diff --git a/NSIS/signalk-server.nsi b/NSIS/signalk-server.nsi index 526f61e..bf5d5dc 100644 --- a/NSIS/signalk-server.nsi +++ b/NSIS/signalk-server.nsi @@ -13,7 +13,7 @@ !include "MUI2.nsh" ;====================================================== ;General - !define INST_VERSION "1.0.0" + !define INST_VERSION "1.1.0" BrandingText "Signal K from http://signalk.org/" Name "Signal K installer ${INST_VERSION}" OutFile "..\output\signalk-server-setup-${INST_VERSION}.exe" @@ -65,7 +65,8 @@ Var /GLOBAL NODE_UPGRADE Var /GLOBAL NODE_SHORT_VERSION Var /GLOBAL NODE_VERSION - + Var /GLOBAL SIGNALK_NODE_CONFIG_DIR + Function SetGlobalVars LogSet on StrCpy $USERPROFILE $INSTDIR\signalkhome @@ -75,21 +76,17 @@ StrCpy $OPENSSL_BIN_PATH '$INSTDIR\openssl\bin' StrCpy $OPENSSL_CONF '$INSTDIR\openssl\openssl.cnf' StrCpy $TOOLS_PATH '$INSTDIR\tools' + StrCpy $SIGNALK_NODE_CONFIG_DIR '$USERPROFILE\.signalk' + ${If} ${AtLeastWin10} - StrCpy $NODE64_URL 'https://nodejs.org/dist/v16.13.2/node-v16.13.2-win-x64.zip' - StrCpy $NODE86_URL 'https://nodejs.org/dist/v16.13.2/node-v16.13.2-win-x86.zip' - StrCpy $NODE64_ORG_DIR 'node-v16.13.2-win-x64' - StrCpy $NODE86_ORG_DIR 'node-v16.13.2-win-x86' - StrCpy $NODE_VERSION 'v16.13.2' - StrCpy $NODE_SHORT_VERSION 'v16' + StrCpy $NODE64_URL 'https://nodejs.org/dist/v18.17.1/node-v18.17.1-win-x64.zip' + StrCpy $NODE86_URL 'https://nodejs.org/dist/v18.17.1/node-v18.17.1-win-x86.zip' + StrCpy $NODE64_ORG_DIR 'node-v18.17.1-win-x64' + StrCpy $NODE86_ORG_DIR 'node-v18.17.1-win-x86' + StrCpy $NODE_VERSION 'v18.17.1' + StrCpy $NODE_SHORT_VERSION 'v18' ${Else} - StrCpy $NODE64_URL 'https://nodejs.org/download/release/v12.22.9/node-v12.22.9-win-x64.zip' - StrCpy $NODE86_URL 'https://nodejs.org/download/release/v12.22.9/node-v12.22.9-win-x86.zip' - StrCpy $NODE64_ORG_DIR 'node-v12.22.9-win-x64' - StrCpy $NODE86_ORG_DIR 'node-v12.22.9-win-x86' StrCpy $W7_DETECTED '1' - StrCpy $NODE_VERSION 'v12.22.9' - StrCpy $NODE_SHORT_VERSION 'v12' ${EndIf} FunctionEnd 
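Review bot: The Node.js archives set in the `@@ -75,21 +76,17 @@` hunk are pinned by URL and version only (`v18.17.1`), with no expected digest recorded beside them. The download and unpack code is outside this diff, so it cannot be confirmed from here whether the zip is verified before extraction. If it is not, record a per-architecture SHA-256 taken from the release's SHASUMS256.txt, e.g. `StrCpy $NODE64_SHA256 '<sha256 of node-v18.17.1-win-x64.zip>'`, and compare it after download. Separately, the `${Else}` branch now only sets `$W7_DETECTED`, and since the installer aborts below Windows 10, that branch and variable look like dead code. SetGlobalVars begins outside the hunk.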
@@ -109,8 +106,9 @@ SetDetailsView show LogText "Signal K installer version: ${INST_VERSION}" ${IfNot} ${AtLeastWin10} - MessageBox MB_ICONEXCLAMATION|MB_OK "Your current version of Windows is lower than Windows 10,$\nNodeJS 12 will be installed instead of NodeJS 16.$\nLimited support for Signal K server versions > 1.40.0." - LogText "Windows version < 10 detected, install NodeJS 12" + MessageBox MB_ICONEXCLAMATION|MB_OK "Your current version of Windows is lower than Windows 10,$\nOperating System version prior to Windows 10 are no longer supported with recent versions of Signal K server. " + LogText "Windows version < 10 detected, installation cancelled " + Abort ${EndIf} LogSet off FunctionEnd @@ -125,9 +123,9 @@ FileWrite $9 '@ECHO OFF$\r$\n' FileWrite $9 '$INSTALL_DRIVE$\r$\n' FileWrite $9 'set USERPROFILE=$USERPROFILE$\r$\n' - FileWrite $9 'set NODE_PATH=$NODE_PATH$\r$\n' - FileWrite $9 'set PATH=%NODE_PATH%;$OPENSSL_BIN_PATH;%PATH%$\r$\n' - FileWrite $9 'set SIGNALK_NODE_CONFIG_DIR=%USERPROFILE%\.signalk$\r$\n' + FileWrite $9 'set NODE_PATH=$NODE_MODULES_PATH$\r$\n' + FileWrite $9 'set PATH=$NODE_PATH;$OPENSSL_BIN_PATH;%PATH%$\r$\n' + FileWrite $9 'set SIGNALK_NODE_CONFIG_DIR=$SIGNALK_NODE_CONFIG_DIR$\r$\n' FileWrite $9 'set SIGNALK_SERVER_IS_UPDATABLE=1$\r$\n' FileWrite $9 'set OPENSSL_CONF=$OPENSSL_CONF$\r$\n' FileWrite $9 'cd %USERPROFILE%$\r$\n' 
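Review bot: In the `@@ -125,9 +123,9 @@` hunk the new `set NODE_PATH=$NODE_MODULES_PATH` and `set PATH=$NODE_PATH;$OPENSSL_BIN_PATH;%PATH%` lines do not use the quoted `set "NAME=value"` form, so the directory chosen in the installer is pasted raw into a cmd script. A directory name containing `&` or another cmd metacharacter would then be parsed as script syntax rather than as part of the path. The hunks at -232, -291 and -316 quote the PATH line but still leave `set NODE_PATH=$NODE_MODULES_PATH` unquoted. Suggest `set "NODE_PATH=$NODE_MODULES_PATH"` and `set "PATH=$NODE_PATH;$OPENSSL_BIN_PATH;%PATH%"` in all four scripts. `$NODE_MODULES_PATH` is not assigned in any visible hunk, so confirm it is set before these files are written; the enclosing function starts and ends outside the hunk.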
@@ -140,14 +138,16 @@ DetailPrint "Create $USERPROFILE\.npmrc" FileOpen $9 $USERPROFILE\.npmrc w FileWrite $9 'cache=$USERPROFILE\npm-cache$\r$\n' - FileWrite $9 'tmp=$USERPROFILE\tmp$\r$\n' FileWrite $9 'prefix=$NODE_PATH$\r$\n' FileWrite $9 '$\r$\n' FileClose $9 DetailPrint "Create $TOOLS_PATH\signalk-server-services.js" FileOpen $9 $TOOLS_PATH\signalk-server-services.js w - FileWrite $9 'process.env.SIGNALK_NODE_CONFIG_DIR = process.env.USERPROFILE + "\\.signalk"$\r$\n' + Push $SIGNALK_NODE_CONFIG_DIR + Call ConvertBStoDBS + Pop $R0 + FileWrite $9 'process.env.SIGNALK_NODE_CONFIG_DIR = "$R0"$\r$\n' FileWrite $9 'process.env.SIGNALK_SERVER_IS_UPDATABLE = "1"$\r$\n' FileWrite $9 '//process.env.DEBUG = ""$\r$\n' Push $OPENSSL_BIN_PATH @@ -232,8 +232,8 @@ FileWrite $9 '@ECHO OFF$\r$\n' FileWrite $9 '$INSTALL_DRIVE$\r$\n' FileWrite $9 'echo Install signalk as service in progress...$\r$\n' - FileWrite $9 'set NODE_PATH=$NODE_PATH$\r$\n' - FileWrite $9 'set "PATH=%NODE_PATH%;%PATH%"$\r$\n' + FileWrite $9 'set NODE_PATH=$NODE_MODULES_PATH$\r$\n' + FileWrite $9 'set "PATH=$NODE_PATH;%PATH%"$\r$\n' FileWrite $9 'cd $TOOLS_PATH$\r$\n' FileWrite $9 'node .\install-signalk-server-services.js$\r$\n' FileWrite $9 'if %ERRORLEVEL% neq 0 goto :ERROR$\r$\n' @@ -291,8 +291,8 @@ FileWrite $9 'echo Install log saved in $INSTDIR\$LOG_FILE file$\r$\n' FileWrite $9 'echo Please wait ...$\r$\n' FileWrite $9 'set USERPROFILE=$USERPROFILE$\r$\n' - FileWrite $9 'set NODE_PATH=$NODE_PATH$\r$\n' - FileWrite $9 'set "Path=%NODE_PATH%;%Path%"$\r$\n' + FileWrite $9 'set NODE_PATH=$NODE_MODULES_PATH$\r$\n' + FileWrite $9 'set "Path=$NODE_PATH;%Path%"$\r$\n' FileWrite $9 'set OPENSSL_CONF=$OPENSSL_CONF$\r$\n' FileWrite $9 'cd $NODE_PATH$\r$\n' FileWrite $9 'echo "start: npm install -g --unsafe-perm node-windows@1.0.0-beta.5" 1>>$INSTDIR\$LOG_FILE 2>&1$\r$\n' 
@@ -316,8 +316,8 @@ FileWrite $9 'echo Install log saved in $INSTDIR\$LOG_FILE file$\r$\n' FileWrite $9 'echo Please wait this may take some time ...$\r$\n' FileWrite $9 'set USERPROFILE=$USERPROFILE$\r$\n' - FileWrite $9 'set NODE_PATH=$NODE_PATH$\r$\n' - FileWrite $9 'set "Path=%NODE_PATH%;%Path%"$\r$\n' + FileWrite $9 'set NODE_PATH=$NODE_MODULES_PATH$\r$\n' + FileWrite $9 'set "Path=$NODE_PATH;%Path%"$\r$\n' FileWrite $9 'set OPENSSL_CONF=$OPENSSL_CONF$\r$\n' FileWrite $9 'cd $NODE_PATH$\r$\n' FileWrite $9 'echo "start: npm install -g --unsafe-perm signalk-server" 1>>$INSTDIR\$LOG_FILE 2>&1$\r$\n' 
@@ -332,32 +332,40 @@ FileWrite $9 '$\r$\n' FileClose $9 - ${If} $W7_DETECTED == "1" - DetailPrint "Create $TOOLS_PATH\npm-install-serial.cmd for Windows 7" - StrCpy $LOG_FILE "npm-inst-serial.log" - FileOpen $9 $TOOLS_PATH\npm-install-serial.cmd w - FileWrite $9 '@ECHO OFF$\r$\n' - FileWrite $9 '$INSTALL_DRIVE$\r$\n' - FileWrite $9 'echo Install alternative package for serial port support in progress...$\r$\n' - FileWrite $9 'echo Install log saved in $INSTDIR\$LOG_FILE file$\r$\n' - FileWrite $9 'echo Please wait ...$\r$\n' - FileWrite $9 'set USERPROFILE=$USERPROFILE$\r$\n' - FileWrite $9 'set NODE_PATH=$NODE_PATH$\r$\n' - FileWrite $9 'set "Path=%NODE_PATH%;%Path%"$\r$\n' - FileWrite $9 'set OPENSSL_CONF=$OPENSSL_CONF$\r$\n' - FileWrite $9 'cd $NODE_PATH$\r$\n' - FileWrite $9 'echo "start: npm install -g --unsafe-perm serialport@10.1.0" 1>>$INSTDIR\$LOG_FILE 2>&1$\r$\n' - FileWrite $9 'call npm install -g --unsafe-perm serialport@10.1.0 1>>$INSTDIR\$LOG_FILE 2>&1$\r$\n' - FileWrite $9 'if %ERRORLEVEL% neq 0 goto :ERROR$\r$\n' - FileWrite $9 'exit /b 0$\r$\n' - FileWrite $9 ':ERROR$\r$\n' - FileWrite $9 'echo An ERROR has occurred.$\r$\n' - FileWrite $9 'echo See the $INSTDIR\$LOG_FILE file$\r$\n' - FileWrite $9 'pause$\r$\n' - FileWrite $9 'exit /b 1$\r$\n' - FileWrite $9 '$\r$\n' - FileClose $9 - ${EndIf} + DetailPrint "Create $TOOLS_PATH\generate-certificate.cmd" + StrCpy $LOG_FILE "generate-certificate.log" + FileOpen $9 $TOOLS_PATH\generate-certificate.cmd w + FileWrite $9 '@ECHO OFF$\r$\n' + FileWrite $9 '$INSTALL_DRIVE$\r$\n' + FileWrite $9 'echo log saved in $INSTDIR\$LOG_FILE file$\r$\n' + FileWrite $9 'echo Check if certificate already exist$\r$\n' + FileWrite $9 'if exist "$SIGNALK_NODE_CONFIG_DIR\ssl-cert.pem" goto :NOGENCERT$\r$\n' + FileWrite $9 'if exist "$SIGNALK_NODE_CONFIG_DIR\ssl-key.pem" goto :NOGENCERT$\r$\n' + FileWrite $9 'goto :GENCERT$\r$\n' + FileWrite $9 ':NOGENCERT$\r$\n' + FileWrite $9 'echo Certificate already exist in directory 
$SIGNALK_NODE_CONFIG_DIR$\r$\n' + FileWrite $9 'echo Certificate already exist in directory $SIGNALK_NODE_CONFIG_DIR >>$INSTDIR\$LOG_FILE$\r$\n' + FileWrite $9 'echo Delete the ssl-cert.pem and ssl-key.pem files to generate a new certificate.$\r$\n' + FileWrite $9 'echo Delete the ssl-cert.pem and ssl-key.pem files to generate a new certificate. >>$INSTDIR\$LOG_FILE$\r$\n' + FileWrite $9 'exit /b 0$\r$\n' + FileWrite $9 ':GENCERT$\r$\n' + FileWrite $9 'echo Generate certificate in progress...$\r$\n' + FileWrite $9 'echo Generatecertificate in progress... >>$INSTDIR\$LOG_FILE$\r$\n' + FileWrite $9 'set PATH=$NODE_PATH;$OPENSSL_BIN_PATH;%PATH%$\r$\n' + FileWrite $9 'set "Path=$NODE_PATH;%Path%"$\r$\n' + FileWrite $9 'set OPENSSL_CONF=$OPENSSL_CONF$\r$\n' + FileWrite $9 'cd $SIGNALK_NODE_CONFIG_DIR\$\r$\n' + FileWrite $9 'echo "openssl req -newkey rsa:2048 -nodes -keyout ssl-key.pem -x509 -out ssl-cert.pem -days 3650 -config $TOOLS_PATH\certificate-authority-self-signing.conf" >>$INSTDIR\$LOG_FILE$\r$\n' + FileWrite $9 'openssl req -newkey rsa:2048 -nodes -keyout ssl-key.pem -x509 -out ssl-cert.pem -days 3650 -config "$TOOLS_PATH\certificate-authority-self-signing.conf" 1>>$INSTDIR\$LOG_FILE 2>&1$\r$\n' + FileWrite $9 'if %ERRORLEVEL% neq 0 goto :ERROR$\r$\n' + FileWrite $9 'exit /b 0$\r$\n' + FileWrite $9 ':ERROR$\r$\n' + FileWrite $9 'echo An ERROR has occurred.$\r$\n' + FileWrite $9 'echo See the $INSTDIR\$LOG_FILE file$\r$\n' + FileWrite $9 'pause$\r$\n' + FileWrite $9 'exit /b 1$\r$\n' + FileWrite $9 '$\r$\n' + FileClose $9 DetailPrint "Create $TOOLS_PATH\SignalK-CLI.lnk" CreateShortCut "$TOOLS_PATH\SignalK-CLI.lnk" "cmd" \ 
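Review bot: The existence check in the generated generate-certificate.cmd jumps to `:NOGENCERT` when either `ssl-cert.pem` or `ssl-key.pem` exists, so a lone certificate or a lone key leaves the server with an incomplete pair; generation should be skipped only when both files are present (or the script should stop with an error if overwriting the surviving file is not wanted). The `cd $SIGNALK_NODE_CONFIG_DIR\` line is unquoted and its result is not checked, so if the directory does not exist yet (which cannot be verified from this hunk), openssl would write the key into whatever directory the script was started from. `-nodes` writes the private key unencrypted and nothing here restricts the ACL on `ssl-key.pem`; if the install root is readable by other local accounts, consider tightening it with icacls after generation. The fence below shows the reworked check and directory handling; the enclosing function starts outside the hunk.

```nsis
; … unchanged: FileOpen, @ECHO OFF, drive switch, log banner …
FileWrite $9 'if not exist "$SIGNALK_NODE_CONFIG_DIR\ssl-cert.pem" goto :GENCERT$\r$\n'
FileWrite $9 'if not exist "$SIGNALK_NODE_CONFIG_DIR\ssl-key.pem" goto :GENCERT$\r$\n'
; … unchanged: :NOGENCERT messages, exit /b 0, :GENCERT banner, PATH and OPENSSL_CONF setup …
FileWrite $9 'if not exist "$SIGNALK_NODE_CONFIG_DIR" mkdir "$SIGNALK_NODE_CONFIG_DIR"$\r$\n'
FileWrite $9 'cd /d "$SIGNALK_NODE_CONFIG_DIR" || goto :ERROR$\r$\n'
; … unchanged: openssl req call, :ERROR handling, FileClose …
```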
@@ -462,12 +470,10 @@ Section "install signalk-server" SecSkInstall LogSet on - ${If} $W7_DETECTED == "1" - ExecWait '"$TOOLS_PATH\npm-install-serial.cmd"' $0 - DetailPrint "npm install -g --unsafe-perm serialport@10.1.0 returned $0" - ${EndIf} ExecWait '"$TOOLS_PATH\npm-install-signalk-server.cmd"' $0 DetailPrint "npm install -g --unsafe-perm signalk-server returned $0" + ExecWait '"$TOOLS_PATH\generate-certificate.cmd"' $0 + DetailPrint "generate-certificate returned $0" SectionEnd Section "Signal K as services" SecSkService @@ -491,7 +497,7 @@ !insertmacro CreateInternetShortcutWithIcon "$DESKTOP\SignalK-GUI.URL" "http://localhost:3000" "$TOOLS_PATH\signalk.ico" 0 SectionEnd - Section /o "Signal K CLI" SecSignalkCli + Section "Signal K CLI" SecSignalkCli LogSet on DetailPrint "Create desktop shortcut 'Signal K CLI'" CreateShortCut "$DESKTOP\Signal K CLI.lnk" "cmd" \ diff --git a/readme.md b/readme.md index f44d6b4..709323d 100644 --- a/readme.md +++ b/readme.md 
@@ -1,21 +1,20 @@ -**All in one Windows installer v1.0.0 for Signal K server node http://signalk.org/** +**All in one Windows installer v1.1.0 for Signal K server node http://signalk.org/** ___ # Prerequisite - Internet connection during setup process -- **If you have already installed Signal K** with a previous version of the installer with a version of NodeJS lower than 16, +- **If you have already installed Signal K** with a previous version of the installer with a version of NodeJS lower than 18, you will see a windows like this: ![Install-SelectDir](screenshots/Install-CheckNode.png) Please see [Upgrade NodeJS](#upgrade-nodejs) before ! - **If your current OS version is lower than Windows 10**, -NodeJS 12 will be installed instead of NodeJS 16 with limited Signal K server support ( Windows 7 is end of life ). +Operating System version prior to Windows 10 are no longer supported with recent versions of Signal K server. # What's provide with this installer - The latest version of the Signal K server downloaded during installation. -- NodeJS 16.13.2 ( downloaded from https://nodejs.org/dist/v16.13.2/ during installation). -**If your current OS version is lower than Windows 10**, NodeJS 12 only will be install (https://nodejs.org/download/release/v12.22.9/) -- openssl 1.1.1h ( from https://slproweb.com/products/Win32OpenSSL.html ). -- support of X64 and X86 Windows version (Windows 10 X64 and Windows 7 X86 tested). +- NodeJS 18.17.1 ( downloaded from https://nodejs.org/dist/v18.17.1/ during installation). +- openssl 1.1.1u ( from https://slproweb.com/products/Win32OpenSSL.html ). +- support of X64 and X86 Windows version (Windows 10 X64). - All packages are installed under a root directory. You choose your root directory at the time of installation. - Signal K can start as windows service if you choose it at the time of installation. - You can re-run the installer several times. 
@@ -45,8 +44,13 @@ The `Signal K as services` option is selected by default, this is the most inter - Several windows will open successively during the installation. ![Install-Progress-Download-nodejs](screenshots/Install-Progress-Download-nodejs.png) -![Install-Progress-NPM-SignalK](screenshots/Install-Progress-NPM-SignalK.png) ![Install-Progress-NPM-node-windows](screenshots/Install-Progress-NPM-node-windows.png) +![Install-Progress-NPM-SignalK](screenshots/Install-Progress-NPM-SignalK.png) +![Install-Progress-openssl-certificate](screenshots/Install-Progress-openssl-certificate.png) + +- To simplify implementation of the https protocol with your Signal K server, a auto-signed certificat is generated at the installation time. +If you enable ssl mode in the server, your web browser will alert you with the indication of an insecure connection. +It's not ideal solution but at least it won't lock your Signal K server if you want to try the ssl mode. - The `Signal K as services` will bring up 3 message boxes asking permission to install the Windows service. Answer with `OK`. 
@@ -99,18 +103,19 @@ Or ask for support at http://slack-invite.signalk.org/ in channel #support-windo - `stop-signalk-server-services.cmd` stop the Signal K service, you must `Run as administrator` this script. - `remove-signalk-server-services.cmd` remove the Signal K windows service, use this before delete the root directory. You must `Run as administrator` this script. - `create-signalk-server-services.cmd` create the Signal K windows service if you didn't choose it at installation. Cannot be re-run if `tools\daemon` directory exist. You must `Run as administrator` this script. +- `generate-certificat.cmd` generates a self-signed certificate for the Signal K server in https mode. # Upgrade NodeJS -Since the installer in version 1.0.0, NodeJS is provided in version 16. -If you have already installed Signal K with a previous version (with NodeJS version 10), +Since the installer in version 1.1.0, NodeJS is provided in version 18. +If you've already installed Signal K with an earlier version (e.g. NodeJS 10, 12 or 16), it is recommended to make a new installation and then restore the configuration of your Signal K server later. - Stop your Signal K server `stop-signalk-server-services.cmd`. - Remove the Signal K service `remove-signalk-server-services.cmd`. - Close all windows related to signal K. -- Rename your Signal K root directory: e.g. `c:\signalk` to `c:\signalk10`. +- Rename your Signal K root directory: e.g. `c:\signalk` to `c:\signalk-old`. This way, you will keep your Signal K server configuration in a safe place. You can also `Backup` your Signal K server configuration in GUI server: `Server` then `Backup/Restore`. 
-See also the tips here, about plugin compatibility: [Updating to Node.js-16](https://github.com/SignalK/signalk-server/wiki/Updating-to-Node.js-16) +See also the tips here, about plugin compatibility: [Installing and Updating Node.js](https://github.com/SignalK/signalk-server/wiki/Installing-and-Updating-Node.js) - Start installer and install Signal K in the original directory: e.g. `c:\signalk`. - Start the Signal K server and check first without any plugins. - If everything is OK, reinstall your plugins, restore your previous configuration with the `Backup/Restore` function diff --git a/screenshots/Install-Finished.greenshot b/screenshots/Install-Finished.greenshot index 8854265..9517789 100644 Binary files a/screenshots/Install-Finished.greenshot and b/screenshots/Install-Finished.greenshot differ diff --git a/screenshots/Install-Finished.png b/screenshots/Install-Finished.png index ea6d630..5b79a19 100644 Binary files a/screenshots/Install-Finished.png and b/screenshots/Install-Finished.png differ diff --git a/screenshots/Install-Progress-Download-nodejs.greenshot b/screenshots/Install-Progress-Download-nodejs.greenshot index 64c2998..1b45bb1 100644 Binary files a/screenshots/Install-Progress-Download-nodejs.greenshot and b/screenshots/Install-Progress-Download-nodejs.greenshot differ diff --git a/screenshots/Install-Progress-Download-nodejs.png b/screenshots/Install-Progress-Download-nodejs.png index 61472b9..57cb975 100644 Binary files a/screenshots/Install-Progress-Download-nodejs.png and b/screenshots/Install-Progress-Download-nodejs.png differ diff --git a/screenshots/Install-Progress-openssl-certificate.greenshot b/screenshots/Install-Progress-openssl-certificate.greenshot new file mode 100644 index 0000000..dcb6b25 Binary files /dev/null and b/screenshots/Install-Progress-openssl-certificate.greenshot differ 
diff --git a/screenshots/Install-Progress-openssl-certificate.png b/screenshots/Install-Progress-openssl-certificate.png new file mode 100644 index 0000000..eeaff8e Binary files /dev/null and b/screenshots/Install-Progress-openssl-certificate.png differ diff --git a/screenshots/Install-Progress.greenshot b/screenshots/Install-Progress.greenshot index c50288b..80c6c34 100644 Binary files a/screenshots/Install-Progress.greenshot and b/screenshots/Install-Progress.greenshot differ diff --git a/screenshots/Install-Progress.png b/screenshots/Install-Progress.png index 6e1f5a7..6874327 100644 Binary files a/screenshots/Install-Progress.png and b/screenshots/Install-Progress.png differ diff --git a/screenshots/Install-SelectComponents.greenshot b/screenshots/Install-SelectComponents.greenshot index 0aef18f..9ca0119 100644 Binary files a/screenshots/Install-SelectComponents.greenshot and b/screenshots/Install-SelectComponents.greenshot differ diff --git a/screenshots/Install-SelectComponents.png b/screenshots/Install-SelectComponents.png index c1e1a55..a64e499 100644 Binary files a/screenshots/Install-SelectComponents.png and b/screenshots/Install-SelectComponents.png differ diff --git a/screenshots/Install-SelectDir.greenshot b/screenshots/Install-SelectDir.greenshot index 19348ea..c5ffa9d 100644 Binary files a/screenshots/Install-SelectDir.greenshot and b/screenshots/Install-SelectDir.greenshot differ diff --git a/screenshots/Install-SelectDir.png b/screenshots/Install-SelectDir.png index 0a2837b..88eb9d5 100644 Binary files a/screenshots/Install-SelectDir.png and b/screenshots/Install-SelectDir.png differ diff --git a/screenshots/Install-Welcome.greenshot b/screenshots/Install-Welcome.greenshot index 77d6439..b890534 100644 Binary files a/screenshots/Install-Welcome.greenshot and b/screenshots/Install-Welcome.greenshot differ 
diff --git a/screenshots/Install-Welcome.png b/screenshots/Install-Welcome.png index bd903e0..d4f1b5b 100644 Binary files a/screenshots/Install-Welcome.png and b/screenshots/Install-Welcome.png differ diff --git a/src/Win32OpenSSL_Light-1_1_1h.exe b/src/Win32OpenSSL_Light-1_1_1h.exe deleted file mode 100644 index 3ade3be..0000000 Binary files a/src/Win32OpenSSL_Light-1_1_1h.exe and /dev/null differ diff --git a/src/Win32OpenSSL_Light-1_1_1u.exe b/src/Win32OpenSSL_Light-1_1_1u.exe new file mode 100644 index 0000000..b2e9a35 Binary files /dev/null and b/src/Win32OpenSSL_Light-1_1_1u.exe differ diff --git a/src/Win64OpenSSL_Light-1_1_1h.exe b/src/Win64OpenSSL_Light-1_1_1h.exe deleted file mode 100644 index d446d4f..0000000 Binary files a/src/Win64OpenSSL_Light-1_1_1h.exe and /dev/null differ diff --git a/src/Win64OpenSSL_Light-1_1_1u.exe b/src/Win64OpenSSL_Light-1_1_1u.exe new file mode 100644 index 0000000..0533db0 Binary files /dev/null and b/src/Win64OpenSSL_Light-1_1_1u.exe differ diff --git a/target/openssl-x64/authors.txt b/target/openssl-x64/authors.txt index 956395b..258c773 100644 --- a/target/openssl-x64/authors.txt +++ b/target/openssl-x64/authors.txt @@ -13,6 +13,8 @@ Ben Kaduk Bernd Edlinger Bodo Möller David Benjamin +David von Oheimb +Dmitry Belyavskiy (Дмитрий Белявский) Emilia Käsper Eric Young Geoff Thorpe @@ -22,14 +24,19 @@ Lutz Jänicke Mark J. Cox Matt Caswell Matthias St. Pierre +Nicola Tuveri Nils Larsch +Patrick Steuer Paul Dale Paul C. Sutton +Paul Yang Ralf S. Engelschall Rich Salz Richard Levitte +Shane Lontis Stephen Henson Steve Marquess Tim Hudson +Tomáš Mráz Ulf Möller Viktor Dukhovni diff --git a/target/openssl-x64/bin/capi.dll b/target/openssl-x64/bin/capi.dll index 17ac95d..7546241 100644 Binary files a/target/openssl-x64/bin/capi.dll and b/target/openssl-x64/bin/capi.dll differ 
diff --git a/target/openssl-x64/bin/dasync.dll b/target/openssl-x64/bin/dasync.dll index 49f7bcc..df8aa7f 100644 Binary files a/target/openssl-x64/bin/dasync.dll and b/target/openssl-x64/bin/dasync.dll differ diff --git a/target/openssl-x64/bin/libcrypto-1_1-x64.dll b/target/openssl-x64/bin/libcrypto-1_1-x64.dll index ed3b841..0eba844 100644 Binary files a/target/openssl-x64/bin/libcrypto-1_1-x64.dll and b/target/openssl-x64/bin/libcrypto-1_1-x64.dll differ diff --git a/target/openssl-x64/bin/libssl-1_1-x64.dll b/target/openssl-x64/bin/libssl-1_1-x64.dll index e0f6300..56e02f5 100644 Binary files a/target/openssl-x64/bin/libssl-1_1-x64.dll and b/target/openssl-x64/bin/libssl-1_1-x64.dll differ diff --git a/target/openssl-x64/bin/openssl.exe b/target/openssl-x64/bin/openssl.exe index c0e5baf..e3dda7c 100644 Binary files a/target/openssl-x64/bin/openssl.exe and b/target/openssl-x64/bin/openssl.exe differ diff --git a/target/openssl-x64/bin/ossltest.dll b/target/openssl-x64/bin/ossltest.dll index b23d676..d3714fd 100644 Binary files a/target/openssl-x64/bin/ossltest.dll and b/target/openssl-x64/bin/ossltest.dll differ diff --git a/target/openssl-x64/bin/padlock.dll b/target/openssl-x64/bin/padlock.dll index 6e66aa3..0335087 100644 Binary files a/target/openssl-x64/bin/padlock.dll and b/target/openssl-x64/bin/padlock.dll differ diff --git a/target/openssl-x64/bin/tsget.pl b/target/openssl-x64/bin/tsget.pl index 361dac6..5ea169b 100644 --- a/target/openssl-x64/bin/tsget.pl +++ b/target/openssl-x64/bin/tsget.pl @@ -47,7 +47,7 @@ sub create_curl { $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; $curl->setopt(CURLOPT_FAILONERROR, 1); $curl->setopt(CURLOPT_USERAGENT, - "OpenTSA tsget.pl/openssl-1.1.1h"); + "OpenTSA tsget.pl/openssl-1.1.1u"); # Options for POST method. $curl->setopt(CURLOPT_UPLOAD, 1); diff --git a/target/openssl-x64/c_rehash.pl b/target/openssl-x64/c_rehash.pl index 2a60096..40738c1 100644 --- a/target/openssl-x64/c_rehash.pl 
+++ b/target/openssl-x64/c_rehash.pl @@ -2,7 +2,7 @@ # WARNING: do not edit! # Generated by makefile from tools\c_rehash.in -# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -105,54 +105,97 @@ sub help { } exit($errorcount); +sub copy_file { + my ($src_fname, $dst_fname) = @_; + + if (open(my $in, "<", $src_fname)) { + if (open(my $out, ">", $dst_fname)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "Cannot open $dst_fname for write, $!"; + } + close $in; + } else { + warn "Cannot open $src_fname for read, $!"; + } +} + sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. - my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my $dir = shift; + my %hashlist; + + print "Doing $dir\n"; + + if (!chdir $dir) { + print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; + return; + } + + opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_\n" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. 
+ my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } + + chdir $pwd; } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + + open(my $in, "<", $fname); + while(<$in>) { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close $in; + return ($is_cert, $is_crl); } +sub compute_hash { + my $fh; + if ( $^O eq "VMS" ) { + # VMS uses the open through shell + # The file names are safe there and list form is unsupported + if (!open($fh, "-|", join(' ', @_))) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } else { + if (!open($fh, "-|", @_)) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } + return (<$fh>, <$fh>); +} # Link a certificate to its subject name hash value, each hash is of # the form . where n is an integer. If the hash value already exists 
@@ -161,72 +204,48 @@ sub check_file { # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'cert'); } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? 
>> 8) != 0; - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'crl'); +} + +sub link_hash { + my ($fname, $type) = @_; + my $is_cert = $type eq 'cert'; + + my ($hash, $fprint) = compute_hash($openssl, + $is_cert ? "x509" : "crl", + $is_cert ? $x509hash : $crlhash, + "-fingerprint", "-noout", + "-in", $fname); + chomp $hash; + chomp $fprint; + return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + my $crlmark = $is_cert ? "" : "r"; + while(exists $hashlist{"$hash.$crlmark$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { + my $what = $is_cert ? 'certificate' : 'CRL'; + print STDERR "WARNING: Skipping duplicate $what $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$crlmark$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + copy_file($fname, $hash); + } + $hashlist{$hash} = $fprint; } diff --git a/target/openssl-x64/changes.txt b/target/openssl-x64/changes.txt index 7eeacc7..a3e266a 100644 --- a/target/openssl-x64/changes.txt +++ b/target/openssl-x64/changes.txt 
@@ -7,6 +7,471 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1t and 1.1.1u [30 May 2023] + + *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. (CVE-2023-2650) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + [Richard Levitte] + + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 1.1.1s. The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + [Bernd Edlinger] + + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. 
Thanks to + David Benjamin for discovering this issue. (CVE-2023-0466) + [Tomas Mraz] + + *) Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. (CVE-2023-0465) + [Matt Caswell] + + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. (CVE-2023-0464) + [Paul Dale] + + Changes between 1.1.1s and 1.1.1t [7 Feb 2023] + + *) Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0286) + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. 
+ [Hugo Landau] + + *) Fixed Use-after-free following BIO_new_NDEF. + + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + (CVE-2023-0215) + [Viktor Dukhovni, Matt Caswell] + + *) Fixed Double free after calling PEM_read_bio_ex. + + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. 
+ + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + (CVE-2022-4450) + [Kurt Roeckx, Matt Caswell] + + *) Fixed Timing Oracle in RSA Decryption. + + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + (CVE-2022-4304) + [Dmitry Belyavsky, Hubert Kario] + + Changes between 1.1.1r and 1.1.1s [1 Nov 2022] + + *) Fixed a regression introduced in 1.1.1r version not refreshing the + certificate data to be signed before signing the certificate. + [Gibeom Gwon] + + Changes between 1.1.1q and 1.1.1r [11 Oct 2022] + + *) Fixed the linux-mips64 Configure target which was missing the + SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that + platform. + [Adam Joseph] + + *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was + causing incorrect results in some cases as a result. + [Paul Dale] + + *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to + report correct results in some cases + [Matt Caswell] + + *) Fixed a regression introduced in 1.1.1o for re-signing certificates with + different key sizes + [Todd Short] + + *) Added the loongarch64 target + [Shi Pujin] + + *) Fixed a DRBG seed propagation thread safety issue + [Bernd Edlinger] + + *) Fixed a memory leak in tls13_generate_secret + [Bernd Edlinger] + + *) Fixed reported performance degradation on aarch64. 
Restored the + implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid + 32-bit lane assignment in CTR mode") for 64bit targets only, since it is + reportedly 2-17% slower and the silicon errata only affects 32bit targets. + The new algorithm is still used for 32 bit targets. + [Bernd Edlinger] + + *) Added a missing header for memcmp that caused compilation failure on some + platforms + [Gregor Jasny] + + Changes between 1.1.1p and 1.1.1q [5 Jul 2022] + + *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised + implementation would not encrypt the entirety of the data under some + circumstances. This could reveal sixteen bytes of data that was + preexisting in the memory that wasn't written. In the special case of + "in place" encryption, sixteen bytes of the plaintext would be revealed. + + Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, + they are both unaffected. + (CVE-2022-2097) + [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] + + Changes between 1.1.1o and 1.1.1p [21 Jun 2022] + + *) In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. 
+ (CVE-2022-2068) + [Daniel Fiala, Tomáš Mráz] + + *) When OpenSSL TLS client is connecting without any supported elliptic + curves and TLS-1.3 protocol is disabled the connection will no longer fail + if a ciphersuite that does not use a key exchange based on elliptic + curves can be negotiated. + [Tomáš Mráz] + + Changes between 1.1.1n and 1.1.1o [3 May 2022] + + *) Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection. This script is distributed + by some operating systems in a manner where it is automatically executed. + On such operating systems, an attacker could execute arbitrary commands + with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-1292) + [Tomáš Mráz] + + Changes between 1.1.1m and 1.1.1n [15 Mar 2022] + + *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli. + + Internally this function is used when parsing certificates that contain + elliptic curve public keys in compressed form or explicit elliptic curve + parameters with a base point encoded in compressed form. + + It is possible to trigger the infinite loop by crafting a certificate that + has invalid explicit curve parameters. + + Since certificate parsing happens prior to verification of the certificate + signature, any process that parses an externally supplied certificate may + thus be subject to a denial of service attack. The infinite loop can also + be reached when parsing crafted private keys as they can contain explicit + elliptic curve parameters. 
+ + Thus vulnerable situations include: + + - TLS clients consuming server certificates + - TLS servers consuming client certificates + - Hosting providers taking certificates or private keys from customers + - Certificate authorities parsing certification requests from subscribers + - Anything else which parses ASN.1 elliptic curve parameters + + Also any other applications that use the BN_mod_sqrt() where the attacker + can control the parameter values are vulnerable to this DoS issue. + (CVE-2022-0778) + [Tomáš Mráz] + + *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) + to the list of ciphersuites providing Perfect Forward Secrecy as + required by SECLEVEL >= 3. + + [Dmitry Belyavskiy, Nicola Tuveri] + + Changes between 1.1.1l and 1.1.1m [14 Dec 2021] + + *) Avoid loading of a dynamic engine twice. + + [Bernd Edlinger] + + *) Fixed building on Debian with kfreebsd kernels + + [Mattias Ellert] + + *) Prioritise DANE TLSA issuer certs over peer certs + + [Viktor Dukhovni] + + *) Fixed random API for MacOS prior to 10.12 + + These MacOS versions don't support the CommonCrypto APIs + + [Lenny Primak] + + Changes between 1.1.1k and 1.1.1l [24 Aug 2021] + + *) Fixed an SM2 Decryption Buffer Overflow. + + In order to decrypt SM2 encrypted data an application is expected to call the + API function EVP_PKEY_decrypt(). Typically an application will call this + function twice. The first time, on entry, the "out" parameter can be NULL and, + on exit, the "outlen" parameter is populated with the buffer size required to + hold the decrypted plaintext. The application can then allocate a sufficiently + sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL + value for the "out" parameter. 
+ + A bug in the implementation of the SM2 decryption code means that the + calculation of the buffer size required to hold the plaintext returned by the + first call to EVP_PKEY_decrypt() can be smaller than the actual size required by + the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is + called by the application a second time with a buffer that is too small. + + A malicious attacker who is able present SM2 content for decryption to an + application could cause attacker chosen data to overflow the buffer by up to a + maximum of 62 bytes altering the contents of other data held after the + buffer, possibly changing application behaviour or causing the application to + crash. The location of the buffer is application dependent but is typically + heap allocated. + (CVE-2021-3711) + [Matt Caswell] + + *) Fixed various read buffer overruns processing ASN.1 strings + + ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING + structure which contains a buffer holding the string data and a field holding + the buffer length. This contrasts with normal C strings which are repesented as + a buffer for the string data which is terminated with a NUL (0) byte. + + Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's + own "d2i" functions (and other similar parsing functions) as well as any string + whose value has been set with the ASN1_STRING_set() function will additionally + NUL terminate the byte array in the ASN1_STRING structure. + + However, it is possible for applications to directly construct valid ASN1_STRING + structures which do not NUL terminate the byte array by directly setting the + "data" and "length" fields in the ASN1_STRING array. This can also happen by + using the ASN1_STRING_set0() function. 
+ + Numerous OpenSSL functions that print ASN.1 data have been found to assume that + the ASN1_STRING byte array will be NUL terminated, even though this is not + guaranteed for strings that have been directly constructed. Where an application + requests an ASN.1 structure to be printed, and where that ASN.1 structure + contains ASN1_STRINGs that have been directly constructed by the application + without NUL terminating the "data" field, then a read buffer overrun can occur. + + The same thing can also occur during name constraints processing of certificates + (for example if a certificate has been directly constructed by the application + instead of loading it via the OpenSSL parsing functions, and the certificate + contains non NUL terminated ASN1_STRING structures). It can also occur in the + X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. + + If a malicious actor can cause an application to directly construct an + ASN1_STRING and then process it through one of the affected OpenSSL functions + then this issue could be hit. This might result in a crash (causing a Denial of + Service attack). It could also result in the disclosure of private memory + contents (such as private keys, or sensitive plaintext). + (CVE-2021-3712) + [Matt Caswell] + + Changes between 1.1.1j and 1.1.1k [25 Mar 2021] + + *) Fixed a problem with verifying a certificate chain when using the + X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks + of the certificates present in a certificate chain. It is not set by + default. + + Starting from OpenSSL version 1.1.1h a check to disallow certificates in + the chain that have explicitly encoded elliptic curve parameters was added + as an additional strict check. + + An error in the implementation of this check meant that the result of a + previous check to confirm that certificates in the chain are valid CA + certificates was overwritten. 
This effectively bypasses the check + that non-CA certificates must not be able to issue other certificates. + + If a "purpose" has been configured then there is a subsequent opportunity + for checks that the certificate is a valid CA. All of the named "purpose" + values implemented in libcrypto perform this check. Therefore, where + a purpose is set the certificate chain will still be rejected even when the + strict flag has been used. A purpose is set by default in libssl client and + server certificate verification routines, but it can be overridden or + removed by an application. + + In order to be affected, an application must explicitly set the + X509_V_FLAG_X509_STRICT verification flag and either not set a purpose + for the certificate verification or, in the case of TLS client or server + applications, override the default purpose. + (CVE-2021-3450) + [Tomáš Mráz] + + *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously + crafted renegotiation ClientHello message from a client. If a TLSv1.2 + renegotiation ClientHello omits the signature_algorithms extension (where + it was present in the initial ClientHello), but includes a + signature_algorithms_cert extension then a NULL pointer dereference will + result, leading to a crash and a denial of service attack. + + A server is only vulnerable if it has TLSv1.2 and renegotiation enabled + (which is the default configuration). OpenSSL TLS clients are not impacted + by this issue. + (CVE-2021-3449) + [Peter Kästle and Samuel Sapalski] + + Changes between 1.1.1i and 1.1.1j [16 Feb 2021] + + *) Fixed the X509_issuer_and_serial_hash() function. It attempts to + create a unique hash value based on the issuer and serial number data + contained within an X509 certificate. However it was failing to correctly + handle any errors that may occur while parsing the issuer field (which might + occur if the issuer field is maliciously constructed). 
This may subsequently + result in a NULL pointer deref and a crash leading to a potential denial of + service attack. + (CVE-2021-23841) + [Matt Caswell] + + *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks. This is considered a + bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is + CVE-2021-23839. + [Matt Caswell] + + *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate + functions. Previously they could overflow the output length argument in some + cases where the input length is close to the maximum permissable length for + an integer on the platform. In such cases the return value from the function + call would be 1 (indicating success), but the output length value would be + negative. This could cause applications to behave incorrectly or crash. + (CVE-2021-23840) + [Matt Caswell] + + *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous + implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This + could be exploited in a side channel attack to recover the password. Since + the attack is local host only this is outside of the current OpenSSL + threat model and therefore no CVE is assigned. + + Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this + issue. + [Matt Caswell] + + Changes between 1.1.1h and 1.1.1i [8 Dec 2020] + + *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function + This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME. + If an attacker can control both items being compared then this could lead + to a possible denial of service attack. 
OpenSSL itself uses the + GENERAL_NAME_cmp function for two purposes: + 1) Comparing CRL distribution point names between an available CRL and a + CRL distribution point embedded in an X509 certificate + 2) When verifying that a timestamp response token signer matches the + timestamp authority name (exposed via the API functions + TS_RESP_verify_response and TS_RESP_verify_token) + (CVE-2020-1971) + [Matt Caswell] + + *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target. + [Stuart Carnie] + + *) The security callback, which can be customised by application code, supports + the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY + in the "other" parameter. In most places this is what is passed. All these + places occur server side. However there was one client side call of this + security operation and it passed a DH object instead. This is incorrect + according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all + of the other locations. Therefore this client side call has been changed to + pass an EVP_PKEY instead. + [Matt Caswell] + + *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected + when validating a certificate path. This check is restored in 1.1.1i. + [David von Oheimb] + Changes between 1.1.1g and 1.1.1h [22 Sep 2020] *) Certificates with explicit curve parameters are now disallowed in @@ -32,6 +497,10 @@ on renegotiation. [Tomas Mraz] + *) Accidentally, an expired trusted (root) certificate is not anymore rejected + when validating a certificate path. + [David von Oheimb] + *) The Oracle Developer Studio compiler will start reporting deprecated APIs Changes between 1.1.1f and 1.1.1g [21 Apr 2020] diff --git a/target/openssl-x64/news.txt b/target/openssl-x64/news.txt index eeb8993..11a9e94 100644 --- a/target/openssl-x64/news.txt +++ b/target/openssl-x64/news.txt 
@@ -5,6 +5,84 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] + + o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic + OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Fixed handling of invalid certificate policies in leaf certificates + (CVE-2023-0465) + o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] + + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) + o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) + o Fixed Timing Oracle in RSA Decryption (CVE-2022-4304) + + Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] + + o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the + certificate data to be signed before signing the certificate. 
+ + Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022] + + o Added a missing header for memcmp that caused compilation failure on + some platforms + + Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022] + + o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms + (CVE-2022-2097) + + Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022] + + o Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + (CVE-2022-2068) + + Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022] + + o Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection (CVE-2022-1292) + + Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022] + + o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop + forever for non-prime moduli (CVE-2022-0778) + + Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] + + o None + + Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021] + + o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711) + o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712) + + Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] + + o Fixed a problem with verifying a certificate chain when using the + X509_V_FLAG_X509_STRICT flag (CVE-2021-3450) + o Fixed an issue where an OpenSSL TLS server may crash if sent a + maliciously crafted renegotiation ClientHello message from a client + (CVE-2021-3449) + + Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] + + o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() + function (CVE-2021-23841) + o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks + o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and + 
EVP_DecryptUpdate functions (CVE-2021-23840) + o Fixed SRP_Calc_client_key so that it runs in constant time + + Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] + + o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) + Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] o Disallow explicit curve parameters in verifications chains when diff --git a/target/openssl-x64/readme.txt b/target/openssl-x64/readme.txt index 4446836..3b51d0f 100644 --- a/target/openssl-x64/readme.txt +++ b/target/openssl-x64/readme.txt @@ -1,7 +1,7 @@ - OpenSSL 1.1.1h 22 Sep 2020 + OpenSSL 1.1.1u 30 May 2023 - Copyright (c) 1998-2020 The OpenSSL Project + Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/target/openssl-x86/authors.txt b/target/openssl-x86/authors.txt index 956395b..258c773 100644 --- a/target/openssl-x86/authors.txt +++ b/target/openssl-x86/authors.txt @@ -13,6 +13,8 @@ Ben Kaduk Bernd Edlinger Bodo Möller David Benjamin +David von Oheimb +Dmitry Belyavskiy (Дмитрий Белявский) Emilia Käsper Eric Young Geoff Thorpe @@ -22,14 +24,19 @@ Lutz Jänicke Mark J. Cox Matt Caswell Matthias St. Pierre +Nicola Tuveri Nils Larsch +Patrick Steuer Paul Dale Paul C. Sutton +Paul Yang Ralf S. Engelschall Rich Salz Richard Levitte +Shane Lontis Stephen Henson Steve Marquess Tim Hudson +Tomáš Mráz Ulf Möller Viktor Dukhovni diff --git a/target/openssl-x86/bin/capi.dll b/target/openssl-x86/bin/capi.dll index 0237f56..256e909 100644 Binary files a/target/openssl-x86/bin/capi.dll and b/target/openssl-x86/bin/capi.dll differ diff --git a/target/openssl-x86/bin/dasync.dll b/target/openssl-x86/bin/dasync.dll index 51b5b05..887a03b 100644 Binary files a/target/openssl-x86/bin/dasync.dll and b/target/openssl-x86/bin/dasync.dll differ 
diff --git a/target/openssl-x86/bin/libcrypto-1_1.dll b/target/openssl-x86/bin/libcrypto-1_1.dll index d9a0255..f96f38c 100644 Binary files a/target/openssl-x86/bin/libcrypto-1_1.dll and b/target/openssl-x86/bin/libcrypto-1_1.dll differ diff --git a/target/openssl-x86/bin/libssl-1_1.dll b/target/openssl-x86/bin/libssl-1_1.dll index f68af36..d8dad20 100644 Binary files a/target/openssl-x86/bin/libssl-1_1.dll and b/target/openssl-x86/bin/libssl-1_1.dll differ diff --git a/target/openssl-x86/bin/openssl.exe b/target/openssl-x86/bin/openssl.exe index b7f72f3..10218de 100644 Binary files a/target/openssl-x86/bin/openssl.exe and b/target/openssl-x86/bin/openssl.exe differ diff --git a/target/openssl-x86/bin/ossltest.dll b/target/openssl-x86/bin/ossltest.dll index 4eb9378..dcf69bd 100644 Binary files a/target/openssl-x86/bin/ossltest.dll and b/target/openssl-x86/bin/ossltest.dll differ diff --git a/target/openssl-x86/bin/padlock.dll b/target/openssl-x86/bin/padlock.dll index d3bfe97..f0af353 100644 Binary files a/target/openssl-x86/bin/padlock.dll and b/target/openssl-x86/bin/padlock.dll differ diff --git a/target/openssl-x86/bin/tsget.pl b/target/openssl-x86/bin/tsget.pl index 361dac6..5ea169b 100644 --- a/target/openssl-x86/bin/tsget.pl +++ b/target/openssl-x86/bin/tsget.pl @@ -47,7 +47,7 @@ sub create_curl { $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; $curl->setopt(CURLOPT_FAILONERROR, 1); $curl->setopt(CURLOPT_USERAGENT, - "OpenTSA tsget.pl/openssl-1.1.1h"); + "OpenTSA tsget.pl/openssl-1.1.1u"); # Options for POST method. $curl->setopt(CURLOPT_UPLOAD, 1); diff --git a/target/openssl-x86/c_rehash.pl b/target/openssl-x86/c_rehash.pl index 2a60096..40738c1 100644 --- a/target/openssl-x86/c_rehash.pl +++ b/target/openssl-x86/c_rehash.pl 
@@ -2,7 +2,7 @@ # WARNING: do not edit! # Generated by makefile from tools\c_rehash.in -# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -105,54 +105,97 @@ sub help { } exit($errorcount); +sub copy_file { + my ($src_fname, $dst_fname) = @_; + + if (open(my $in, "<", $src_fname)) { + if (open(my $out, ">", $dst_fname)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "Cannot open $dst_fname for write, $!"; + } + close $in; + } else { + warn "Cannot open $src_fname for read, $!"; + } +} + sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. - my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my $dir = shift; + my %hashlist; + + print "Doing $dir\n"; + + if (!chdir $dir) { + print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; + return; + } + + opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_\n" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. 
+ my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } + + chdir $pwd; } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + + open(my $in, "<", $fname); + while(<$in>) { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close $in; + return ($is_cert, $is_crl); } +sub compute_hash { + my $fh; + if ( $^O eq "VMS" ) { + # VMS uses the open through shell + # The file names are safe there and list form is unsupported + if (!open($fh, "-|", join(' ', @_))) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } else { + if (!open($fh, "-|", @_)) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } + return (<$fh>, <$fh>); +} # Link a certificate to its subject name hash value, each hash is of # the form . where n is an integer. If the hash value already exists 
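Review bot: The file filter in `hash_dir`, `grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist`, is looser than it reads. The alternation is not grouped, so `\.` applies only to `pem` and `$` only to `crl`, and any name containing `.pem`, `crt` or `cer` anywhere is selected. In a trust directory, a leftover backup copy of a certificate (a constructed example: `old-ca.pem.bak`) would still get a hash link and would presumably be found by hash lookups. If only the four extensions are intended, the pattern should be `/\.(pem|crt|cer|crl)$/`. The file header marks this script as generated from `tools\c_rehash.in`, so the change belongs in the upstream template rather than in this copy.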
@@ -161,72 +204,48 @@ sub check_file { # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'cert'); } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? 
>> 8) != 0; - } - $hashlist{$hash} = $fprint; + link_hash($_[0], 'crl'); +} + +sub link_hash { + my ($fname, $type) = @_; + my $is_cert = $type eq 'cert'; + + my ($hash, $fprint) = compute_hash($openssl, + $is_cert ? "x509" : "crl", + $is_cert ? $x509hash : $crlhash, + "-fingerprint", "-noout", + "-in", $fname); + chomp $hash; + chomp $fprint; + return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + my $crlmark = $is_cert ? "" : "r"; + while(exists $hashlist{"$hash.$crlmark$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { + my $what = $is_cert ? 'certificate' : 'CRL'; + print STDERR "WARNING: Skipping duplicate $what $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$crlmark$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + copy_file($fname, $hash); + } + $hashlist{$hash} = $fprint; } diff --git a/target/openssl-x86/changes.txt b/target/openssl-x86/changes.txt index 7eeacc7..a3e266a 100644 --- a/target/openssl-x86/changes.txt +++ b/target/openssl-x86/changes.txt 
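Review bot: `return if !$hash;` in link_hash skips the file with no message from the script, so a certificate or CRL that could not be hashed just has no link in the directory; for a CRL that means its revocation data is missing from the hashed directory. Reporting it, e.g. `if (!$hash) { print STDERR "WARNING: Cannot compute hash for $fname: skipping\n"; return; }`, would match the existing WARNING lines in hash_dir. compute_hash in the previous hunk returns the pipe output without closing the handle, so the exit status of openssl is presumably not inspected either; worth confirming that this is intended. link_hash is fully contained in this hunk.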
@@ -7,6 +7,471 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1t and 1.1.1u [30 May 2023] + + *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. (CVE-2023-2650) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + [Richard Levitte] + + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 1.1.1s. The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + [Bernd Edlinger] + + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. 
Thanks to + David Benjamin for discovering this issue. (CVE-2023-0466) + [Tomas Mraz] + + *) Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. (CVE-2023-0465) + [Matt Caswell] + + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. (CVE-2023-0464) + [Paul Dale] + + Changes between 1.1.1s and 1.1.1t [7 Feb 2023] + + *) Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0286) + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. 
+ [Hugo Landau] + + *) Fixed Use-after-free following BIO_new_NDEF. + + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + (CVE-2023-0215) + [Viktor Dukhovni, Matt Caswell] + + *) Fixed Double free after calling PEM_read_bio_ex. + + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. 
+ + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + (CVE-2022-4450) + [Kurt Roeckx, Matt Caswell] + + *) Fixed Timing Oracle in RSA Decryption. + + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + (CVE-2022-4304) + [Dmitry Belyavsky, Hubert Kario] + + Changes between 1.1.1r and 1.1.1s [1 Nov 2022] + + *) Fixed a regression introduced in 1.1.1r version not refreshing the + certificate data to be signed before signing the certificate. + [Gibeom Gwon] + + Changes between 1.1.1q and 1.1.1r [11 Oct 2022] + + *) Fixed the linux-mips64 Configure target which was missing the + SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that + platform. + [Adam Joseph] + + *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was + causing incorrect results in some cases as a result. + [Paul Dale] + + *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to + report correct results in some cases + [Matt Caswell] + + *) Fixed a regression introduced in 1.1.1o for re-signing certificates with + different key sizes + [Todd Short] + + *) Added the loongarch64 target + [Shi Pujin] + + *) Fixed a DRBG seed propagation thread safety issue + [Bernd Edlinger] + + *) Fixed a memory leak in tls13_generate_secret + [Bernd Edlinger] + + *) Fixed reported performance degradation on aarch64. 
Restored the + implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid + 32-bit lane assignment in CTR mode") for 64bit targets only, since it is + reportedly 2-17% slower and the silicon errata only affects 32bit targets. + The new algorithm is still used for 32 bit targets. + [Bernd Edlinger] + + *) Added a missing header for memcmp that caused compilation failure on some + platforms + [Gregor Jasny] + + Changes between 1.1.1p and 1.1.1q [5 Jul 2022] + + *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised + implementation would not encrypt the entirety of the data under some + circumstances. This could reveal sixteen bytes of data that was + preexisting in the memory that wasn't written. In the special case of + "in place" encryption, sixteen bytes of the plaintext would be revealed. + + Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, + they are both unaffected. + (CVE-2022-2097) + [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] + + Changes between 1.1.1o and 1.1.1p [21 Jun 2022] + + *) In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection have been + fixed. + + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. 
+ (CVE-2022-2068) + [Daniel Fiala, Tomáš Mráz] + + *) When OpenSSL TLS client is connecting without any supported elliptic + curves and TLS-1.3 protocol is disabled the connection will no longer fail + if a ciphersuite that does not use a key exchange based on elliptic + curves can be negotiated. + [Tomáš Mráz] + + Changes between 1.1.1n and 1.1.1o [3 May 2022] + + *) Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection. This script is distributed + by some operating systems in a manner where it is automatically executed. + On such operating systems, an attacker could execute arbitrary commands + with the privileges of the script. + + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + (CVE-2022-1292) + [Tomáš Mráz] + + Changes between 1.1.1m and 1.1.1n [15 Mar 2022] + + *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli. + + Internally this function is used when parsing certificates that contain + elliptic curve public keys in compressed form or explicit elliptic curve + parameters with a base point encoded in compressed form. + + It is possible to trigger the infinite loop by crafting a certificate that + has invalid explicit curve parameters. + + Since certificate parsing happens prior to verification of the certificate + signature, any process that parses an externally supplied certificate may + thus be subject to a denial of service attack. The infinite loop can also + be reached when parsing crafted private keys as they can contain explicit + elliptic curve parameters. 
+ + Thus vulnerable situations include: + + - TLS clients consuming server certificates + - TLS servers consuming client certificates + - Hosting providers taking certificates or private keys from customers + - Certificate authorities parsing certification requests from subscribers + - Anything else which parses ASN.1 elliptic curve parameters + + Also any other applications that use the BN_mod_sqrt() where the attacker + can control the parameter values are vulnerable to this DoS issue. + (CVE-2022-0778) + [Tomáš Mráz] + + *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) + to the list of ciphersuites providing Perfect Forward Secrecy as + required by SECLEVEL >= 3. + + [Dmitry Belyavskiy, Nicola Tuveri] + + Changes between 1.1.1l and 1.1.1m [14 Dec 2021] + + *) Avoid loading of a dynamic engine twice. + + [Bernd Edlinger] + + *) Fixed building on Debian with kfreebsd kernels + + [Mattias Ellert] + + *) Prioritise DANE TLSA issuer certs over peer certs + + [Viktor Dukhovni] + + *) Fixed random API for MacOS prior to 10.12 + + These MacOS versions don't support the CommonCrypto APIs + + [Lenny Primak] + + Changes between 1.1.1k and 1.1.1l [24 Aug 2021] + + *) Fixed an SM2 Decryption Buffer Overflow. + + In order to decrypt SM2 encrypted data an application is expected to call the + API function EVP_PKEY_decrypt(). Typically an application will call this + function twice. The first time, on entry, the "out" parameter can be NULL and, + on exit, the "outlen" parameter is populated with the buffer size required to + hold the decrypted plaintext. The application can then allocate a sufficiently + sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL + value for the "out" parameter. 
+ + A bug in the implementation of the SM2 decryption code means that the + calculation of the buffer size required to hold the plaintext returned by the + first call to EVP_PKEY_decrypt() can be smaller than the actual size required by + the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is + called by the application a second time with a buffer that is too small. + + A malicious attacker who is able present SM2 content for decryption to an + application could cause attacker chosen data to overflow the buffer by up to a + maximum of 62 bytes altering the contents of other data held after the + buffer, possibly changing application behaviour or causing the application to + crash. The location of the buffer is application dependent but is typically + heap allocated. + (CVE-2021-3711) + [Matt Caswell] + + *) Fixed various read buffer overruns processing ASN.1 strings + + ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING + structure which contains a buffer holding the string data and a field holding + the buffer length. This contrasts with normal C strings which are repesented as + a buffer for the string data which is terminated with a NUL (0) byte. + + Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's + own "d2i" functions (and other similar parsing functions) as well as any string + whose value has been set with the ASN1_STRING_set() function will additionally + NUL terminate the byte array in the ASN1_STRING structure. + + However, it is possible for applications to directly construct valid ASN1_STRING + structures which do not NUL terminate the byte array by directly setting the + "data" and "length" fields in the ASN1_STRING array. This can also happen by + using the ASN1_STRING_set0() function. 
+ + Numerous OpenSSL functions that print ASN.1 data have been found to assume that + the ASN1_STRING byte array will be NUL terminated, even though this is not + guaranteed for strings that have been directly constructed. Where an application + requests an ASN.1 structure to be printed, and where that ASN.1 structure + contains ASN1_STRINGs that have been directly constructed by the application + without NUL terminating the "data" field, then a read buffer overrun can occur. + + The same thing can also occur during name constraints processing of certificates + (for example if a certificate has been directly constructed by the application + instead of loading it via the OpenSSL parsing functions, and the certificate + contains non NUL terminated ASN1_STRING structures). It can also occur in the + X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. + + If a malicious actor can cause an application to directly construct an + ASN1_STRING and then process it through one of the affected OpenSSL functions + then this issue could be hit. This might result in a crash (causing a Denial of + Service attack). It could also result in the disclosure of private memory + contents (such as private keys, or sensitive plaintext). + (CVE-2021-3712) + [Matt Caswell] + + Changes between 1.1.1j and 1.1.1k [25 Mar 2021] + + *) Fixed a problem with verifying a certificate chain when using the + X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks + of the certificates present in a certificate chain. It is not set by + default. + + Starting from OpenSSL version 1.1.1h a check to disallow certificates in + the chain that have explicitly encoded elliptic curve parameters was added + as an additional strict check. + + An error in the implementation of this check meant that the result of a + previous check to confirm that certificates in the chain are valid CA + certificates was overwritten. 
This effectively bypasses the check + that non-CA certificates must not be able to issue other certificates. + + If a "purpose" has been configured then there is a subsequent opportunity + for checks that the certificate is a valid CA. All of the named "purpose" + values implemented in libcrypto perform this check. Therefore, where + a purpose is set the certificate chain will still be rejected even when the + strict flag has been used. A purpose is set by default in libssl client and + server certificate verification routines, but it can be overridden or + removed by an application. + + In order to be affected, an application must explicitly set the + X509_V_FLAG_X509_STRICT verification flag and either not set a purpose + for the certificate verification or, in the case of TLS client or server + applications, override the default purpose. + (CVE-2021-3450) + [Tomáš Mráz] + + *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously + crafted renegotiation ClientHello message from a client. If a TLSv1.2 + renegotiation ClientHello omits the signature_algorithms extension (where + it was present in the initial ClientHello), but includes a + signature_algorithms_cert extension then a NULL pointer dereference will + result, leading to a crash and a denial of service attack. + + A server is only vulnerable if it has TLSv1.2 and renegotiation enabled + (which is the default configuration). OpenSSL TLS clients are not impacted + by this issue. + (CVE-2021-3449) + [Peter Kästle and Samuel Sapalski] + + Changes between 1.1.1i and 1.1.1j [16 Feb 2021] + + *) Fixed the X509_issuer_and_serial_hash() function. It attempts to + create a unique hash value based on the issuer and serial number data + contained within an X509 certificate. However it was failing to correctly + handle any errors that may occur while parsing the issuer field (which might + occur if the issuer field is maliciously constructed). 
This may subsequently + result in a NULL pointer deref and a crash leading to a potential denial of + service attack. + (CVE-2021-23841) + [Matt Caswell] + + *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks. This is considered a + bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is + CVE-2021-23839. + [Matt Caswell] + + *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate + functions. Previously they could overflow the output length argument in some + cases where the input length is close to the maximum permissable length for + an integer on the platform. In such cases the return value from the function + call would be 1 (indicating success), but the output length value would be + negative. This could cause applications to behave incorrectly or crash. + (CVE-2021-23840) + [Matt Caswell] + + *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous + implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This + could be exploited in a side channel attack to recover the password. Since + the attack is local host only this is outside of the current OpenSSL + threat model and therefore no CVE is assigned. + + Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this + issue. + [Matt Caswell] + + Changes between 1.1.1h and 1.1.1i [8 Dec 2020] + + *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function + This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME. + If an attacker can control both items being compared then this could lead + to a possible denial of service attack. 
OpenSSL itself uses the + GENERAL_NAME_cmp function for two purposes: + 1) Comparing CRL distribution point names between an available CRL and a + CRL distribution point embedded in an X509 certificate + 2) When verifying that a timestamp response token signer matches the + timestamp authority name (exposed via the API functions + TS_RESP_verify_response and TS_RESP_verify_token) + (CVE-2020-1971) + [Matt Caswell] + + *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target. + [Stuart Carnie] + + *) The security callback, which can be customised by application code, supports + the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY + in the "other" parameter. In most places this is what is passed. All these + places occur server side. However there was one client side call of this + security operation and it passed a DH object instead. This is incorrect + according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all + of the other locations. Therefore this client side call has been changed to + pass an EVP_PKEY instead. + [Matt Caswell] + + *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected + when validating a certificate path. This check is restored in 1.1.1i. + [David von Oheimb] + Changes between 1.1.1g and 1.1.1h [22 Sep 2020] *) Certificates with explicit curve parameters are now disallowed in @@ -32,6 +497,10 @@ on renegotiation. [Tomas Mraz] + *) Accidentally, an expired trusted (root) certificate is not anymore rejected + when validating a certificate path. + [David von Oheimb] + *) The Oracle Developer Studio compiler will start reporting deprecated APIs Changes between 1.1.1f and 1.1.1g [21 Apr 2020] diff --git a/target/openssl-x86/news.txt b/target/openssl-x86/news.txt index eeb8993..11a9e94 100644 --- a/target/openssl-x86/news.txt +++ b/target/openssl-x86/news.txt 
@@ -5,6 +5,84 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] + + o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic + OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Fixed handling of invalid certificate policies in leaf certificates + (CVE-2023-0465) + o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] + + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) + o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) + o Fixed Timing Oracle in RSA Decryption (CVE-2022-4304) + + Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] + + o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the + certificate data to be signed before signing the certificate. 
+ + Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022] + + o Added a missing header for memcmp that caused compilation failure on + some platforms + + Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022] + + o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms + (CVE-2022-2097) + + Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022] + + o Fixed additional bugs in the c_rehash script which was not properly + sanitising shell metacharacters to prevent command injection + (CVE-2022-2068) + + Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022] + + o Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection (CVE-2022-1292) + + Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022] + + o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop + forever for non-prime moduli (CVE-2022-0778) + + Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] + + o None + + Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021] + + o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711) + o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712) + + Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] + + o Fixed a problem with verifying a certificate chain when using the + X509_V_FLAG_X509_STRICT flag (CVE-2021-3450) + o Fixed an issue where an OpenSSL TLS server may crash if sent a + maliciously crafted renegotiation ClientHello message from a client + (CVE-2021-3449) + + Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] + + o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() + function (CVE-2021-23841) + o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks + o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and + 
EVP_DecryptUpdate functions (CVE-2021-23840) + o Fixed SRP_Calc_client_key so that it runs in constant time + + Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] + + o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) + Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] o Disallow explicit curve parameters in verifications chains when diff --git a/target/openssl-x86/readme.txt b/target/openssl-x86/readme.txt index 4446836..3b51d0f 100644 --- a/target/openssl-x86/readme.txt +++ b/target/openssl-x86/readme.txt @@ -1,7 +1,7 @@ - OpenSSL 1.1.1h 22 Sep 2020 + OpenSSL 1.1.1u 30 May 2023 - Copyright (c) 1998-2020 The OpenSSL Project + Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/target/readme.html b/target/readme.html index fbcc704..79c9aa1 100644 --- a/target/readme.html +++ b/target/readme.html @@ -15,26 +15,26 @@

- All in one Windows installer v1.0.0 for Signal K server node http://signalk.org/ + All in one Windows installer v1.1.0 for Signal K server node http://signalk.org/


Prerequisite

  • Internet connection during setup process
  • - If you have already installed Signal K with a previous version of the installer with a version of NodeJS lower than 16,
    + If you have already installed Signal K with a previous version of the installer with a version of NodeJS lower than 18,
    you will see a windows like this:
    Install-SelectDir
    Please see Upgrade NodeJS before !
  • If your current OS version is lower than Windows 10,
    -NodeJS 12 will be installed instead of NodeJS 16 with limited Signal K server support ( Windows 7 is end of life ).
  • +Operating System version prior to Windows 10 are no longer supported with recent versions of Signal K server.

What's provide with this installer

  • The latest version of the Signal K server downloaded during installation.
  • -
  • NodeJS 16.13.2 ( downloaded from https://nodejs.org/dist/v16.13.2/ during installation).
    If your current OS version is lower than Windows 10, NodeJS 12 only will be install (https://nodejs.org/download/release/v12.22.9/)
  • -
  • openssl 1.1.1h ( from https://slproweb.com/products/Win32OpenSSL.html ).
  • -
  • support of X64 and X86 Windows version (Windows 10 X64 and Windows 7 X86 tested).
  • +
  • NodeJS 18.17.1 ( downloaded from https://nodejs.org/dist/v18.17.1/ during installation).
  • +
  • openssl 1.1.1u ( from https://slproweb.com/products/Win32OpenSSL.html ).
  • +
  • support of X64 and X86 Windows version (Windows 10 X64).
  • All packages are installed under a root directory. You choose your root directory at the time of installation.
  • Signal K can start as windows service if you choose it at the time of installation.
  • You can re-run the installer several times.
  • @@ -67,7 +67,12 @@

    How to install Signal K server node

    Then click Install button
    Install-Progress

  • -

    Several windows will open successively during the installation.
    Install-Progress-Download-nodejs
    Install-Progress-NPM-SignalK
    Install-Progress-NPM-node-windows

    +

    Several windows will open successively during the installation.
    Install-Progress-Download-nodejs
    Install-Progress-NPM-node-windows
    Install-Progress-NPM-SignalK
    Install-Progress-openssl-certificate

    +
  • +
  • +

    To simplify implementation of the https protocol with your Signal K server, a auto-signed certificat is generated at the installation time.
    +If you enable ssl mode in the server, your web browser will alert you with the indication of an insecure connection.
    +It's not ideal solution but at least it won't lock your Signal K server if you want to try the ssl mode.

  • The Signal K as services will bring up 3 message boxes asking permission to install the Windows service.
    @@ -124,19 +129,21 @@

    The tools to mana remove-signalk-server-services.cmd remove the Signal K windows service, use this before delete the root directory. You must Run as administrator this script.

  • create-signalk-server-services.cmd create the Signal K windows service if you didn't choose it at installation. Cannot be re-run if tools\daemon directory exist. You must Run as administrator this script.
  • +
  • + generate-certificat.cmd generates a self-signed certificate for the Signal K server in https mode.

Upgrade NodeJS

-

Since the installer in version 1.0.0, NodeJS is provided in version 16.
-If you have already installed Signal K with a previous version (with NodeJS version 10),
+

Since the installer in version 1.1.0, NodeJS is provided in version 18.
+If you've already installed Signal K with an earlier version (e.g. NodeJS 10, 12 or 16),
it is recommended to make a new installation and then restore the configuration of your Signal K server later.

  • Stop your Signal K server stop-signalk-server-services.cmd.
  • Remove the Signal K service remove-signalk-server-services.cmd.
  • Close all windows related to signal K.
  • -
  • Rename your Signal K root directory: e.g. c:\signalk to c:\signalk10.
    +
  • Rename your Signal K root directory: e.g. c:\signalk to c:\signalk-old.
    This way, you will keep your Signal K server configuration in a safe place.
    You can also Backup your Signal K server configuration in GUI server: Server then Backup/Restore.
    -See also the tips here, about plugin compatibility: Updating to Node.js-16
  • +See also the tips here, about plugin compatibility: Installing and Updating Node.js
  • Start installer and install Signal K in the original directory: e.g. c:\signalk.
  • Start the Signal K server and check first without any plugins.
  • If everything is OK, reinstall your plugins, restore your previous configuration with the Backup/Restore function
diff --git a/target/signalkhome/.signalk/readme.txt b/target/signalkhome/.signalk/readme.txt
new file mode 100644
index 0000000..dc81f0b
--- /dev/null
+++ b/target/signalkhome/.signalk/readme.txt
@@ -0,0 +1 @@
+This is the settings directory of Signal K
\ No newline at end of file
diff --git a/target/tools/certificate-authority-self-signing.conf b/target/tools/certificate-authority-self-signing.conf
new file mode 100644
index 0000000..066cdb7
--- /dev/null
+++ b/target/tools/certificate-authority-self-signing.conf
@@ -0,0 +1,25 @@
+[ req ]
+# Which algorithm to use
+default_md = sha256
+# Don't prompt the TTY for input, just use the config file values
+prompt = no
+# Interpret strings as utf8, not ASCII
+utf8 = yes
+# This specifies the section containing the distinguished name fields to
+# prompt for when generating a certificate request.
+distinguished_name = req_distinguished_name
+# This specifies the configuration file section containing a list of extensions
+# to add to the certificate request.
+x509_extensions = v3_ca
+# How long is the CA valid for
+default_days = 7000
+
+[ req_distinguished_name ]
+CN = localhost
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+# Mark our CA as a CA, and only allow it to issue server certificates - no intermediate certificates allowed
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
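Review bot: `default_days = 7000` sits in `[ req ]`, but as far as I know `openssl req` does not read `default_days` from the config (it is an `openssl ca` setting), so the CA lifetime is whatever `-days` the generating script passes, or OpenSSL's short default if it passes none. That script (presumably `generate-certificat.cmd`) is not visible in this hunk, so confirm it passes `-days` explicitly and replace this line with a comment such as `# validity is set with -days by the generating script`. Separately, the comment above `basicConstraints` overstates the restriction: `pathlen:0` only forbids subordinate CAs and does not limit issuance to server certificates, so it would read more accurately as `# Mark our CA as a CA; pathlen:0 forbids subordinate CAs below it`. Because nothing in `[ v3_ca ]` constrains the names this CA can sign for, its private key should be documented as sensitive if users are ever told to import the certificate into a trust store.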