Skip to content

Commit

Permalink
deps: upgrade openssl sources to quictls/openssl-3.0.15+quic1
Browse files Browse the repository at this point in the history
PR-URL: #55184
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
  • Loading branch information
nodejs-github-bot authored and targos committed Oct 5, 2024
1 parent 29e6484 commit 63d51c8
Show file tree
Hide file tree
Showing 205 changed files with 2,458 additions and 863 deletions.
36 changes: 35 additions & 1 deletion deps/openssl/openssl/CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,36 @@ breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.14 and 3.0.14+quic [7 Jun 2024]
### Changes between 3.0.15 and 3.0.15+quic [3 Sep 2024]

* Add QUIC API support from BoringSSL

*Todd Short*

### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]

* Fixed possible denial of service in X.509 name checks.

Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of
an X.509 certificate. This may result in an exception that terminates the
application program.

([CVE-2024-6119])

*Viktor Dukhovni*

* Fixed possible buffer overread in SSL_select_next_proto().

Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory contents
to be sent to the peer.

([CVE-2024-5535])

*Matt Caswell*

### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]

* Fixed potential use after free after SSL_free_buffers() is called.
Expand Down Expand Up @@ -76,6 +100,14 @@ breaking changes, and mappings for the large list of deprecated functions.

*Tomáš Mráz*

* Improved EC/DSA nonce generation routines to avoid bias and timing
side channel leaks.

Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
and Hubert Kario from Red Hat for reporting the issues.

*Tomáš Mráz and Paul Dale*

* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
Expand Down Expand Up @@ -19896,6 +19928,8 @@ ndif

<!-- Links -->

[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ HOW TO CONTRIBUTE TO OpenSSL

Please visit our [Getting Started] page for other ideas about how to contribute.

[Getting Started]: <https://www.openssl.org/community/getting-started.html>
[Getting Started]: <https://openssl-library.org/community/getting-started>

Development is done on GitHub in the [openssl/openssl] repository.

Expand Down Expand Up @@ -77,8 +77,8 @@ guidelines:
Clean builds via GitHub Actions are required. They are started automatically
whenever a PR is created or updated by committers.
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
[documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
[coding style]: https://openssl-library.org/policies/technical/coding-style/
[documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see
Expand Down
36 changes: 36 additions & 0 deletions deps/openssl/openssl/Configurations/10-main.conf
Original file line number Diff line number Diff line change
Expand Up @@ -1264,6 +1264,25 @@ my %targets = (
AR => add("-X32"),
RANLIB => add("-X32"),
},
# To enable openxl compiler for aix
# If 17.1 openxl runtime is available, -latomic can be used
# instead of -DBROKEN_CLANG_ATOMICS
"aix-clang" => {
inherit_from => [ "aix-common" ],
CC => "ibm-clang",
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-Wno-implicit-function-declaration -mcmodel=large -DBROKEN_CLANG_ATOMICS",
threads("-pthread")),
ex_libs => add(threads("-pthread")),
bn_ops => "BN_LLONG RC4_CHAR",
asm_arch => 'ppc32',
perlasm_scheme => "aix32",
shared_cflag => "-fpic",
shared_ldflag => add("-shared"),
AR => add("-X32"),
RANLIB => add("-X32"),
},
"aix64-cc" => {
inherit_from => [ "aix-common" ],
CC => "cc",
Expand All @@ -1282,6 +1301,23 @@ my %targets = (
AR => add("-X64"),
RANLIB => add("-X64"),
},
"aix64-clang" => {
inherit_from => [ "aix-common" ],
CC => "ibm-clang",
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-maix64 -Wno-implicit-function-declaration -mcmodel=large",
threads("-pthread")),
ex_libs => add(threads("-pthread")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
asm_arch => 'ppc64',
perlasm_scheme => "aix64",
shared_cflag => "-fpic",
shared_ldflag => add("-shared"),
shared_extension => "64.so.\$(SHLIB_VERSION_NUMBER)",
AR => add("-X64"),
RANLIB => add("-X64"),
},

# SIEMENS BS2000/OSD: an EBCDIC-based mainframe
"BS2000-OSD" => {
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Configurations/15-ios.conf
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ my %targets = (
template => 1,
inherit_from => [ "darwin-common" ],
sys_id => "iOS",
disable => [ "shared", "async" ],
disable => [ "async" ],
},
"ios-xcrun" => {
inherit_from => [ "ios-common" ],
Expand Down
10 changes: 8 additions & 2 deletions deps/openssl/openssl/Configure
Original file line number Diff line number Diff line change
Expand Up @@ -178,7 +178,6 @@ my @gcc_devteam_warn = qw(
# -Wextended-offsetof -- no, needed in CMS ASN1 code
my @clang_devteam_warn = qw(
-Wno-unknown-warning-option
-Wswitch-default
-Wno-parentheses-equality
-Wno-language-extension-token
-Wno-extended-offsetof
Expand Down Expand Up @@ -1586,7 +1585,7 @@ if (!$disabled{makedepend}) {
disable('unavailable', 'makedepend') unless $config{makedep_scheme};
}

if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS') {
if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS' && !$predefined_C{_AIX}) {
# probe for -Wa,--noexecstack option...
if ($predefined_C{__clang__}) {
# clang has builtin assembler, which doesn't recognize --help,
Expand Down Expand Up @@ -3410,6 +3409,13 @@ sub absolutedir {
return rel2abs($dir);
}

# realpath() on Windows seems to check if the directory actually exists,
# which isn't what is wanted here. All we want to know is if a directory
# spec is absolute, not if it exists.
if ($^O eq "MSWin32") {
return rel2abs($dir);
}

# We use realpath() on Unix, since no other will properly clean out
# a directory spec.
use Cwd qw/realpath/;
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/INSTALL.md
Original file line number Diff line number Diff line change
Expand Up @@ -1168,7 +1168,7 @@ Configure OpenSSL
### Automatic Configuration

In previous version, the `config` script determined the platform type and
compiler and then called `Configure`. Starting with this release, they are
compiler and then called `Configure`. Starting with version 3.0, they are
the same.

#### Unix / Linux / macOS
Expand Down Expand Up @@ -1622,7 +1622,7 @@ More about our support resources can be found in the [SUPPORT] file.

### Configuration Errors

If the `./Configure` or `./Configure` command fails with an error message,
If the `./config` or `./Configure` command fails with an error message,
read the error message carefully and try to figure out whether you made
a mistake (e.g., by providing a wrong option), or whether the script is
working incorrectly. If you think you encountered a bug, please
Expand Down
15 changes: 15 additions & 0 deletions deps/openssl/openssl/NEWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,19 @@ OpenSSL Releases
OpenSSL 3.0
-----------

### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]

OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
release is Moderate.

This release incorporates the following bug fixes and mitigations:

* Fixed possible denial of service in X.509 name checks
([CVE-2024-6119])

* Fixed possible buffer overread in SSL_select_next_proto()
([CVE-2024-5535])

### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]

* Fixed potential use after free after SSL_free_buffers() is called
Expand Down Expand Up @@ -1482,6 +1495,8 @@ OpenSSL 0.9.x

<!-- Links -->

[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ What This Is
This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition
to the website, the official source distribution is at
<https://github.com/openssl/openssl>. The OpenSSL `README` can be found at
[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.13%2Bquic/README-OpenSSL.md)
[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.15%2Bquic/README-OpenSSL.md)

This fork adds APIs that can be used by QUIC implementations for connection
handshakes. Quoting the IETF Working group
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/VERSION.dat
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
PATCH=14
PATCH=15
PRE_RELEASE_TAG=
BUILD_METADATA=quic
RELEASE_DATE="4 Jun 2024"
RELEASE_DATE="3 Sep 2024"
SHLIB_VERSION=81.3
4 changes: 2 additions & 2 deletions deps/openssl/openssl/apps/cms.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -132,7 +132,7 @@ const OPTIONS cms_options[] = {
{"binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form"},
{"crlfeol", OPT_CRLFEOL, '-',
"Use CRLF as EOL termination instead of CR only" },
"Use CRLF as EOL termination instead of LF only" },
{"asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing"},

Expand Down
9 changes: 5 additions & 4 deletions deps/openssl/openssl/apps/dgst.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -478,7 +478,7 @@ int dgst_main(int argc, char **argv)
static void show_digests(const OBJ_NAME *name, void *arg)
{
struct doall_dgst_digests *dec = (struct doall_dgst_digests *)arg;
const EVP_MD *md = NULL;
EVP_MD *md = NULL;

/* Filter out signed digests (a.k.a signature algorithms) */
if (strstr(name->name, "rsa") != NULL || strstr(name->name, "RSA") != NULL)
Expand All @@ -490,8 +490,7 @@ static void show_digests(const OBJ_NAME *name, void *arg)
/* Filter out message digests that we cannot use */
md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
if (md == NULL) {
md = EVP_get_digestbyname(name->name);
if (md == NULL)
if (EVP_get_digestbyname(name->name) == NULL)
return;
}

Expand All @@ -502,6 +501,8 @@ static void show_digests(const OBJ_NAME *name, void *arg)
} else {
BIO_printf(dec->bio, " ");
}

EVP_MD_free(md);
}

/*
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/apps/lib/opt.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -616,7 +616,7 @@ int opt_uintmax(const char *value, ossl_uintmax_t *result)
opt_number_error(value);
return 0;
}
*result = (ossl_intmax_t)m;
*result = (ossl_uintmax_t)m;
errno = oerrno;
return 1;
}
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/apps/lib/s_cb.c
Original file line number Diff line number Diff line change
Expand Up @@ -649,7 +649,7 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
(void)BIO_flush(bio);
}

static STRINT_PAIR tlsext_types[] = {
static const STRINT_PAIR tlsext_types[] = {
{"server name", TLSEXT_TYPE_server_name},
{"max fragment length", TLSEXT_TYPE_max_fragment_length},
{"client certificate URL", TLSEXT_TYPE_client_certificate_url},
Expand Down Expand Up @@ -688,6 +688,7 @@ static STRINT_PAIR tlsext_types[] = {
{"psk kex modes", TLSEXT_TYPE_psk_kex_modes},
{"certificate authorities", TLSEXT_TYPE_certificate_authorities},
{"post handshake auth", TLSEXT_TYPE_post_handshake_auth},
{"early_data", TLSEXT_TYPE_early_data},
{NULL}
};

Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/apps/smime.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -118,7 +118,7 @@ const OPTIONS smime_options[] = {
"Do not load certificates from the default certificates store"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},

OPT_R_OPTIONS,
OPT_V_OPTIONS,
Expand Down
Loading

0 comments on commit 63d51c8

Please sign in to comment.