B C D E F
+ * x I J K L M N
+ * --------------
+ * N*F
+ * N*E
+ * N*D
+ * N*C
+ * N*B
+ * N*A
+ * M*F
+ * M*E
+ * M*D
+ * M*C
+ * M*B
+ * M*A
+ * L*F
+ * L*E
+ * L*D
+ * L*C
+ * L*B
+ * L*A
+ * K*F
+ * K*E
+ * K*D
+ * K*C
+ * K*B
+ * K*A
+ * J*F
+ * J*E
+ * J*D
+ * J*C
+ * J*B
+ * J*A
+ * I*F
+ * I*E
+ * I*D
+ * I*C
+ * I*B
+ * + I*A
+ * ==========================
+ * N*B N*D N*F
+ * + N*A N*C N*E
+ * + M*B M*D M*F
+ * + M*A M*C M*E
+ * + L*B L*D L*F
+ * + L*A L*C L*E
+ * + K*B K*D K*F
+ * + K*A K*C K*E
+ * + J*B J*D J*F
+ * + J*A J*C J*E
+ * + I*B I*D I*F
+ * + I*A I*C I*E
+ *
+ * 1+1 1+3 1+5
+ * 1+0 1+2 1+4
+ * 0+1 0+3 0+5
+ * 0+0 0+2 0+4
+ *
+ * 0 1 2 3 4 5 6
+ * which requires n^2 multiplications and 2n full length additions
+ * as we can keep every other result of limb multiplication in two separate
+ * limbs
+ */
+
+#if defined HAVE_LIMB2_T
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+{
+ limb2_t t;
+ /*
+ * this is idiomatic code to tell compiler to use the native mul
+ * those three lines will actually compile to single instruction
+ */
+
+ t = (limb2_t)a * b;
+ *hi = t >> LIMB_BIT_SIZE;
+ *lo = (limb_t)t;
+}
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
+#pragma intrinsic(_umul128)
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+{
+ *lo = _umul128(a, b, hi);
+}
+#else
+/*
+ * if the compiler doesn't have either a 128bit data type nor a "return
+ * high 64 bits of multiplication"
+ */
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+{
+ limb_t a_low = (limb_t)(uint32_t)a;
+ limb_t a_hi = a >> 32;
+ limb_t b_low = (limb_t)(uint32_t)b;
+ limb_t b_hi = b >> 32;
+
+ limb_t p0 = a_low * b_low;
+ limb_t p1 = a_low * b_hi;
+ limb_t p2 = a_hi * b_low;
+ limb_t p3 = a_hi * b_hi;
+
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
+
+ *lo = p0 + (p1 << 32) + (p2 << 32);
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
+}
+#endif
+
+/* add two limbs with carry in, return carry out */
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
+{
+ limb_t carry1, carry2, t;
+ /*
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
+ * use add with carry on assembly level
+ */
+
+ *ret = a + carry;
+ if (*ret < a)
+ carry1 = 1;
+ else
+ carry1 = 0;
+
+ t = *ret;
+ *ret = t + b;
+ if (*ret < t)
+ carry2 = 1;
+ else
+ carry2 = 0;
+
+ return carry1 + carry2;
+}
+
+/*
+ * add two numbers of the same size, return overflow
+ *
+ * add a to b, place result in ret; all arrays need to be n limbs long
+ * return overflow from addition (0 or 1)
+ */
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
+{
+ limb_t c = 0;
+ ossl_ssize_t i;
+
+ for(i = n - 1; i > -1; i--)
+ c = _add_limb(&ret[i], a[i], b[i], c);
+
+ return c;
+}
+
+/*
+ * return number of limbs necessary for temporary values
+ * when multiplying numbers n limbs large
+ */
+static ossl_inline size_t mul_limb_numb(size_t n)
+{
+ return 2 * n * 2;
+}
+
+/*
+ * multiply two numbers of the same size
+ *
+ * multiply a by b, place result in ret; a and b need to be n limbs long
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
+ * long
+ */
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
+{
+ limb_t *r_odd, *r_even;
+ size_t i, j, k;
+
+ r_odd = tmp;
+ r_even = &tmp[2 * n];
+
+ memset(ret, 0, 2 * n * sizeof(limb_t));
+
+ for (i = 0; i < n; i++) {
+ for (k = 0; k < i + n + 1; k++) {
+ r_even[k] = 0;
+ r_odd[k] = 0;
+ }
+ for (j = 0; j < n; j++) {
+ /*
+ * place results from even and odd limbs in separate arrays so that
+ * we don't have to calculate overflow every time we get individual
+ * limb multiplication result
+ */
+ if (j % 2 == 0)
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
+ else
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
+ }
+ /*
+ * skip the least significant limbs when adding multiples of
+ * more significant limbs (they're zero anyway)
+ */
+ add(ret, ret, r_even, n + i + 1);
+ add(ret, ret, r_odd, n + i + 1);
+ }
+}
+
+/* modifies the value in place by performing a right shift by one bit */
+static ossl_inline void rshift1(limb_t *val, size_t n)
+{
+ limb_t shift_in = 0, shift_out = 0;
+ size_t i;
+
+ for (i = 0; i < n; i++) {
+ shift_out = val[i] & 1;
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
+ shift_in = shift_out;
+ }
+}
+
+/* extend the LSB of flag to all bits of limb */
+static ossl_inline limb_t mk_mask(limb_t flag)
+{
+ flag |= flag << 1;
+ flag |= flag << 2;
+ flag |= flag << 4;
+ flag |= flag << 8;
+ flag |= flag << 16;
+#if (LIMB_BYTE_SIZE == 8)
+ flag |= flag << 32;
+#endif
+ return flag;
+}
+
+/*
+ * copy from either a or b to ret based on flag
+ * when flag == 0, then copies from b
+ * when flag == 1, then copies from a
+ */
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
+{
+ /*
+ * would be more efficient with non volatile mask, but then gcc
+ * generates code with jumps
+ */
+ volatile limb_t mask;
+ size_t i;
+
+ mask = mk_mask(flag);
+ for (i = 0; i < n; i++) {
+#if (LIMB_BYTE_SIZE == 8)
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
+#else
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
+#endif
+ }
+}
+
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
+{
+ limb_t borrow1, borrow2, t;
+ /*
+ * while it doesn't look constant-time, this is idiomatic code
+ * to tell compilers to use the carry bit from subtraction
+ */
+
+ *ret = a - borrow;
+ if (*ret > a)
+ borrow1 = 1;
+ else
+ borrow1 = 0;
+
+ t = *ret;
+ *ret = t - b;
+ if (*ret > t)
+ borrow2 = 1;
+ else
+ borrow2 = 0;
+
+ return borrow1 + borrow2;
+}
+
+/*
+ * place the result of a - b into ret, return the borrow bit.
+ * All arrays need to be n limbs long
+ */
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
+{
+ limb_t borrow = 0;
+ ossl_ssize_t i;
+
+ for (i = n - 1; i > -1; i--)
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
+
+ return borrow;
+}
+
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
+{
+ return (anum + modnum) * 3;
+}
+
+/*
+ * calculate a % mod, place the result in ret
+ * size of a is defined by anum, size of ret and mod is modnum,
+ * size of tmp is returned by mod_limb_numb()
+ */
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
+ size_t modnum, limb_t *tmp)
+{
+ limb_t *atmp, *modtmp, *rettmp;
+ limb_t res;
+ size_t i;
+
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
+
+ atmp = tmp;
+ modtmp = &tmp[anum + modnum];
+ rettmp = &tmp[(anum + modnum) * 2];
+
+ for (i = modnum; i <modnum + anum; i++)
+ atmp[i] = a[i-modnum];
+
+ for (i = 0; i < modnum; i++)
+ modtmp[i] = mod[i];
+
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
+ rshift1(modtmp, anum + modnum);
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
+ }
+
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
+}
+
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
+{
+ return 2 * (anum + 1);
+}
+
+/* multiply a by m, add to ret, return carry */
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
+ limb_t m, limb_t *tmp)
+{
+ limb_t carry = 0;
+ limb_t *r_odd, *r_even;
+ size_t i;
+
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
+
+ r_odd = tmp;
+ r_even = &tmp[anum + 1];
+
+ for (i = 0; i < anum; i++) {
+ /*
+ * place the results from even and odd limbs in separate arrays
+ * so that we have to worry about carry just once
+ */
+ if (i % 2 == 0)
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
+ else
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
+ }
+ /* assert: add() carry here will be equal zero */
+ add(r_even, r_even, r_odd, anum + 1);
+ /*
+ * while here it will not overflow as the max value from multiplication
+ * is -2 while max overflow from addition is 1, so the max value of
+ * carry is -1 (i.e. max int)
+ */
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
+
+ return carry;
+}
+
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
+{
+ return modnum * 2 + _mul_add_limb_numb(modnum);
+}
+
+/*
+ * calculate a % mod, place result in ret
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
+ * smallest power of two big enough to fit mod and that's also a power
+ * of the count of number of bits in limb_t (B).
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
+ * anum must be <= 2 * modnum
+ * ret needs to be modnum words long
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
+ */
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
+ size_t modnum, limb_t ni0, limb_t *tmp)
+{
+ limb_t carry, v;
+ limb_t *res, *rp, *tmp2;
+ ossl_ssize_t i;
+
+ res = tmp;
+ /*
+ * for intermediate result we need an integer twice as long as modulus
+ * but keep the input in the least significant limbs
+ */
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
+ rp = &res[modnum];
+ tmp2 = &res[modnum * 2];
+
+ carry = 0;
+
+ /* add multiples of the modulus to the value until R divides it cleanly */
+ for (i = modnum; i > 0; i--, rp--) {
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
+ v = v + carry + rp[-1];
+ carry |= (v != rp[-1]);
+ carry &= (v <= rp[-1]);
+ rp[-1] = v;
+ }
+
+ /* perform the final reduction by mod... */
+ carry -= sub(ret, rp, mod, modnum);
+
+ /* ...conditionally */
+ cselect(carry, ret, rp, ret, modnum);
+}
+
+/* allocated buffer should be freed afterwards */
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
+{
+ int i;
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+ limb_t *ptr = buf + (limbs - real_limbs);
+
+ for (i = 0; i < real_limbs; i++)
+ ptr[i] = bn->d[real_limbs - i - 1];
+}
+
+#if LIMB_BYTE_SIZE == 8
+static ossl_inline uint64_t be64(uint64_t host)
+{
+ const union {
+ long one;
+ char little;
+ } is_endian = { 1 };
+
+ if (is_endian.little) {
+ uint64_t big = 0;
+
+ big |= (host & 0xff00000000000000) >> 56;
+ big |= (host & 0x00ff000000000000) >> 40;
+ big |= (host & 0x0000ff0000000000) >> 24;
+ big |= (host & 0x000000ff00000000) >> 8;
+ big |= (host & 0x00000000ff000000) << 8;
+ big |= (host & 0x0000000000ff0000) << 24;
+ big |= (host & 0x000000000000ff00) << 40;
+ big |= (host & 0x00000000000000ff) << 56;
+ return big;
+ } else {
+ return host;
+ }
+}
+
+#else
+/* Not all platforms have htobe32(). */
+static ossl_inline uint32_t be32(uint32_t host)
+{
+ const union {
+ long one;
+ char little;
+ } is_endian = { 1 };
+
+ if (is_endian.little) {
+ uint32_t big = 0;
+
+ big |= (host & 0xff000000) >> 24;
+ big |= (host & 0x00ff0000) >> 8;
+ big |= (host & 0x0000ff00) << 8;
+ big |= (host & 0x000000ff) << 24;
+ return big;
+ } else {
+ return host;
+ }
+}
+#endif
+
+/*
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
+ * similar to BN_BLINDING_invert_ex() arguments.
+ * to_mod is RSA modulus.
+ * buf and num is the serialization buffer and its length.
+ *
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
+ */
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
+ const BN_BLINDING *blinding,
+ const BIGNUM *possible_arg2,
+ const BIGNUM *to_mod, BN_CTX *ctx,
+ unsigned char *buf, int num)
+{
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
+ size_t l_tmp_count = 0;
+ int ret = 0;
+ size_t i;
+ unsigned char *tmp;
+ const BIGNUM *arg1 = intermediate;
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
+
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
+
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
+ goto err;
+
+ BN_to_limb(arg1, l_im, l_size);
+ BN_to_limb(arg2, l_mul, l_size);
+ BN_to_limb(to_mod, l_mod, l_mod_count);
+
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
+
+ if (blinding->m_ctx != NULL) {
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
+ } else {
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
+ }
+
+ if ((l_ret == NULL) || (l_tmp == NULL))
+ goto err;
+
+ if (blinding->m_ctx != NULL) {
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
+ blinding->m_ctx->n0[0], l_tmp);
+ } else {
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
+ }
+
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
+ if (num < BN_num_bytes(to_mod)) {
+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
+ goto err;
+ }
+
+ memset(buf, 0, num);
+ tmp = buf + num - BN_num_bytes(to_mod);
+ for (i = 0; i < l_mod_count; i++) {
+#if LIMB_BYTE_SIZE == 8
+ l_buf = be64(l_ret[i]);
+#else
+ l_buf = be32(l_ret[i]);
+#endif
+ if (i == 0) {
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
+
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
+ tmp += delta;
+ } else {
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
+ tmp += LIMB_BYTE_SIZE;
+ }
+ }
+ ret = num;
+
+ err:
+ OPENSSL_free(l_im);
+ OPENSSL_free(l_mul);
+ OPENSSL_free(l_mod);
+ OPENSSL_free(l_tmp);
+ OPENSSL_free(l_ret);
+
+ return ret;
+}
diff --git a/deps/openssl/openssl/crypto/err/openssl.txt b/deps/openssl/openssl/crypto/err/openssl.txt
index 902e97b8..e0f0ab7c 100644
--- a/deps/openssl/openssl/crypto/err/openssl.txt
+++ b/deps/openssl/openssl/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
BN_F_BN_SET_WORDS:144:bn_set_words
BN_F_BN_STACK_PUSH:148:BN_STACK_push
BN_F_BN_USUB:115:BN_usub
+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c
index b52a66f6..6c3c0cf7 100644
--- a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c
+++ b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c
@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BN_free(d);
}
- if (blinding)
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
+ if (blinding) {
+ /*
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
+ * 0-padded BN BE serialization
+ */
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
+ buf, num);
+ if (j == 0)
goto err;
-
- j = BN_bn2binpad(ret, buf, num);
+ } else {
+ j = BN_bn2binpad(ret, buf, num);
+ if (j < 0)
+ goto err;
+ }
switch (padding) {
case RSA_PKCS1_PADDING:
diff --git a/deps/openssl/openssl/include/crypto/bn.h b/deps/openssl/openssl/include/crypto/bn.h
index 60afda1d..b5f36fb2 100644
--- a/deps/openssl/openssl/include/crypto/bn.h
+++ b/deps/openssl/openssl/include/crypto/bn.h
@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
const BIGNUM *d, BN_CTX *ctx);
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
+ const BN_BLINDING *blinding,
+ const BIGNUM *possible_arg2,
+ const BIGNUM *to_mod, BN_CTX *ctx,
+ unsigned char *buf, int num);
#endif
diff --git a/deps/openssl/openssl/include/openssl/bnerr.h b/deps/openssl/openssl/include/openssl/bnerr.h
index 9f3c7cfa..a0752cea 100644
--- a/deps/openssl/openssl/include/openssl/bnerr.h
+++ b/deps/openssl/openssl/include/openssl/bnerr.h
@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
# define BN_F_BN_SET_WORDS 144
# define BN_F_BN_STACK_PUSH 148
# define BN_F_BN_USUB 115
+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
/*
* BN reason codes.
--
2.30.0

131
CVE-2022-43548-pre-1.patch
View File

@ -1,131 +0,0 @@
From 1aa5036c31ac2a9b2a2528af454675ad412f1464 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Fri, 27 May 2022 21:18:49 +0000
Subject: [PATCH] src: fix IPv4 validation in inspector_socket
Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/320
CVE-ID: CVE-2022-32212
---
src/inspector_socket.cc | 18 +++++--
test/cctest/test_inspector_socket.cc | 74 ++++++++++++++++++++++++++++
2 files changed, 87 insertions(+), 5 deletions(-)
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 1650c3fe01de..79b50e6a452d 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -164,14 +164,22 @@ static std::string TrimPort(const std::string& host) {
static bool IsIPAddress(const std::string& host) {
if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
return true;
- int quads = 0;
+ uint_fast16_t accum = 0;
+ uint_fast8_t quads = 0;
+ bool empty = true;
+ auto endOctet = [&accum, &quads, &empty](bool final = false) {
+ return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
+ (empty = true) && !(accum = 0);
+ };
for (char c : host) {
- if (c == '.')
- quads++;
- else if (!isdigit(c))
+ if (isdigit(c)) {
+ if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
+ empty = false;
+ } else if (c != '.' || !endOctet()) {
return false;
+ }
}
- return quads == 3;
+ return endOctet(true);
}
// Constants for hybi-10 frame format.
diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
index dc8cd962141e..c740d961d9b7 100644
--- a/test/cctest/test_inspector_socket.cc
+++ b/test/cctest/test_inspector_socket.cc
@@ -851,4 +851,78 @@ TEST_F(InspectorSocketTest, HostCheckedForUPGRADE) {
expect_failure_no_delegate(UPGRADE_REQUEST);
}
+TEST_F(InspectorSocketTest, HostIPChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 10.0.2.555:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostNegativeIPChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 10.0.-23.255:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpOctetOutOfIntRangeChecked) {
+ const std::string INVALID_HOST_IP_REQUEST =
+ "GET /json HTTP/1.1\r\n"
+ "Host: 127.0.0.4294967296:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpOctetFarOutOfIntRangeChecked) {
+ const std::string INVALID_HOST_IP_REQUEST =
+ "GET /json HTTP/1.1\r\n"
+ "Host: 127.0.0.18446744073709552000:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetStartChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: .0.0.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetMidChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 127..0.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetEndChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 127.0.0.:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpTooFewOctetsChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 127.0.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 127.0.0.0.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
} // anonymous namespace

48
CVE-2022-43548-pre-2.patch
View File

@ -1,48 +0,0 @@
From b358fb27a4253c6827378a64163448c04301e19c Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Wed, 13 Jul 2022 13:20:22 -0300
Subject: [PATCH] src: fix IPv4 non routable validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/337
CVE-ID: CVE-2022-32212, CVE-2018-7160
---
src/inspector_socket.cc | 1 +
test/cctest/test_inspector_socket.cc | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 79b50e6a452d..ab1cdf1fa5bd 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -164,6 +164,7 @@ static std::string TrimPort(const std::string& host) {
static bool IsIPAddress(const std::string& host) {
if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
return true;
+ if (host.front() == '0') return false;
uint_fast16_t accum = 0;
uint_fast8_t quads = 0;
bool empty = true;
diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
index c740d961d9b7..6ae92c4b27e2 100644
--- a/test/cctest/test_inspector_socket.cc
+++ b/test/cctest/test_inspector_socket.cc
@@ -925,4 +925,12 @@ TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
expect_handshake_failure();
}
+TEST_F(InspectorSocketTest, HostIPNonRoutable) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 0.0.0.0:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
} // anonymous namespace

216
CVE-2022-43548.patch
View File

@ -1,216 +0,0 @@
From 2b433af094fb79cf80f086038b7f36342cb6826f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Sun, 25 Sep 2022 12:34:05 +0000
Subject: [PATCH] inspector: harden IP address validation again
Use inet_pton() to parse IP addresses, which restricts IP addresses
to a small number of well-defined formats. In particular, octal and
hexadecimal number formats are not allowed, and neither are leading
zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable.
Refs: https://hackerone.com/reports/1710652
CVE-ID: CVE-2022-43548
PR-URL: https://github.com/nodejs-private/node-private/pull/354
Reviewed-by: Michael Dawson <midawson@redhat.com>
Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-by: Rich Trott <rtrott@gmail.com>
---
src/inspector_socket.cc | 78 +++++++++++++++++++++------
test/cctest/test_inspector_socket.cc | 80 ++++++++++++++++++++++++++++
2 files changed, 142 insertions(+), 16 deletions(-)
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 8cabdaec2821..a28bd557c8ab 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -6,6 +6,7 @@
#include "openssl/sha.h" // Sha-1 hash
+#include <algorithm>
#include <cstring>
#include <map>
@@ -162,25 +163,70 @@ static std::string TrimPort(const std::string& host) {
}
static bool IsIPAddress(const std::string& host) {
- if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
- return true;
- if (host.front() == '0') return false;
- uint_fast16_t accum = 0;
- uint_fast8_t quads = 0;
- bool empty = true;
- auto endOctet = [&accum, &quads, &empty](bool final = false) {
- return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
- (empty = true) && !(accum = 0);
- };
- for (char c : host) {
- if (isdigit(c)) {
- if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
- empty = false;
- } else if (c != '.' || !endOctet()) {
+ // TODO(tniessen): add CVEs to the following bullet points
+ // To avoid DNS rebinding attacks, we are aware of the following requirements:
+ // * the host name must be an IP address,
+ // * the IP address must be routable, and
+ // * the IP address must be formatted unambiguously.
+
+ // The logic below assumes that the string is null-terminated, so ensure that
+ // we did not somehow end up with null characters within the string.
+ if (host.find('\0') != std::string::npos) return false;
+
+ // All IPv6 addresses must be enclosed in square brackets, and anything
+ // enclosed in square brackets must be an IPv6 address.
+ if (host.length() >= 4 && host.front() == '[' && host.back() == ']') {
+ // INET6_ADDRSTRLEN is the maximum length of the dual format (including the
+ // terminating null character), which is the longest possible representation
+ // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd
+ if (host.length() - 2 >= INET6_ADDRSTRLEN) return false;
+
+ // Annoyingly, libuv's implementation of inet_pton() deviates from other
+ // implementations of the function in that it allows '%' in IPv6 addresses.
+ if (host.find('%') != std::string::npos) return false;
+
+ // Parse the IPv6 address to ensure it is syntactically valid.
+ char ipv6_str[INET6_ADDRSTRLEN];
+ std::copy(host.begin() + 1, host.end() - 1, ipv6_str);
+ ipv6_str[host.length()] = '\0';
+ unsigned char ipv6[sizeof(struct in6_addr)];
+ if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false;
+
+ // The only non-routable IPv6 address is ::/128. It should not be necessary
+ // to explicitly reject it because it will still be enclosed in square
+ // brackets and not even macOS should make DNS requests in that case, but
+ // history has taught us that we cannot be careful enough.
+ // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and
+ // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses
+ // (other than ::/128) that represent non-routable IPv4 addresses. However,
+ // this translation assumes that the host is interpreted as an IPv6 address
+ // in the first place, at which point DNS rebinding should not be an issue.
+ if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) {
return false;
}
+
+ // It is a syntactically valid and routable IPv6 address enclosed in square
+ // brackets. No client should be able to misinterpret this.
+ return true;
}
- return endOctet(true);
+
+ // Anything not enclosed in square brackets must be an IPv4 address. It is
+ // important here that inet_pton() accepts only the so-called dotted-decimal
+ // notation, which is a strict subset of the so-called numbers-and-dots
+ // notation that is allowed by inet_aton() and inet_addr(). This subset does
+ // not allow hexadecimal or octal number formats.
+ unsigned char ipv4[sizeof(struct in_addr)];
+ if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false;
+
+ // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make
+ // DNS requests for this IP address, so we need to explicitly reject it. In
+ // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and
+ // Section 3.2.1.3 of RFC 1122).
+ // Note that inet_pton() stores the IPv4 address in network byte order.
+ if (ipv4[0] == 0) return false;
+
+ // It is a routable IPv4 address in dotted-decimal notation.
+ return true;
}
// Constants for hybi-10 frame format.
diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
index 6ae92c4b27e2..b351a23002c9 100644
--- a/test/cctest/test_inspector_socket.cc
+++ b/test/cctest/test_inspector_socket.cc
@@ -925,6 +925,54 @@ TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
expect_handshake_failure();
}
+TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetStartChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 08.1.1.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetMidChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 1.09.1.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetEndChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 1.1.1.009:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpLeadingZeroStartChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 01.1.1.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpLeadingZeroMidChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 1.1.001.1:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpLeadingZeroEndChecked) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: 1.1.1.01:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
TEST_F(InspectorSocketTest, HostIPNonRoutable) {
const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
"Host: 0.0.0.0:9229\r\n\r\n";
@@ -933,4 +981,36 @@ TEST_F(InspectorSocketTest, HostIPNonRoutable) {
expect_handshake_failure();
}
+TEST_F(InspectorSocketTest, HostIPv6NonRoutable) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: [::]:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIPv6NonRoutableDual) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: [::0.0.0.0]:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIPv4InSquareBrackets) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: [127.0.0.1]:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIPv6InvalidAbbreviation) {
+ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+ "Host: [:::1]:9229\r\n\r\n";
+ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+ INVALID_HOST_IP_REQUEST.length());
+ expect_handshake_failure();
+}
+
} // anonymous namespace

40
CVE-2022-4450.patch
View File

@ -1,40 +0,0 @@
From c39b0146144293a88abd73115bcfbd9d27af3897 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 22 Feb 2023 19:30:41 +0800
Subject: [PATCH 1/1] Avoid dangling ptrs in header and data params for PEM_read_bio_ex
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.
Thanks to Dawei Wang for reporting this issue.
Based on a proposed patch by Kurt Roeckx.
CVE-2022-4450
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
---
deps/openssl/openssl/crypto/pem/pem_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/deps/openssl/openssl/crypto/pem/pem_lib.c b/deps/openssl/openssl/crypto/pem/pem_lib.c
index 2de09359..173045be 100644
--- a/deps/openssl/openssl/crypto/pem/pem_lib.c
+++ b/deps/openssl/openssl/crypto/pem/pem_lib.c
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
*data = pem_malloc(len, flags);
if (*header == NULL || *data == NULL) {
pem_free(*header, flags, 0);
+ *header = NULL;
pem_free(*data, flags, 0);
+ *data = NULL;
goto end;
}
BIO_read(headerB, *header, headerlen);
--
2.30.0

106
CVE-2023-0215.patch
View File

@ -1,106 +0,0 @@
From c6ca9c4b78a6e88f3517e167ff6d498623bf296a Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 22 Feb 2023 19:06:45 +0800
Subject: [PATCH 1/1] Fix a UAF resulting from a bug in BIO_new_NDEF
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.
Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.
Thanks to Octavio Galland for reporting this issue.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
deps/openssl/openssl/crypto/asn1/bio_ndef.c | 39 +++++++++++++++++----
1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/deps/openssl/openssl/crypto/asn1/bio_ndef.c b/deps/openssl/openssl/crypto/asn1/bio_ndef.c
index 760e4846..f8d4b1b9 100644
--- a/deps/openssl/openssl/crypto/asn1/bio_ndef.c
+++ b/deps/openssl/openssl/crypto/asn1/bio_ndef.c
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
void *parg);
+/*
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
+ * On failure, NULL is returned and the input BIO is owned by the caller.
+ *
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
+ */
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
{
NDEF_SUPPORT *ndef_aux = NULL;
BIO *asn_bio = NULL;
const ASN1_AUX *aux = it->funcs;
ASN1_STREAM_ARG sarg;
+ BIO *pop_bio = NULL;
if (!aux || !aux->asn1_cb) {
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
out = BIO_push(asn_bio, out);
if (out == NULL)
goto err;
+ pop_bio = asn_bio;
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
+ goto err;
/*
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
- * needs.
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
+ * ASN1 structure needs.
*/
sarg.out = out;
sarg.ndef_bio = NULL;
sarg.boundary = NULL;
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
+ /*
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
+ * middle of some partially built, but not returned BIO chain.
+ */
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
+ /*
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
+ * clean up block
+ */
+ ndef_aux = NULL;
goto err;
+ }
+
+ /*
+ * We must not fail now because the callback has prepended additional
+ * BIOs to the chain
+ */
ndef_aux->val = val;
ndef_aux->it = it;
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
ndef_aux->boundary = sarg.boundary;
ndef_aux->out = out;
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
-
return sarg.ndef_bio;
err:
+ /* BIO_pop() is NULL safe */
+ (void)BIO_pop(pop_bio);
BIO_free(asn_bio);
OPENSSL_free(ndef_aux);
return NULL;
--
2.30.0

41
CVE-2023-0286.patch
View File

@ -1,41 +0,0 @@
From 2f177ac5e83391054c7b95ba697a6293c9b3c6bd Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 22 Feb 2023 17:47:37 +0800
Subject: [PATCH 1/1] CVE-2023-0286 Fix GENERAL_NAME_cmp for x400Address (1.1.1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
deps/openssl/openssl/crypto/x509v3/v3_genn.c | 2 +-
deps/openssl/openssl/include/openssl/x509v3.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps/openssl/openssl/crypto/x509v3/v3_genn.c b/deps/openssl/openssl/crypto/x509v3/v3_genn.c
index 87a5eff4..e54ddc55 100644
--- a/deps/openssl/openssl/crypto/x509v3/v3_genn.c
+++ b/deps/openssl/openssl/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
return -1;
switch (a->type) {
case GEN_X400:
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
break;
case GEN_EDIPARTY:
diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h
index 90fa3592..e61c0f29 100644
--- a/deps/openssl/openssl/include/openssl/x509v3.h
+++ b/deps/openssl/openssl/include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
OTHERNAME *otherName; /* otherName */
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;
--
2.30.0

BIN
icu4c-70_1-data-bin-l.zip → icu4c-72_1-data-bin-l.zip
View File

Binary file not shown.

BIN
node-v16.15.0.tar.gz → node-v18.16.0.tar.gz
View File

Binary file not shown.

114
nodejs.spec
View File

@ -1,62 +1,59 @@
%bcond_with bootstrap
%global baserelease 3
%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
%global nodejs_epoch 1
%global nodejs_major 16
%global nodejs_minor 15
%global nodejs_major 18
%global nodejs_minor 16
%global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_soversion 93
%global nodejs_soversion 108
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release %{baserelease}
%global nodejs_datadir %{_datarootdir}/nodejs
%global v8_epoch 2
%global v8_major 9
%global v8_minor 4
%global v8_build 146
%global v8_patch 24
%global v8_epoch 3
%global v8_major 10
%global v8_minor 2
%global v8_build 154
%global v8_patch 26
%global v8_abi %{v8_major}.%{v8_minor}
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
%global c_ares_major 1
%global c_ares_minor 18
%global c_ares_patch 1
%global c_ares_minor 19
%global c_ares_patch 0
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
%global http_parser_major 2
%global http_parser_minor 9
%global http_parser_patch 4
%global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
%global llhttp_major 6
%global llhttp_minor 0
%global llhttp_patch 4
%global llhttp_patch 10
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
%global libuv_major 1
%global libuv_minor 40
%global libuv_patch 0
%global libuv_minor 44
%global libuv_patch 2
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
%global nghttp2_major 1
%global nghttp2_minor 47
%global nghttp2_minor 52
%global nghttp2_patch 0
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
%global icu_major 70
%global icu_major 72
%global icu_minor 1
%global icu_version %{icu_major}.%{icu_minor}
%global icudatadir %{nodejs_datadir}/icudata
%{!?little_endian: %global little_endian %(%{__python3} -c "import sys;print (0 if sys.byteorder=='big' else 1)")}
# " this line just fixes syntax highlighting for vim that is confused by the above and continues literal
%global openssl_minimum 1:1.1.1
# OpenSSL3
%global openssl3_minimum 1:3.0.2
%global punycode_major 2
%global punycode_minor 1
%global punycode_patch 0
%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
%global npm_epoch 1
%global npm_major 8
%global npm_major 9
%global npm_minor 5
%global npm_patch 5
%global npm_patch 1
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
%global uvwasi_major 0
%global uvwasi_minor 0
%global uvwasi_patch 12
%global uvwasi_patch 15
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
%global histogram_major 0
%global histogram_minor 9
@ -77,40 +74,25 @@ Source0: https://nodejs.org/dist/v%{version}/node-v%{version}.tar.gz
Source1: npmrc
Source2: btest402.js
Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip
Source7: nodejs_native.attr
Source4: nodejs_native.attr
Patch0001: 0001-Disable-running-gyp-on-shared-deps.patch
Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
Patch0003: 0003-Make-AARCH64-compile-on-64KB-physical-pages.patch
Patch0004: 0004-Support-openssl3.patch
Patch0006: CVE-2022-43548-pre-1.patch
Patch0007: CVE-2022-43548-pre-2.patch
Patch0008: CVE-2022-43548.patch
Patch0009: CVE-2023-0286.patch
Patch0010: CVE-2023-0215.patch
Patch0011: CVE-2022-4304.patch
Patch0012: CVE-2022-4450.patch
Patch0: 0001-Use-system-uv-zlib.patch
BuildRequires: python3-devel python3-setuptools make
BuildRequires: zlib-devel python3-jinja2
BuildRequires: brotli-devel python3-unversioned-command
BuildRequires: gcc >= 8.3.0 jq
BuildRequires: gcc >= 8.3.0 jq
BuildRequires: gcc-c++ >= 8.3.0 unzip
BuildRequires: nodejs-packaging
BuildRequires: chrpath
BuildRequires: ninja-build
BuildRequires: libatomic
%if %{with bootstrap}
Provides: bundled(http-parser) = %{http_parser_version}
Provides: bundled(libuv) = %{libuv_version}
Provides: bundled(nghttp2) = %{nghttp2_version}
%else
BuildRequires: systemtap-sdt-devel
BuildRequires: libuv-devel >= 1:%{libuv_version}
Requires: libuv >= 1:%{libuv_version}
Provides: bundled(nghttp2) = %{nghttp2_version}
Provides: bundled(llhttp) = %{llhttp_version}
%endif
BuildRequires: openssl-devel >= %{openssl_minimum}
Requires: openssl >= %{openssl_minimum}
@ -130,6 +112,7 @@ Provides: bundled(v8) = %{v8_version}
Provides: bundled(icu) = %{icu_version}
Provides: bundled(uvwasi) = %{uvwasi_version}
Provides: bundled(histogram) = %{histogram_version}
Provides: bundled(ada) = 1.0.4
Requires: (nodejs-packaging if rpm-build)
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
@ -148,11 +131,7 @@ Requires: openssl-devel%{?_isa}
Requires: zlib-devel%{?_isa}
Requires: brotli-devel%{?_isa}
Requires: nodejs-packaging
%if %{with bootstrap}
%else
Requires: libuv-devel%{?_isa}
%endif
%description devel
Development headers for the Node.js JavaScript runtime.
@ -201,7 +180,7 @@ Epoch: %{npm_epoch}
Version: %{npm_version}
Release: %{npm_release}
Obsoletes: npm < 0:3.5.4-6
Obsoletes: npm < 1:9
Provides: npm = %{npm_epoch}:%{npm_version}
Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
@ -223,9 +202,8 @@ Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
The API documentation for the Node.js JavaScript runtime.
%prep
%autosetup -p1 -n node-v%{nodejs_version}
%autosetup -p1 -n node-%{nodejs_version}
rm -rf deps/zlib
rm -rf deps/openssl
rm -rf deps/brotli
rm -rf deps/v8/third_party/jinja2
rm -rf tools/inspector_protocol/jinja2
@ -233,15 +211,11 @@ pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_test.py
find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
%build
%define _lto_cflags %{nil}
%ifarch s390 s390x %{arm} %ix86
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
%endif
export CC='%{__cc}'
export CXX='%{__cxx}'
@ -260,18 +234,6 @@ export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' ' ')"
export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
export LDFLAGS="%{build_ldflags}"
%if %{with bootstrap}
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--without-dtrace \
--with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store
%else
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
@ -284,13 +246,10 @@ export LDFLAGS="%{build_ldflags}"
--with-icu-default-data-dir=%{icudatadir} \
--without-corepack \
--openssl-use-def-ca-store
%endif
make BUILDTYPE=Release %{?_smp_mflags}
%install
rm -rf %{buildroot}
./tools/install.py install %{buildroot} %{_prefix}
chmod 0755 %{buildroot}/%{_bindir}/node
@ -309,7 +268,7 @@ done
mkdir -p %{buildroot}%{_prefix}/lib/node_modules
install -Dpm0644 %{SOURCE7} %{buildroot}%{_rpmconfigdir}/fileattrs/nodejs_native.attr
install -Dpm0644 %{SOURCE4} %{buildroot}%{_rpmconfigdir}/fileattrs/nodejs_native.attr
cat << EOF > %{buildroot}%{_rpmconfigdir}/nodejs_native.req
#!/bin/sh
echo 'nodejs(abi%{nodejs_major}) >= %nodejs_abi'
@ -378,15 +337,12 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/node.stp
%if %{with bootstrap}
%else
%dir %{_usr}/lib/dtrace
%{_usr}/lib/dtrace/node.d
%endif
%{_rpmconfigdir}/fileattrs/nodejs_native.attr
%{_rpmconfigdir}/nodejs_native.req
%doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md
%doc CHANGELOG.md onboarding.md GOVERNANCE.md README.md
%doc %{_mandir}/man1/node.1*
%files devel
@ -430,6 +386,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
%doc %{_mandir}/man5/package-json.5*
%doc %{_mandir}/man5/package-lock-json.5*
%doc %{_mandir}/man5/npm*.5*
%doc %{_mandir}/man7/config.7*
%doc %{_mandir}/man7/developers.7*
%doc %{_mandir}/man7/orgs.7*
@ -439,6 +396,8 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%doc %{_mandir}/man7/scope.7*
%doc %{_mandir}/man7/scripts.7*
%doc %{_mandir}/man7/workspaces.7*
%doc %{_mandir}/man7/dependency-selectors.7*
%doc %{_mandir}/man7/package-spec.7*
%files docs
%dir %{_pkgdocdir}
@ -447,6 +406,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%{_pkgdocdir}/npm/docs
%changelog
* Thu May 18 2023 misaka00251 <liuxin@iscas.ac.cn> - 1:18.16.0-1
- Update to 18.16.0
* Sat Mar 11 2023 Tom_zc <tom_toworld@163.com> - 1:16.15.0-3
- support openssl v3.0.8