From 87a91d708934b1ae152314c2035192d0d27c5321 Mon Sep 17 00:00:00 2001 From: Erik Olofsson Date: Fri, 3 Aug 2018 12:08:13 +0200 Subject: [PATCH 1/5] Add "from_certificate" setting for ecdhCurve option --- src/node_crypto.cc | 118 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 61db9f04bba143..9ffb936d3410ea 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc 
@@ -1200,6 +1200,121 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { } } +static void set_settings_from_certificate(Environment* env, SSL_CTX* const context) { + int curveName = 0; + + auto privateKey = SSL_CTX_get0_privatekey(context); + if (privateKey) { + if (auto keyRSA = EVP_PKEY_get1_RSA(privateKey)) { + auto RSASize = RSA_size(keyRSA) * 8; + RSA_free(keyRSA); + // Match curve security to security of RSA key + if (RSASize >= 12288) + curveName = NID_secp521r1; + else if (RSASize >= 4096) + curveName = NID_secp384r1; + else + curveName = NID_X9_62_prime256v1; + } else if (auto keyEC = EVP_PKEY_get1_EC_KEY(privateKey)) { + curveName = EC_GROUP_get_curve_name(EC_KEY_get0_group(keyEC)); + if (!curveName) + curveName = NID_secp521r1; + EC_KEY_free(keyEC); + } + } + + if (curveName) { + EC_KEY *curveKey = EC_KEY_new_by_curve_name(curveName); + if (curveKey) { + SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); + if (SSL_CTX_set_tmp_ecdh(context, curveKey) != 1) + SSL_CTX_set_ecdh_auto(context, 1); + EC_KEY_free(curveKey); + } else + SSL_CTX_set_ecdh_auto(context, 1); + } + + static const int supportedCurves[] = { + NID_secp521r1 + , NID_secp384r1 +#ifdef OPENSSL_IS_BORINGSSL + , NID_X25519 +#endif + , NID_X9_62_prime256v1 + }; + + if (!SSL_CTX_set1_curves(context, supportedCurves, sizeof(supportedCurves) + / sizeof(supportedCurves[0]))) { + return env->ThrowError("Failed to set supported curves on ssl context"); + } + +#ifdef OPENSSL_IS_BORINGSSL + static const uint16_t s_DefaultAlgos[] = { + SSL_SIGN_ECDSA_SECP521R1_SHA512 + , SSL_SIGN_RSA_PSS_SHA512 + , SSL_SIGN_RSA_PKCS1_SHA512 + , SSL_SIGN_ECDSA_SECP384R1_SHA384 + , SSL_SIGN_RSA_PSS_SHA384 + , SSL_SIGN_RSA_PKCS1_SHA384 + , SSL_SIGN_ECDSA_SECP256R1_SHA256 + , SSL_SIGN_RSA_PSS_SHA256 + , SSL_SIGN_RSA_PKCS1_SHA256 + }; + + size_t num_algos = sizeof(s_DefaultAlgos) / sizeof(s_DefaultAlgos[0]); + const uint16_t *algos = s_DefaultAlgos; + + switch (curveName) + { + case NID_secp521r1: break; 
+ case NID_secp384r1: + { + static const uint16_t s_CustomAlgos[] = + { + SSL_SIGN_ECDSA_SECP384R1_SHA384 + , SSL_SIGN_RSA_PSS_SHA384 + , SSL_SIGN_RSA_PKCS1_SHA384 + , SSL_SIGN_ECDSA_SECP521R1_SHA512 + , SSL_SIGN_RSA_PSS_SHA512 + , SSL_SIGN_RSA_PKCS1_SHA512 + , SSL_SIGN_ECDSA_SECP256R1_SHA256 + , SSL_SIGN_RSA_PSS_SHA256 + , SSL_SIGN_RSA_PKCS1_SHA256 + }; + num_algos = sizeof(s_CustomAlgos) / sizeof(s_CustomAlgos[0]); + algos = s_CustomAlgos; + } + break; + case NID_X9_62_prime256v1: + case NID_X25519: + { + static const uint16_t s_CustomAlgos[] = + { + SSL_SIGN_ECDSA_SECP256R1_SHA256 + , SSL_SIGN_RSA_PSS_SHA256 + , SSL_SIGN_RSA_PKCS1_SHA256 + , SSL_SIGN_ECDSA_SECP384R1_SHA384 + , SSL_SIGN_RSA_PSS_SHA384 + , SSL_SIGN_RSA_PKCS1_SHA384 + , SSL_SIGN_ECDSA_SECP521R1_SHA512 + , SSL_SIGN_RSA_PSS_SHA512 + , SSL_SIGN_RSA_PKCS1_SHA512 + }; + num_algos = sizeof(s_CustomAlgos) / sizeof(s_CustomAlgos[0]); + algos = s_CustomAlgos; + } + break; + } + + if (!SSL_CTX_set_signing_algorithm_prefs(context, algos, num_algos)) { + return env->ThrowError("Failed to set preferred signing algorithms on ssl context"); + } + + if (!SSL_CTX_set_verify_algorithm_prefs(context, algos, num_algos)) { + return env->ThrowError("Failed to set preferred verify algorithms on ssl context"); + } +#endif +} void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { SecureContext* sc; @@ -1213,6 +1328,9 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { node::Utf8Value curve(env->isolate(), args[0]); + if (strcmp(*curve, "from_certificate") == 0) + return set_settings_from_certificate(env, sc->ctx_); + if (strcmp(*curve, "auto") == 0) return; From 76133ee12bf42379fb7b239b5b6358697170edb1 Mon Sep 17 00:00:00 2001 
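Review bot: When the context has no private key yet, or the key is neither RSA nor EC, `curveName` stays 0 in `set_settings_from_certificate`, yet the function still narrows the supported curves and returns without an error. A caller that asked for `from_certificate` therefore cannot tell that nothing was derived from the certificate. If the key is not guaranteed to be loaded before SetECDHCurve runs, fail explicitly after the key inspection, e.g. `if (!curveName) return env->ThrowError("from_certificate requires an RSA or EC private key on the context");`, or document the fallback in a comment. Separately, `EVP_PKEY_get1_RSA` on a non-RSA key is expected to leave an entry on the OpenSSL error queue before the EC branch runs; clearing it there (`ERR_clear_error()`) would keep later error reporting accurate. The RSA size thresholds (12288 and 4096 bits) would also benefit from a comment naming the strength table they follow.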
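Review bot: `from_certificate` becomes a new accepted value of the `ecdhCurve` option in this check, but the patch changes only src/node_crypto.cc, so the value is neither documented nor tested in this commit. At minimum add a comment above the `strcmp`, e.g. `// "from_certificate": derive the ECDH curve and signature preferences from the context's private key`, and a test that covers both RSA and EC keys. The comment should also state that the key must already be set on `sc->ctx_` when this runs, since the helper reads it from the context. SetECDHCurve starts and ends outside the hunk.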
From: Erik Olofsson Date: Fri, 7 Feb 2020 13:27:14 +0100 Subject: [PATCH 2/5] Fix BoringSSL compile errors --- src/node_crypto.cc | 70 +++++++++++++++++++++++++++++++++------ src/node_crypto_common.cc | 7 +++- src/node_crypto_common.h | 4 +++ 3 files changed, 69 insertions(+), 12 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 9ffb936d3410ea..b8c082574a18c8 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -272,6 +272,41 @@ Maybe Decorate(Environment* env, Local obj, c = ToUpper(c); } +#ifdef OPENSSL_IS_BORINGSSL +#define OSSL_ERROR_CODES_MAP(V) \ + V(SYS) \ + V(BN) \ + V(RSA) \ + V(DH) \ + V(EVP) \ + V(BUF) \ + V(OBJ) \ + V(PEM) \ + V(DSA) \ + V(X509) \ + V(ASN1) \ + V(CONF) \ + V(CRYPTO) \ + V(EC) \ + V(SSL) \ + V(BIO) \ + V(PKCS7) \ + V(PKCS8) \ + V(X509V3) \ + V(RAND) \ + V(ENGINE) \ + V(OCSP) \ + V(UI) \ + V(COMP) \ + V(ECDSA) \ + V(ECDH) \ + V(HMAC) \ + V(DIGEST) \ + V(CIPHER) \ + V(HKDF) \ + V(USER) \ + +#else #define OSSL_ERROR_CODES_MAP(V) \ V(SYS) \ V(BN) \ @@ -311,6 +346,8 @@ Maybe Decorate(Environment* env, Local obj, V(SM2) \ V(USER) \ +#endif + #define V(name) case ERR_LIB_##name: lib = #name "_"; break; const char* lib = ""; const char* prefix = "OSSL_"; @@ -1229,7 +1266,7 @@ static void set_settings_from_certificate(Environment* env, SSL_CTX* const conte SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); if (SSL_CTX_set_tmp_ecdh(context, curveKey) != 1) SSL_CTX_set_ecdh_auto(context, 1); - EC_KEY_free(curveKey); + EC_KEY_free(curveKey); } else SSL_CTX_set_ecdh_auto(context, 1); } @@ -1242,8 +1279,8 @@ static void set_settings_from_certificate(Environment* env, SSL_CTX* const conte #endif , NID_X9_62_prime256v1 }; - - if (!SSL_CTX_set1_curves(context, supportedCurves, sizeof(supportedCurves) + + if (!SSL_CTX_set1_curves(context, supportedCurves, sizeof(supportedCurves) / sizeof(supportedCurves[0]))) { return env->ThrowError("Failed to set supported curves on ssl context"); } 
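Review bot: The BoringSSL branch of `OSSL_ERROR_CODES_MAP` repeats most of the OpenSSL list by hand, so the two copies have to be kept in step manually. Consider moving the entries both libraries share into one macro and adding only the library-specific ones (`DIGEST`, `CIPHER`, `HKDF` here) inside the `#ifdef`, or at least put a comment above the new list such as `// BoringSSL: only the ERR_LIB_* values its headers define`. An `ERR_LIB_*` value missing from the active list is presumably reported without a library prefix, since `lib` starts as `""`. The enclosing function begins outside the hunk.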
@@ -1262,14 +1299,14 @@ static void set_settings_from_certificate(Environment* env, SSL_CTX* const conte }; size_t num_algos = sizeof(s_DefaultAlgos) / sizeof(s_DefaultAlgos[0]); - const uint16_t *algos = s_DefaultAlgos; + const uint16_t *algos = s_DefaultAlgos; switch (curveName) { case NID_secp521r1: break; case NID_secp384r1: { - static const uint16_t s_CustomAlgos[] = + static const uint16_t s_CustomAlgos[] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 , SSL_SIGN_RSA_PSS_SHA384 @@ -1282,13 +1319,13 @@ static void set_settings_from_certificate(Environment* env, SSL_CTX* const conte , SSL_SIGN_RSA_PKCS1_SHA256 }; num_algos = sizeof(s_CustomAlgos) / sizeof(s_CustomAlgos[0]); - algos = s_CustomAlgos; + algos = s_CustomAlgos; } break; case NID_X9_62_prime256v1: case NID_X25519: { - static const uint16_t s_CustomAlgos[] = + static const uint16_t s_CustomAlgos[] = { SSL_SIGN_ECDSA_SECP256R1_SHA256 , SSL_SIGN_RSA_PSS_SHA256 @@ -1301,7 +1338,7 @@ static void set_settings_from_certificate(Environment* env, SSL_CTX* const conte , SSL_SIGN_RSA_PKCS1_SHA512 }; num_algos = sizeof(s_CustomAlgos) / sizeof(s_CustomAlgos[0]); - algos = s_CustomAlgos; + algos = s_CustomAlgos; } break; } @@ -1329,7 +1366,7 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { node::Utf8Value curve(env->isolate(), args[0]); if (strcmp(*curve, "from_certificate") == 0) - return set_settings_from_certificate(env, sc->ctx_); + return set_settings_from_certificate(env, sc->ctx_.get()); if (strcmp(*curve, "auto") == 0) return; @@ -5862,7 +5899,7 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo& args) { if (!EC_KEY_set_public_key(new_key.get(), pub.get())) return env->ThrowError("Failed to set generated public key"); - EC_KEY_copy(ecdh->key_.get(), new_key.get()); + ecdh->key_ = ECKeyPointer(EC_KEY_dup(new_key.get())); ecdh->group_ = EC_KEY_get0_group(ecdh->key_.get()); } 
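Review bot: `EC_KEY_dup` can return null, and the next line passes `ecdh->key_.get()` straight to `EC_KEY_get0_group`, so an allocation failure in ECDH::SetPrivateKey would discard the previous key and then likely dereference a null key instead of throwing. Check the result before replacing the key, or avoid the copy altogether with `ecdh->key_ = std::move(new_key);` if `new_key` is an `ECKeyPointer` that is not used afterwards (its declaration is outside the hunk). The replacement is not inside an `OPENSSL_IS_BORINGSSL` guard, so it also changes the OpenSSL build, which the commit title does not suggest. ECDH::SetPrivateKey begins outside the hunk.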
@@ -6243,6 +6280,7 @@ class RSAPSSKeyPairGenerationConfig : public RSAKeyPairGenerationConfig { const int saltlen_; }; +#ifndef OPENSSL_IS_BORINGSSL class DSAKeyPairGenerationConfig : public KeyPairGenerationConfig { public: DSAKeyPairGenerationConfig(unsigned int modulus_bits, int divisor_bits) @@ -6281,6 +6319,7 @@ class DSAKeyPairGenerationConfig : public KeyPairGenerationConfig { const unsigned int modulus_bits_; const int divisor_bits_; }; +#endif class ECKeyPairGenerationConfig : public KeyPairGenerationConfig { public: @@ -6338,6 +6377,7 @@ struct PrimeInfo { unsigned int prime_size_; }; +#ifndef OPENSSL_IS_BORINGSSL class DHKeyPairGenerationConfig : public KeyPairGenerationConfig { public: explicit DHKeyPairGenerationConfig(PrimeInfo&& prime_info, @@ -6393,6 +6433,7 @@ class DHKeyPairGenerationConfig : public KeyPairGenerationConfig { PrimeInfo prime_info_; unsigned int generator_; }; +#endif class GenerateKeyPairJob : public CryptoJob { public: @@ -6572,6 +6613,7 @@ void GenerateKeyPairRSAPSS(const FunctionCallbackInfo& args) { GenerateKeyPair(args, 5, std::move(config)); } +#ifndef OPENSSL_IS_BORINGSSL void GenerateKeyPairDSA(const FunctionCallbackInfo& args) { CHECK(args[0]->IsUint32()); const uint32_t modulus_bits = args[0].As()->Value(); @@ -6581,6 +6623,7 @@ void GenerateKeyPairDSA(const FunctionCallbackInfo& args) { new DSAKeyPairGenerationConfig(modulus_bits, divisor_bits)); GenerateKeyPair(args, 2, std::move(config)); } +#endif void GenerateKeyPairEC(const FunctionCallbackInfo& args) { CHECK(args[0]->IsString()); @@ -6610,6 +6653,7 @@ void GenerateKeyPairNid(const FunctionCallbackInfo& args) { GenerateKeyPair(args, 1, std::move(config)); } +#ifndef OPENSSL_IS_BORINGSSL void GenerateKeyPairDH(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); 
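Review bot: With `OPENSSL_IS_BORINGSSL` defined, `DSAKeyPairGenerationConfig`, `DHKeyPairGenerationConfig`, `GenerateKeyPairDSA` and `GenerateKeyPairDH` are compiled out, and the later `Initialize` hunk stops registering `generateKeyPairDSA` and `generateKeyPairDH` on the binding. Any JavaScript caller of those binding methods (not visible in this patch) would then hit an undefined function rather than a clear error. Consider keeping the two registrations and pointing them at a small stub that calls `env->ThrowError("DSA key generation is not supported by BoringSSL")` (and the DH equivalent), so the failure is explicit. A short comment on each `#ifndef` saying why the type is excluded would help the next reader as well.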
@@ -6642,7 +6686,7 @@ void GenerateKeyPairDH(const FunctionCallbackInfo& args) { new DHKeyPairGenerationConfig(std::move(prime_info), generator)); GenerateKeyPair(args, 2, std::move(config)); } - +#endif void GetSSLCiphers(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); @@ -7139,10 +7183,14 @@ void Initialize(Local target, env->SetMethod(target, "pbkdf2", PBKDF2); env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA); env->SetMethod(target, "generateKeyPairRSAPSS", GenerateKeyPairRSAPSS); +#ifndef OPENSSL_IS_BORINGSSL env->SetMethod(target, "generateKeyPairDSA", GenerateKeyPairDSA); +#endif env->SetMethod(target, "generateKeyPairEC", GenerateKeyPairEC); env->SetMethod(target, "generateKeyPairNid", GenerateKeyPairNid); +#ifndef OPENSSL_IS_BORINGSSL env->SetMethod(target, "generateKeyPairDH", GenerateKeyPairDH); +#endif NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED25519); NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED448); NODE_DEFINE_CONSTANT(target, EVP_PKEY_X25519); diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc index 6473b652ac9560..9e004e154c1a08 100644 --- a/src/node_crypto_common.cc +++ b/src/node_crypto_common.cc @@ -239,6 +239,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr context) { return err; } +#ifndef OPENSSL_IS_BORINGSSL const char* GetClientHelloALPN(const SSLPointer& ssl) { const unsigned char* buf; size_t len; @@ -285,14 +286,17 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) { return nullptr; return reinterpret_cast(buf + 5); } +#endif const char* GetServerName(SSL* ssl) { return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); } +#ifndef OPENSSL_IS_BORINGSSL bool SetGroups(SecureContext* sc, const char* groups) { return SSL_CTX_set1_groups_list(**sc, groups) == 1; } +#endif const char* X509ErrorCode(long err) { // NOLINT(runtime/int) const char* code = "UNSPECIFIED"; 
@@ -764,6 +768,7 @@ MaybeLocal GetCipherVersion(Environment* env, const SSLPointer& ssl) { return GetCipherVersion(env, SSL_get_current_cipher(ssl.get())); } +#ifndef OPENSSL_IS_BORINGSSL MaybeLocal GetClientHelloCiphers( Environment* env, const SSLPointer& ssl) { @@ -796,7 +801,7 @@ MaybeLocal GetClientHelloCiphers( Local ret = Array::New(env->isolate(), ciphers.out(), count); return scope.Escape(ret); } - +#endif MaybeLocal GetCipherInfo(Environment* env, const SSLPointer& ssl) { EscapableHandleScope scope(env->isolate()); diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h index c373a97e4763a4..5af49145ba402d 100644 --- a/src/node_crypto_common.h +++ b/src/node_crypto_common.h @@ -73,17 +73,21 @@ long VerifyPeerCertificate( // NOLINT(runtime/int) int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr context); +#ifndef OPENSSL_IS_BORINGSSL const char* GetClientHelloALPN(const SSLPointer& ssl); const char* GetClientHelloServerName(const SSLPointer& ssl); +#endif const char* GetServerName(SSL* ssl); +#ifndef OPENSSL_IS_BORINGSSL v8::MaybeLocal GetClientHelloCiphers( Environment* env, const SSLPointer& ssl); bool SetGroups(SecureContext* sc, const char* groups); +#endif const char* X509ErrorCode(long err); // NOLINT(runtime/int) From c69a0f04e36b12b6b1bcc7adefe87a99278a9a90 Mon Sep 17 00:00:00 2001 From: Erik Olofsson Date: Thu, 30 Sep 2021 18:52:46 +0200 Subject: [PATCH 3/5] Remove DST Root CA X3 from root certificates --- src/node_root_certs.h | 20 ------- tools/certdata.txt | 132 +----------------------------------------- 2 files changed, 1 insertion(+), 151 deletions(-) diff --git a/src/node_root_certs.h b/src/node_root_certs.h index 47beb730f4b853..94ac882ec7e4e2 100644 --- a/src/node_root_certs.h +++ b/src/node_root_certs.h 
@@ -525,26 +525,6 @@ "yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K\n" "-----END CERTIFICATE-----", -/* DST Root CA X3 */ -"-----BEGIN CERTIFICATE-----\n" -"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYD\n" -"VQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENB\n" -"IFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRh\n" -"bCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJ\n" -"KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdA\n" -"wRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwG\n" -"MoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4X\n" -"Lh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n" -"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkq\n" -"tilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n" -"HQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiyb\n" -"FwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR\n" -"6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaL\n" -"bumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir\n" -"/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06Xyx\n" -"V3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n" -"-----END CERTIFICATE-----", - /* SwissSign Gold CA - G2 */ "-----BEGIN CERTIFICATE-----\n" "MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNI\n" diff --git a/tools/certdata.txt b/tools/certdata.txt index fcef935cbfc96c..c1606d47e0f0c5 100644 --- a/tools/certdata.txt +++ b/tools/certdata.txt @@ -1,4 +1,4 @@ -# +# # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. 
@@ -4034,136 +4034,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "DST Root CA X3" -# -# Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. -# Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b -# Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. -# Not Valid Before: Sat Sep 30 21:12:19 2000 -# Not Valid After : Thu Sep 30 14:01:15 2021 -# Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5 -# Fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DST Root CA X3" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\077\061\044\060\042\006\003\125\004\012\023\033\104\151\147 -\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124 -\162\165\163\164\040\103\157\056\061\027\060\025\006\003\125\004 -\003\023\016\104\123\124\040\122\157\157\164\040\103\101\040\130 -\063 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\077\061\044\060\042\006\003\125\004\012\023\033\104\151\147 -\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124 -\162\165\163\164\040\103\157\056\061\027\060\025\006\003\125\004 -\003\023\016\104\123\124\040\122\157\157\164\040\103\101\040\130 -\063 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\104\257\260\200\326\243\047\272\211\060\071\206\056\370 -\100\153 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\112\060\202\002\062\240\003\002\001\002\002\020\104 -\257\260\200\326\243\047\272\211\060\071\206\056\370\100\153\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\077 -\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164 -\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165 
-\163\164\040\103\157\056\061\027\060\025\006\003\125\004\003\023 -\016\104\123\124\040\122\157\157\164\040\103\101\040\130\063\060 -\036\027\015\060\060\060\071\063\060\062\061\061\062\061\071\132 -\027\015\062\061\060\071\063\060\061\064\060\061\061\065\132\060 -\077\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151 -\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162 -\165\163\164\040\103\157\056\061\027\060\025\006\003\125\004\003 -\023\016\104\123\124\040\122\157\157\164\040\103\101\040\130\063 -\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001 -\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001 -\000\337\257\351\227\120\010\203\127\264\314\142\145\366\220\202 -\354\307\323\054\153\060\312\133\354\331\303\175\307\100\301\030 -\024\213\340\350\063\166\111\052\343\077\041\111\223\254\116\016 -\257\076\110\313\145\356\374\323\041\017\145\322\052\331\062\217 -\214\345\367\167\260\022\173\265\225\300\211\243\251\272\355\163 -\056\172\014\006\062\203\242\176\212\024\060\315\021\240\341\052 -\070\271\171\012\061\375\120\275\200\145\337\267\121\143\203\310 -\342\210\141\352\113\141\201\354\122\153\271\242\342\113\032\050 -\237\110\243\236\014\332\011\216\076\027\056\036\335\040\337\133 -\306\052\212\253\056\275\160\255\305\013\032\045\220\164\162\305 -\173\152\253\064\326\060\211\377\345\150\023\173\124\013\310\326 -\256\354\132\234\222\036\075\144\263\214\306\337\277\311\101\160 -\354\026\162\325\046\354\070\125\071\103\320\374\375\030\134\100 -\361\227\353\325\232\233\215\035\272\332\045\271\306\330\337\301 -\025\002\072\253\332\156\361\076\056\365\134\010\234\074\326\203 -\151\344\020\233\031\052\266\051\127\343\345\075\233\237\360\002 -\135\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035 -\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125 -\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125 -\035\016\004\026\004\024\304\247\261\244\173\054\161\372\333\341 
-\113\220\165\377\304\025\140\205\211\020\060\015\006\011\052\206 -\110\206\367\015\001\001\005\005\000\003\202\001\001\000\243\032 -\054\233\027\000\134\251\036\356\050\146\067\072\277\203\307\077 -\113\303\011\240\225\040\135\343\331\131\104\322\076\015\076\275 -\212\113\240\164\037\316\020\202\234\164\032\035\176\230\032\335 -\313\023\113\263\040\104\344\221\351\314\374\175\245\333\152\345 -\376\346\375\340\116\335\267\000\072\265\160\111\257\362\345\353 -\002\361\321\002\213\031\313\224\072\136\110\304\030\036\130\031 -\137\036\002\132\360\014\361\261\255\251\334\131\206\213\156\351 -\221\365\206\312\372\271\146\063\252\131\133\316\342\247\026\163 -\107\313\053\314\231\260\067\110\317\343\126\113\365\317\017\014 -\162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122 -\147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071 -\044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011 -\220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221 -\213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050 -\071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221 -\013\004\216\007\333\051\266\012\356\235\202\065\065\020 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE -CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE - -# Trust for Certificate "DST Root CA X3" -# Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. -# Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b -# Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. 
-# Not Valid Before: Sat Sep 30 21:12:19 2000 -# Not Valid After : Thu Sep 30 14:01:15 2021 -# Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5 -# Fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DST Root CA X3" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\332\311\002\117\124\330\366\337\224\223\137\261\163\046\070\312 -\152\327\174\023 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\101\003\122\334\017\367\120\033\026\360\002\216\272\157\105\305 -END -CKA_ISSUER MULTILINE_OCTAL -\060\077\061\044\060\042\006\003\125\004\012\023\033\104\151\147 -\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124 -\162\165\163\164\040\103\157\056\061\027\060\025\006\003\125\004 -\003\023\016\104\123\124\040\122\157\157\164\040\103\101\040\130 -\063 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\104\257\260\200\326\243\047\272\211\060\071\206\056\370 -\100\153 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "SwissSign Platinum CA - G2" # From 822f43929a7e0982eb20bae70410b6c06cc43806 Mon Sep 17 00:00:00 2001 From: Erik Olofsson Date: Wed, 20 Oct 2021 20:56:33 +0200 Subject: [PATCH 4/5] Fix clang miscompile --- deps/v8/third_party/zlib/contrib/optimizations/inffast_chunk.c | 2 +- deps/zlib/contrib/optimizations/inffast_chunk.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deps/v8/third_party/zlib/contrib/optimizations/inffast_chunk.c b/deps/v8/third_party/zlib/contrib/optimizations/inffast_chunk.c index 4099edf3961d74..89eca989004164 100644 --- a/deps/v8/third_party/zlib/contrib/optimizations/inffast_chunk.c 
+++ b/deps/v8/third_party/zlib/contrib/optimizations/inffast_chunk.c @@ -276,7 +276,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ the main copy is near the end. */ out = chunkunroll_relaxed(out, &dist, &len); - out = chunkcopy_safe(out, out - dist, len, limit); + out = chunkcopy_lapped_safe(out, dist, len, limit); } else { /* from points to window, so there is no risk of overlapping pointers requiring memset-like behaviour diff --git a/deps/zlib/contrib/optimizations/inffast_chunk.c b/deps/zlib/contrib/optimizations/inffast_chunk.c index 4099edf3961d74..89eca989004164 100644 --- a/deps/zlib/contrib/optimizations/inffast_chunk.c +++ b/deps/zlib/contrib/optimizations/inffast_chunk.c @@ -276,7 +276,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ the main copy is near the end. */ out = chunkunroll_relaxed(out, &dist, &len); - out = chunkcopy_safe(out, out - dist, len, limit); + out = chunkcopy_lapped_safe(out, dist, len, limit); } else { /* from points to window, so there is no risk of overlapping pointers requiring memset-like behaviour From 9e61be68f71ae012e73bca4de050246beea202c9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 15 Nov 2021 04:10:22 +0000 Subject: [PATCH 5/5] meta: move one or more collaborators to emeritus --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 74a31d75d60f02..bcd14c00c0a5ed 100644 --- a/README.md +++ b/README.md @@ -278,8 +278,6 @@ For information about the governance of the Node.js project, see **Beth Griggs** <bgriggs@redhat.com> (she/her) * [bmeck](https://github.com/bmeck) - **Bradley Farias** <bradley.meck@gmail.com> -* [bmeurer](https://github.com/bmeurer) - -**Benedikt Meurer** <benedikt.meurer@gmail.com> * [boneskull](https://github.com/boneskull) - **Christopher Hiller** <boneskull@boneskull.com> (he/him) * [BridgeAR](https://github.com/BridgeAR) - 
@@ -336,8 +334,6 @@ For information about the governance of the Node.js project, see **Guy Bedford** <guybedford@gmail.com> (he/him) * [HarshithaKP](https://github.com/HarshithaKP) - **Harshitha K P** <harshitha014@gmail.com> (she/her) -* [hashseed](https://github.com/hashseed) - -**Yang Guo** <yangguo@chromium.org> (he/him) * [himself65](https://github.com/himself65) - **Zeyu Yang** <himself65@outlook.com> (he/him) * [hiroppy](https://github.com/hiroppy) - @@ -346,8 +342,6 @@ For information about the governance of the Node.js project, see **Ian Sutherland** <ian@iansutherland.ca> * [indutny](https://github.com/indutny) - **Fedor Indutny** <fedor@indutny.com> -* [JacksonTian](https://github.com/JacksonTian) - -**Jackson Tian** <shyvo1987@gmail.com> * [jasnell](https://github.com/jasnell) - **James M Snell** <jasnell@gmail.com> (he/him) * [jkrems](https://github.com/jkrems) - @@ -382,8 +376,6 @@ For information about the governance of the Node.js project, see **Milad Fa** <mfarazma@redhat.com> (he/him) * [mildsunrise](https://github.com/mildsunrise) - **Alba Mendez** <me@alba.sh> (she/her) -* [misterdjules](https://github.com/misterdjules) - -**Julien Gilli** <jgilli@netflix.com> * [mmarchini](https://github.com/mmarchini) - **Mary Marchini** <oss@mmarchini.me> (she/her) * [mscdex](https://github.com/mscdex) - @@ -402,8 +394,6 @@ For information about the governance of the Node.js project, see **Stephen Belanger** <admin@stephenbelanger.com> (he/him) * [RaisinTen](https://github.com/RaisinTen) - **Darshan Sen** <raisinten@gmail.com> (he/him) -* [refack](https://github.com/refack) - -**Refael Ackermann (רפאל פלחי)** <refack@gmail.com> (he/him/הוא/אתה) * [rexagod](https://github.com/rexagod) - **Pranshu Srivastava** <rexagod@gmail.com> (he/him) * [richardlau](https://github.com/richardlau) - 
@@ -479,6 +469,8 @@ For information about the governance of the Node.js project, see **Andreas Madsen** <amwebdk@gmail.com> (he/him) * [aqrln](https://github.com/aqrln) - **Alexey Orlenko** <eaglexrlnk@gmail.com> (he/him) +* [bmeurer](https://github.com/bmeurer) - +**Benedikt Meurer** <benedikt.meurer@gmail.com> * [bnoordhuis](https://github.com/bnoordhuis) - **Ben Noordhuis** <info@bnoordhuis.nl> * [brendanashworth](https://github.com/brendanashworth) - @@ -505,6 +497,10 @@ For information about the governance of the Node.js project, see **Gibson Fahnestock** <gibfahn@gmail.com> (he/him) * [glentiki](https://github.com/glentiki) - **Glen Keane** <glenkeane.94@gmail.com> (he/him) +* [hashseed](https://github.com/hashseed) - +**Yang Guo** <yangguo@chromium.org> (he/him) +* [JacksonTian](https://github.com/JacksonTian) - +**Jackson Tian** <shyvo1987@gmail.com> * [iarna](https://github.com/iarna) - **Rebecca Turner** <me@re-becca.org> * [imran-iq](https://github.com/imran-iq) - @@ -545,6 +541,8 @@ For information about the governance of the Node.js project, see **Nicu Micleușanu** <micnic90@gmail.com> (he/him) * [mikeal](https://github.com/mikeal) - **Mikeal Rogers** <mikeal.rogers@gmail.com> +* [misterdjules](https://github.com/misterdjules) - +**Julien Gilli** <jgilli@netflix.com> * [monsanto](https://github.com/monsanto) - **Christopher Monsanto** <chris@monsan.to> * [MoonBall](https://github.com/MoonBall) - @@ -571,6 +569,8 @@ For information about the governance of the Node.js project, see **Prince John Wesley** <princejohnwesley@gmail.com> * [psmarshall](https://github.com/psmarshall) - **Peter Marshall** <petermarshall@chromium.org> (he/him) +* [refack](https://github.com/refack) - +**Refael Ackermann (רפאל פלחי)** <refack@gmail.com> (he/him/הוא/אתה) * [rlidwka](https://github.com/rlidwka) - **Alex Kocharin** <alex@kocharin.ru> * [rmg](https://github.com/rmg) -