Skip to content

Commit

Permalink
deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1
Browse files Browse the repository at this point in the history
PR-URL: #54336
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
  • Loading branch information
nodejs-github-bot authored and marco-ippolito committed Nov 17, 2024
1 parent d3441ff commit 48d643f
Show file tree
Hide file tree
Showing 158 changed files with 2,303 additions and 800 deletions.
71 changes: 70 additions & 1 deletion deps/openssl/openssl/CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,78 @@ breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.13 and 3.0.13+quic [30 Jan 2024]
### Changes between 3.0.14 and 3.0.14+quic [7 Jun 2024]

* Add QUIC API support from BoringSSL

*Todd Short*

### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]

* Fixed potential use after free after SSL_free_buffers() is called.

The SSL_free_buffers function is used to free the internal OpenSSL
buffer used when processing an incoming record from the network.
The call is only expected to succeed if the buffer is not currently
in use. However, two scenarios have been identified where the buffer
is freed even when still in use.

The first scenario occurs where a record header has been received
from the network and processed by OpenSSL, but the full record body
has not yet arrived. In this case calling SSL_free_buffers will succeed
even though a record has only been partially processed and the buffer
is still in use.

The second scenario occurs where a full record containing application
data has been received and processed by OpenSSL but the application has
only read part of this data. Again a call to SSL_free_buffers will
succeed even though the buffer is still in use.

([CVE-2024-4741])

*Matt Caswell*

* Fixed an issue where checking excessively long DSA keys or parameters may
be very slow.

Applications that use the functions EVP_PKEY_param_check() or
EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
experience long delays. Where the key or parameters that are being checked
have been obtained from an untrusted source this may lead to a Denial of
Service.

To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
reason.

([CVE-2024-4603])

*Tomáš Mráz*

* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
is being used (but not if early_data is also configured and the default
anti-replay protection is in use). In this case, under certain conditions,
the session cache can get into an incorrect state and it will fail to flush
properly as it fills. The session cache will continue to grow in an unbounded
manner. A malicious client could deliberately create the scenario for this
failure to force a Denial of Service. It may also happen by accident in
normal operation.

([CVE-2024-2511])

*Matt Caswell*

* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit.

*Randall S. Becker*

### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]

* A file in PKCS12 format can contain certificates and keys and may come from
Expand Down Expand Up @@ -19830,6 +19896,9 @@ ndif

<!-- Links -->

[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
Expand Down
6 changes: 4 additions & 2 deletions deps/openssl/openssl/CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository.

[openssl/openssl]: <https://github.com/openssl/openssl>

To request new a feature, ask a question, or report a bug,
To request a new feature, ask a question, or report a bug,
please open an [issue on GitHub](https://github.com/openssl/openssl/issues).

To submit a patch or implement a new feature, please open a
Expand Down Expand Up @@ -67,7 +67,8 @@ guidelines:
often. We do not accept merge commits, you will have to remove them
(usually by rebasing) before it will be acceptable.
4. Code provided should follow our [coding style] and compile without warnings.
4. Code provided should follow our [coding style] and [documentation policy]
and compile without warnings.
There is a [Perl tool](util/check-format.pl) that helps
finding code formatting mistakes and other coding style nits.
Where `gcc` or `clang` is available, you should use the
Expand All @@ -77,6 +78,7 @@ guidelines:
whenever a PR is created or updated by committers.
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
[documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see
Expand Down
9 changes: 8 additions & 1 deletion deps/openssl/openssl/Configurations/10-main.conf
Original file line number Diff line number Diff line change
Expand Up @@ -784,7 +784,14 @@ my %targets = (
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
},

"linux-arm64ilp32-clang" => { # clang config abi by --target
inherit_from => [ "linux-generic32" ],
CC => "clang",
CXX => "clang++",
bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
},
"linux-mips32" => {
# Configure script adds minimally required -march for assembly
# support, if no -march was specified at command line.
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/Configurations/15-ios.conf
Original file line number Diff line number Diff line change
Expand Up @@ -49,16 +49,16 @@ my %targets = (
#
"iphoneos-cross" => {
inherit_from => [ "ios-common" ],
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"),
cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"),
},
"ios-cross" => {
inherit_from => [ "ios-xcrun" ],
CC => "cc",
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
},
"ios64-cross" => {
inherit_from => [ "ios64-xcrun" ],
CC => "cc",
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
},
);
14 changes: 7 additions & 7 deletions deps/openssl/openssl/Configurations/unix-Makefile.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
sub dependmagic {
my $target = shift;

return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
return "$target: build_generated\n\t\"\$(MAKE)\" depend && \"\$(MAKE)\" _$target\n_$target";
}

our $COLUMNS = $ENV{COLUMNS};
Expand Down Expand Up @@ -527,7 +527,7 @@ all: build_sw build_docs

test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
$(MAKE) run_tests
"$(MAKE)" run_tests
run_tests: FORCE
@ : {- output_off() if $disabled{tests}; "" -}
( SRCTOP=$(SRCDIR) \
Expand All @@ -542,7 +542,7 @@ run_tests: FORCE

list-tests:
@ : {- output_off() if $disabled{tests}; "" -}
$(MAKE) run_tests TESTS=list
"$(MAKE)" run_tests TESTS=list
@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
@echo "Tests are not supported with your chosen Configure options"
@ : {- output_on() if !$disabled{tests}; "" -}
Expand Down Expand Up @@ -1193,12 +1193,12 @@ providers/fips.module.sources.new: configdata.pm
cd sources-tmp \
&& $$srcdir/Configure --banner=Configured enable-fips -O0 \
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \
&& $(MAKE) -sj 4 build_generated providers/fips.so \
&& "$(MAKE)" -sj 4 build_generated providers/fips.so \
&& find . -name '*.d' | xargs cat > dep1 \
&& $(MAKE) distclean \
&& "$(MAKE)" distclean \
&& $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \
&& $(MAKE) -sj 4 build_generated providers/fips.so \
&& "$(MAKE)" -sj 4 build_generated providers/fips.so \
&& find . -name '*.d' | xargs cat > dep2 \
&& cat sources1 sources2 \
| grep -v ' : \\$$' | grep -v util/providers.num \
Expand Down Expand Up @@ -1332,7 +1332,7 @@ ordinals: build_generated
$(SSLHEADERS)

test_ordinals:
$(MAKE) run_tests TESTS=test_ordinals
"$(MAKE)" run_tests TESTS=test_ordinals

tags TAGS: FORCE
rm -f TAGS tags
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/Configure
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -405,6 +405,7 @@ my @disablables = (
"asan",
"asm",
"async",
"atexit",
"autoalginit",
"autoerrinit",
"autoload-config",
Expand Down
6 changes: 0 additions & 6 deletions deps/openssl/openssl/FAQ.md

This file was deleted.

9 changes: 8 additions & 1 deletion deps/openssl/openssl/INSTALL.md
Original file line number Diff line number Diff line change
Expand Up @@ -480,7 +480,7 @@ Setting the FIPS HMAC key

As part of its self-test validation, the FIPS module must verify itself
by performing a SHA-256 HMAC computation on itself. The default key is
the SHA256 value of "the holy handgrenade of antioch" and is sufficient
the SHA256 value of "holy hand grenade of antioch" and is sufficient
for meeting the FIPS requirements.

To change the key to a different value, use this flag. The value should
Expand Down Expand Up @@ -546,6 +546,13 @@ be used even with this option.

Do not build support for async operations.

### no-atexit

Do not use `atexit()` in libcrypto builds.

`atexit()` has varied semantics between platforms and can cause SIGSEGV in some
circumstances. This option disables the atexit registration of OPENSSL_cleanup.

### no-autoalginit

Don't automatically load all supported ciphers and digests.
Expand Down
15 changes: 15 additions & 0 deletions deps/openssl/openssl/NEWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,18 @@ OpenSSL Releases
OpenSSL 3.0
-----------

### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]

* Fixed potential use after free after SSL_free_buffers() is called
([CVE-2024-4741])

* Fixed an issue where checking excessively long DSA keys or parameters may
be very slow
([CVE-2024-4603])

* Fixed unbounded memory growth with session handling in TLSv1.3
([CVE-2024-2511])

### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]

* Fixed PKCS12 Decoding crashes
Expand Down Expand Up @@ -1470,6 +1482,9 @@ OpenSSL 0.9.x

<!-- Links -->

[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
Expand Down
5 changes: 4 additions & 1 deletion deps/openssl/openssl/NOTES-NONSTOP.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,10 @@ relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library
components.

A resolution to this situation is under investigation.
It is possible to configure the build with `no-atexit` to avoid the SIGSEGV.
Preferably, you can explicitly call `OPENSSL_cleanup()` from your application.
It is not mandatory as it just deallocates various global data structures
OpenSSL allocated.

About Prefix and OpenSSLDir
---------------------------
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/VERSION.dat
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
PATCH=13
PATCH=14
PRE_RELEASE_TAG=
BUILD_METADATA=quic
RELEASE_DATE="30 Jan 2024"
RELEASE_DATE="4 Jun 2024"
SHLIB_VERSION=81.3
8 changes: 5 additions & 3 deletions deps/openssl/openssl/apps/lib/s_cb.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -1318,7 +1318,8 @@ int ssl_load_stores(SSL_CTX *ctx,
if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
goto err;
add_crls_store(vfy, crls);
SSL_CTX_set1_verify_cert_store(ctx, vfy);
if (SSL_CTX_set1_verify_cert_store(ctx, vfy) == 0)
goto err;
if (crl_download)
store_setup_crl_download(vfy);
}
Expand All @@ -1332,7 +1333,8 @@ int ssl_load_stores(SSL_CTX *ctx,
goto err;
if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
goto err;
SSL_CTX_set1_chain_cert_store(ctx, ch);
if (SSL_CTX_set1_chain_cert_store(ctx, ch) == 0)
goto err;
}
rv = 1;
err:
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/apps/list.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -1230,6 +1230,7 @@ static void list_provider_info(void)
}

if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) {
sk_OSSL_PROVIDER_free(providers);
BIO_printf(bio_err, "ERROR: Memory allocation\n");
return;
}
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/apps/ocsp.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand All @@ -11,7 +11,7 @@

#ifdef OPENSSL_SYS_VMS
/* So fd_set and friends get properly defined on OpenVMS */
# define _XOPEN_SOURCE_EXTENDED
# define _XOPEN_SOURCE_EXTENDED 1
#endif

#include <stdio.h>
Expand Down
Loading

0 comments on commit 48d643f

Please sign in to comment.