Commit 48d643f

nodejs-github-bot authored and marco-ippolito committed
deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1
PR-URL: #54336
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
1 parent: d3441ff

158 files changed: 2303 additions, 800 deletions
deps/openssl/openssl/CHANGES.md (+70, -1)
@@ -28,12 +28,78 @@ breaking changes, and mappings for the large list of deprecated functions.
2828

2929
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
3030

31-
### Changes between 3.0.13 and 3.0.13+quic [30 Jan 2024]
31+
### Changes between 3.0.14 and 3.0.14+quic [7 Jun 2024]
3232

3333
* Add QUIC API support from BoringSSL
3434

3535
*Todd Short*
3636

37+
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
38+
39+
* Fixed potential use after free after SSL_free_buffers() is called.
40+
41+
The SSL_free_buffers function is used to free the internal OpenSSL
42+
buffer used when processing an incoming record from the network.
43+
The call is only expected to succeed if the buffer is not currently
44+
in use. However, two scenarios have been identified where the buffer
45+
is freed even when still in use.
46+
47+
The first scenario occurs where a record header has been received
48+
from the network and processed by OpenSSL, but the full record body
49+
has not yet arrived. In this case calling SSL_free_buffers will succeed
50+
even though a record has only been partially processed and the buffer
51+
is still in use.
52+
53+
The second scenario occurs where a full record containing application
54+
data has been received and processed by OpenSSL but the application has
55+
only read part of this data. Again a call to SSL_free_buffers will
56+
succeed even though the buffer is still in use.
57+
58+
([CVE-2024-4741])
59+
60+
*Matt Caswell*
61+
62+
* Fixed an issue where checking excessively long DSA keys or parameters may
63+
be very slow.
64+
65+
Applications that use the functions EVP_PKEY_param_check() or
66+
EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
67+
experience long delays. Where the key or parameters that are being checked
68+
have been obtained from an untrusted source this may lead to a Denial of
69+
Service.
70+
71+
To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
72+
will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
73+
reason.
74+
75+
([CVE-2024-4603])
76+
77+
*Tomáš Mráz*
78+
79+
* Fixed an issue where some non-default TLS server configurations can cause
80+
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
81+
exploit certain server configurations to trigger unbounded memory growth that
82+
would lead to a Denial of Service
83+
84+
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
85+
is being used (but not if early_data is also configured and the default
86+
anti-replay protection is in use). In this case, under certain conditions,
87+
the session cache can get into an incorrect state and it will fail to flush
88+
properly as it fills. The session cache will continue to grow in an unbounded
89+
manner. A malicious client could deliberately create the scenario for this
90+
failure to force a Denial of Service. It may also happen by accident in
91+
normal operation.
92+
93+
([CVE-2024-2511])
94+
95+
*Matt Caswell*
96+
97+
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
98+
is registered when libcrypto is unloaded. This can be used on platforms
99+
where using atexit() from shared libraries causes crashes on exit.
100+
101+
*Randall S. Becker*
102+
37103
### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
38104

39105
* A file in PKCS12 format can contain certificates and keys and may come from
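Review bot: the CVE-2024-4603 entry (new lines 71-73) names OPENSSL_DSA_MAX_MODULUS_BITS as the new hard cut-off without stating its value, so a reader of CHANGES.md cannot tell whether their existing DSA keys or parameters will now be rejected by EVP_PKEY_param_check() / EVP_PKEY_public_check(); state the limit in bits or name the header that defines it. The atexit entry at new lines 97-99 is also misleading as worded: the handler is registered with atexit() when libcrypto is initialised and runs at process exit, not "when libcrypto is unloaded"; suggest "controls whether OPENSSL_cleanup() is registered with atexit() at library initialisation". Finally, only the documentation side of the three CVE fixes (CVE-2024-4741, CVE-2024-4603, CVE-2024-2511) is visible in this file; with 158 files in the commit, the corresponding code changes should be checked against the upstream 3.0.14 fixes before this lands.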
@@ -19830,6 +19896,9 @@ ndif
1983019896

1983119897
<!-- Links -->
1983219898

19899+
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
19900+
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
19901+
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
1983319902
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
1983419903
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
1983519904
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
deps/openssl/openssl/CONTRIBUTING.md (+4, -2)
@@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository.
99

1010
[openssl/openssl]: <https://github.com/openssl/openssl>
1111

12-
To request new a feature, ask a question, or report a bug,
12+
To request a new feature, ask a question, or report a bug,
1313
please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
1414

1515
To submit a patch or implement a new feature, please open a
@@ -67,7 +67,8 @@ guidelines:
6767
often. We do not accept merge commits, you will have to remove them
6868
(usually by rebasing) before it will be acceptable.
6969
70-
4. Code provided should follow our [coding style] and compile without warnings.
70+
4. Code provided should follow our [coding style] and [documentation policy]
71+
and compile without warnings.
7172
There is a [Perl tool](util/check-format.pl) that helps
7273
finding code formatting mistakes and other coding style nits.
7374
Where `gcc` or `clang` is available, you should use the
@@ -77,6 +78,7 @@ guidelines:
7778
whenever a PR is created or updated by committers.
7879
7980
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
81+
[documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
8082
8183
5. When at all possible, code contributions should include tests. These can
8284
either be added to an existing test, or completely new. Please see
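Review bot: the new [documentation policy] link definition (line 81) uses `https://openssl.org/...` while the adjacent [coding style] definition on the line above uses `https://www.openssl.org/...`; pick one host form for both so the two links resolve the same way and the file does not mix styles.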
deps/openssl/openssl/Configurations/10-main.conf (+8, -1)
@@ -784,7 +784,14 @@ my %targets = (
784784
asm_arch => 'aarch64',
785785
perlasm_scheme => "linux64",
786786
},
787-
787+
"linux-arm64ilp32-clang" => { # clang config abi by --target
788+
inherit_from => [ "linux-generic32" ],
789+
CC => "clang",
790+
CXX => "clang++",
791+
bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
792+
asm_arch => 'aarch64',
793+
perlasm_scheme => "linux64",
794+
},
788795
"linux-mips32" => {
789796
# Configure script adds minimally required -march for assembly
790797
# support, if no -march was specified at command line.
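Review bot: the new linux-arm64ilp32-clang target (lines 787-794) sets no cflags that select the ILP32 ABI; the comment "clang config abi by --target" implies the caller must pass the target triple themselves, but nothing in the entry says so, and if it is omitted the build silently combines a 32-bit generic base (inherit_from linux-generic32) and 64-bit bn_ops with an aarch64 assembler scheme against a compiler that defaults to LP64. Suggest either spelling out the required --target value in the comment or putting it in cflags so the target is self-describing.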
deps/openssl/openssl/Configurations/15-ios.conf (+3, -3)
@@ -49,16 +49,16 @@ my %targets = (
4949
#
5050
"iphoneos-cross" => {
5151
inherit_from => [ "ios-common" ],
52-
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"),
52+
cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"),
5353
},
5454
"ios-cross" => {
5555
inherit_from => [ "ios-xcrun" ],
5656
CC => "cc",
57-
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
57+
cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
5858
},
5959
"ios64-cross" => {
6060
inherit_from => [ "ios64-xcrun" ],
6161
CC => "cc",
62-
cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
62+
cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
6363
},
6464
);
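Review bot: the quoting protects CROSS_TOP/CROSS_SDK paths that contain spaces, but only in the three -isysroot arguments changed here; any other expansion of $(CROSS_TOP) in this file needs the same treatment for the fix to be complete. The escaped double quotes inside the Perl string become literal quotes in the generated Makefile, which is correct as long as CFLAGS is only ever consumed by shell recipes, so a one-line comment saying why the quotes are there would keep someone from "cleaning them up" later.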
deps/openssl/openssl/Configurations/unix-Makefile.tmpl (+7, -7)
@@ -21,7 +21,7 @@
2121
sub dependmagic {
2222
my $target = shift;
2323

24-
return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
24+
return "$target: build_generated\n\t\"\$(MAKE)\" depend && \"\$(MAKE)\" _$target\n_$target";
2525
}
2626

2727
our $COLUMNS = $ENV{COLUMNS};
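Review bot: quoting "$(MAKE)" fixes the case where make lives in a path containing spaces, but it also turns the whole expansion into a single word, so a build that overrides MAKE with a command plus flags (for example MAKE="gmake -j8") will now try to execute a program literally named "gmake -j8". That is arguably a misuse of MAKE, but it did work before this hunk; worth a line in the commit message or INSTALL.md stating that MAKE must be a bare program path.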
@@ -527,7 +527,7 @@ all: build_sw build_docs
527527
528528
test: tests
529529
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
530-
$(MAKE) run_tests
530+
"$(MAKE)" run_tests
531531
run_tests: FORCE
532532
@ : {- output_off() if $disabled{tests}; "" -}
533533
( SRCTOP=$(SRCDIR) \
@@ -542,7 +542,7 @@ run_tests: FORCE
542542
543543
list-tests:
544544
@ : {- output_off() if $disabled{tests}; "" -}
545-
$(MAKE) run_tests TESTS=list
545+
"$(MAKE)" run_tests TESTS=list
546546
@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
547547
@echo "Tests are not supported with your chosen Configure options"
548548
@ : {- output_on() if !$disabled{tests}; "" -}
@@ -1193,12 +1193,12 @@ providers/fips.module.sources.new: configdata.pm
11931193
cd sources-tmp \
11941194
&& $$srcdir/Configure --banner=Configured enable-fips -O0 \
11951195
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \
1196-
&& $(MAKE) -sj 4 build_generated providers/fips.so \
1196+
&& "$(MAKE)" -sj 4 build_generated providers/fips.so \
11971197
&& find . -name '*.d' | xargs cat > dep1 \
1198-
&& $(MAKE) distclean \
1198+
&& "$(MAKE)" distclean \
11991199
&& $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \
12001200
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \
1201-
&& $(MAKE) -sj 4 build_generated providers/fips.so \
1201+
&& "$(MAKE)" -sj 4 build_generated providers/fips.so \
12021202
&& find . -name '*.d' | xargs cat > dep2 \
12031203
&& cat sources1 sources2 \
12041204
| grep -v ' : \\$$' | grep -v util/providers.num \
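Review bot: $$srcdir/Configure on lines 1194 and 1199 is still unquoted while the $(MAKE) invocations around it are now quoted, so a source tree whose path contains a space still breaks this recipe at the first step; quote $$srcdir the same way so the whole recipe is consistent.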
@@ -1332,7 +1332,7 @@ ordinals: build_generated
13321332
$(SSLHEADERS)
13331333
13341334
test_ordinals:
1335-
$(MAKE) run_tests TESTS=test_ordinals
1335+
"$(MAKE)" run_tests TESTS=test_ordinals
13361336
13371337
tags TAGS: FORCE
13381338
rm -f TAGS tags
deps/openssl/openssl/Configure (+2, -1)
@@ -1,6 +1,6 @@
11
#! /usr/bin/env perl
22
# -*- mode: perl; -*-
3-
# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3+
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
44
#
55
# Licensed under the Apache License 2.0 (the "License"). You may not use
66
# this file except in compliance with the License. You can obtain a copy
@@ -405,6 +405,7 @@ my @disablables = (
405405
"asan",
406406
"asm",
407407
"async",
408+
"atexit",
408409
"autoalginit",
409410
"autoerrinit",
410411
"autoload-config",
deps/openssl/openssl/FAQ.md (-6): this file was deleted.
deps/openssl/openssl/INSTALL.md (+8, -1)
@@ -480,7 +480,7 @@ Setting the FIPS HMAC key
480480

481481
As part of its self-test validation, the FIPS module must verify itself
482482
by performing a SHA-256 HMAC computation on itself. The default key is
483-
the SHA256 value of "the holy handgrenade of antioch" and is sufficient
483+
the SHA256 value of "holy hand grenade of antioch" and is sufficient
484484
for meeting the FIPS requirements.
485485

486486
To change the key to a different value, use this flag. The value should
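Review bot: this hunk only corrects the documented plaintext of the default FIPS HMAC key; since that key is what the module's self-integrity check is computed against, the corrected sentence should be checked against the actual default compiled into the build so the docs and the binary agree. It would also help readers to say explicitly that the default is a fixed, public value (the text already implies it), so the integrity check detects corruption and accidental modification, not tampering by someone who can rebuild the module and recompute the HMAC.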
@@ -546,6 +546,13 @@ be used even with this option.
546546

547547
Do not build support for async operations.
548548

549+
### no-atexit
550+
551+
Do not use `atexit()` in libcrypto builds.
552+
553+
`atexit()` has varied semantics between platforms and can cause SIGSEGV in some
554+
circumstances. This option disables the atexit registration of OPENSSL_cleanup.
555+
549556
### no-autoalginit
550557

551558
Don't automatically load all supported ciphers and digests.
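Review bot: the new no-atexit section says what is disabled but not what the consequence is for the application: with the registration gone, OPENSSL_cleanup() never runs unless the program calls it, so leak checkers will report OpenSSL's global state at exit. The NOTES-NONSTOP.md change in this same commit spells that out; a one-line pointer from here to it, or repeating the "call OPENSSL_cleanup() yourself" advice, would save readers a search.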
deps/openssl/openssl/NEWS.md (+15)
@@ -18,6 +18,18 @@ OpenSSL Releases
1818
OpenSSL 3.0
1919
-----------
2020

21+
### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
22+
23+
* Fixed potential use after free after SSL_free_buffers() is called
24+
([CVE-2024-4741])
25+
26+
* Fixed an issue where checking excessively long DSA keys or parameters may
27+
be very slow
28+
([CVE-2024-4603])
29+
30+
* Fixed unbounded memory growth with session handling in TLSv1.3
31+
([CVE-2024-2511])
32+
2133
### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
2234

2335
* Fixed PKCS12 Decoding crashes
@@ -1470,6 +1482,9 @@ OpenSSL 0.9.x
14701482

14711483
<!-- Links -->
14721484

1485+
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
1486+
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
1487+
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
14731488
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
14741489
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
14751490
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
deps/openssl/openssl/NOTES-NONSTOP.md (+4, -1)
@@ -56,7 +56,10 @@ relating to `atexit()` processing when a shared library is unloaded and when
5656
the program terminates. This limitation applies to all OpenSSL shared library
5757
components.
5858

59-
A resolution to this situation is under investigation.
59+
It is possible to configure the build with `no-atexit` to avoid the SIGSEGV.
60+
Preferably, you can explicitly call `OPENSSL_cleanup()` from your application.
61+
It is not mandatory as it just deallocates various global data structures
62+
OpenSSL allocated.
6063

6164
About Prefix and OpenSSLDir
6265
---------------------------
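Review bot: "It is not mandatory as it just deallocates various global data structures OpenSSL allocated." reads awkwardly and undersells the trade-off; suggest "Calling it is optional: it only frees the global data structures OpenSSL allocated, which matters for leak detection but not for correctness." Likewise "Preferably, you can explicitly call" should be "Preferably, explicitly call", so the two alternatives read cleanly: configure with `no-atexit`, or call `OPENSSL_cleanup()` yourself.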
