Commit e02a562

nodejs-github-bot authored and aduh95 committed
deps: upgrade openssl sources to openssl-3.5.3

PR-URL: #59901
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>

1 parent 2bf0a93 commit e02a562

99 files changed, +569 -368 lines changed

‎deps/openssl/openssl/CHANGES.md‎

Lines changed: 50 additions & 0 deletions
@@ -28,6 +28,56 @@ OpenSSL Releases
2828
OpenSSL 3.5
2929
-----------
3030

31+
### Changes between 3.5.2 and 3.5.3 [16 Sep 2025]
32+
33+
* Avoided a potential race condition introduced in 3.5.1, where
34+
`OSSL_STORE_CTX` kept open during lookup while potentially being used
35+
by multiple threads simultaneously, that could lead to potential crashes
36+
when multiple concurrent TLS connections are served.
37+
38+
*Matt Caswell*
39+
40+
* The FIPS provider no longer performs a PCT on key import for RSA, DH,
41+
and EC keys (that was introduced in 3.5.2), following the latest update
42+
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
43+
44+
*Dr Paul Dale*
45+
46+
* Secure memory allocation calls are no longer used for HMAC keys.
47+
48+
*Dr Paul Dale*
49+
50+
* `openssl req` no longer generates certificates with an empty extension list
51+
when SKID/AKID are set to `none` during generation.
52+
53+
*David Benjamin*
54+
55+
* The man page date is now derived from the release date provided
56+
in `VERSION.dat` and not the current date for the released builds.
57+
58+
*Enji Cooper*
59+
60+
* Hardened the provider implementation of the RSA public key "encrypt"
61+
operation to add a missing check that the caller-indicated output buffer
62+
size is at least as large as the byte count of the RSA modulus. The issue
63+
was reported by Arash Ale Ebrahim from SYSPWN.
64+
65+
This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that
66+
in fact provide a sufficiently large buffer, but fail to correctly indicate
67+
its size may now encounter unexpected errors. In applications that attempt
68+
RSA public encryption into a buffer that is too small, an out-of-bounds
69+
write is now avoided and an error is reported instead.
70+
71+
*Viktor Dukhovni*
72+
73+
* Added FIPS 140-3 PCT on DH key generation.
74+
75+
*Nikola Pajkovsky*
76+
77+
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
78+
79+
*Richard Levitte*
80+
3181
### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
3282

3383
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
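
Review bot: The RSA public key "encrypt" entry describes a behaviour change that callers in this tree can hit: per the entry, a caller of `EVP_PKEY_encrypt(3)` that supplies a large enough buffer but indicates its size incorrectly "may now encounter unexpected errors". Before landing the bump, check that every caller sets the output-length argument to the real buffer size (the usual pattern is a first call with a NULL output buffer to obtain the required size), and consider a test that encrypts into an undersized buffer and expects an error rather than a write.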

‎deps/openssl/openssl/Configurations/unix-Makefile.tmpl‎

Lines changed: 13 additions & 1 deletion
@@ -3,6 +3,8 @@
33
##
44
## {- join("\n## ", @autowarntext) -}
55
{-
6+
use Time::Piece;
7+
68
use OpenSSL::Util;
79

810
our $makedep_scheme = $config{makedep_scheme};
@@ -74,6 +76,15 @@ FIPSKEY={- $config{FIPSKEY} -}
7476

7577
VERSION={- "$config{full_version}" -}
7678
VERSION_NUMBER={- "$config{version}" -}
79+
RELEASE_DATE={- my $t = localtime;
80+
if ($config{"release_date"}) {
81+
# Provide the user with a more meaningful error message
82+
# than the default internal parsing error from
83+
# `Time::Piece->strptime(..)`.
84+
eval { $t = Time::Piece->strptime($config{"release_date"}, "%d %b %Y"); } ||
85+
die "Parsing \$config{release_date} ('$config{release_date}') failed: $@";
86+
}
87+
$t->strftime("%Y-%m-%d") -}
7788
MAJOR={- $config{major} -}
7889
MINOR={- $config{minor} -}
7990
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
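
Review bot: When `$config{"release_date"}` is unset, `RELEASE_DATE` silently falls back to `my $t = localtime`, so the man page date for those builds still depends on the build machine's clock and time zone. If reproducible output matters for non-release builds too, use `gmtime` for the fallback or honour `SOURCE_DATE_EPOCH`. The `use Time::Piece;` added in the first hunk is also a new build-time requirement and should be listed with the other Perl prerequisites if it is not already.
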
@@ -1565,7 +1576,8 @@ EOF
15651576
return <<"EOF";
15661577
$args{src}: $pod
15671578
pod2man --name=$name --section=$section\$(MANSUFFIX) --center=OpenSSL \\
1568-
--release=\$(VERSION) $pod >\$\@
1579+
--date=\$(RELEASE_DATE) --release=\$(VERSION) \\
1580+
$pod >\$\@
15691581
EOF
15701582
} elsif (platform->isdef($args{src})) {
15711583
#
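
Review bot: `--date=\$(RELEASE_DATE)` is passed to `pod2man` unquoted, which is only safe because the value is always produced by `strftime("%Y-%m-%d")` in the hunk above and so contains no spaces or shell metacharacters. A short comment at the `RELEASE_DATE=` assignment saying the output format must stay shell-safe would keep a later format change from breaking this recipe.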

‎deps/openssl/openssl/NEWS.md‎

Lines changed: 10 additions & 0 deletions
@@ -23,6 +23,16 @@ OpenSSL Releases
2323
OpenSSL 3.5
2424
-----------
2525

26+
### Major changes between OpenSSL 3.5.2 and OpenSSL 3.5.3 [16 Sep 2025]
27+
28+
* Added FIPS 140-3 PCT on DH key generation.
29+
30+
*Nikola Pajkovsky*
31+
32+
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
33+
34+
*Richard Levitte*
35+
2636
### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025]
2737

2838
* none
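
Review bot: The 3.5.3 section here lists only the DH PCT and `OPENSSL_VERSION_NUMBER` items, while CHANGES.md in this same commit also records the hardening of the RSA public key "encrypt" operation against an out-of-bounds write and the `OSSL_STORE_CTX` race fix. This file is vendored upstream text and should stay as it is, but the description of this dependency bump should point readers at CHANGES.md rather than NEWS.md so the security-relevant entries are not missed.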

‎deps/openssl/openssl/NOTES-WINDOWS.md‎

Lines changed: 1 addition & 1 deletion
@@ -125,7 +125,7 @@ format:
125125
`\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\OpenSSL-<version>-<ctx>`
126126

127127
Where `<version>` is the major.minor version of the library being
128-
built, and `<ctx>` is the value specified by `-DOPENSSL_WINCTX`. This allows
128+
built, and `<ctx>` is the value specified by `-DOSSL_WINCTX`. This allows
129129
for multiple openssl builds to be created and installed on a single system, in
130130
which each library can use its own set of registry keys.
131131


‎deps/openssl/openssl/VERSION.dat‎

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
MAJOR=3
22
MINOR=5
3-
PATCH=2
3+
PATCH=3
44
PRE_RELEASE_TAG=
55
BUILD_METADATA=
6-
RELEASE_DATE="5 Aug 2025"
6+
RELEASE_DATE="16 Sep 2025"
77
SHLIB_VERSION=3

‎deps/openssl/openssl/apps/cms.c‎

Lines changed: 1 addition & 0 deletions
@@ -1280,6 +1280,7 @@ int cms_main(int argc, char **argv)
12801280
goto end;
12811281
}
12821282
if (ret <= 0) {
1283+
BIO_printf(bio_err, "Error writing CMS output\n");
12831284
ret = 6;
12841285
goto end;
12851286
}

‎deps/openssl/openssl/apps/enc.c‎

Lines changed: 2 additions & 0 deletions
@@ -260,6 +260,8 @@ int enc_main(int argc, char **argv)
260260
goto opthelp;
261261
if (k)
262262
n *= 1024;
263+
if (n > INT_MAX)
264+
goto opthelp;
263265
bsize = (int)n;
264266
break;
265267
case OPT_K:
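
Review bot: The new `if (n > INT_MAX)` check runs after `n *= 1024`, so for a large enough argument with the `k` suffix the multiplication can itself overflow before the comparison is made (the type of `n` is not visible in this hunk). Checking `n > INT_MAX / 1024` inside the `if (k)` branch before multiplying would make the bound independent of the width of `n`. It is also worth confirming that the condition above this hunk rejects negative values, since `bsize = (int)n` would otherwise accept one.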

‎deps/openssl/openssl/apps/include/apps.h‎

Lines changed: 0 additions & 1 deletion
@@ -103,7 +103,6 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
103103
/* progress callback for dsaparam, dhparam, req, genpkey, etc. */
104104
int progress_cb(EVP_PKEY_CTX *ctx);
105105

106-
int chopup_args(ARGS *arg, char *buf);
107106
void dump_cert_text(BIO *out, X509 *x);
108107
void print_name(BIO *out, const char *title, const X509_NAME *nm);
109108
void print_bignum_var(BIO *, const BIGNUM *, const char *,

‎deps/openssl/openssl/apps/lib/apps.c‎

Lines changed: 0 additions & 49 deletions
@@ -83,55 +83,6 @@ static int set_multi_opts(unsigned long *flags, const char *arg,
8383
const NAME_EX_TBL *in_tbl);
8484
int app_init(long mesgwin);
8585

86-
int chopup_args(ARGS *arg, char *buf)
87-
{
88-
int quoted;
89-
char c = '\0', *p = NULL;
90-
91-
arg->argc = 0;
92-
if (arg->size == 0) {
93-
arg->size = 20;
94-
arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space");
95-
}
96-
97-
for (p = buf;;) {
98-
/* Skip whitespace. */
99-
while (*p && isspace(_UC(*p)))
100-
p++;
101-
if (*p == '\0')
102-
break;
103-
104-
/* The start of something good :-) */
105-
if (arg->argc >= arg->size) {
106-
char **tmp;
107-
108-
arg->size += 20;
109-
tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
110-
if (tmp == NULL)
111-
return 0;
112-
arg->argv = tmp;
113-
}
114-
quoted = *p == '\'' || *p == '"';
115-
if (quoted)
116-
c = *p++;
117-
arg->argv[arg->argc++] = p;
118-
119-
/* now look for the end of this */
120-
if (quoted) {
121-
while (*p && *p != c)
122-
p++;
123-
*p++ = '\0';
124-
} else {
125-
while (*p && !isspace(_UC(*p)))
126-
p++;
127-
if (*p)
128-
*p++ = '\0';
129-
}
130-
}
131-
arg->argv[arg->argc] = NULL;
132-
return 1;
133-
}
134-
13586
#ifndef APP_INIT
13687
int app_init(long mesgwin)
13788
{
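
Review bot: The removed `chopup_args()` had two memory-safety problems, so the points to confirm are that no caller remains now that the declaration is gone from `apps.h`, and whether the `ARGS` type is still used or can be dropped with it. In the quoted branch, `*p++ = '\0';` is unconditional (the unquoted branch guards it with `if (*p)`), so an unterminated quote advances `p` past the string terminator and the next loop iteration reads beyond the buffer. The final `arg->argv[arg->argc] = NULL;` also writes one slot past the allocation when the argument count equals `arg->size`, because the growth check `arg->argc >= arg->size` only runs before an argument is stored.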

‎deps/openssl/openssl/apps/ocsp.c‎

Lines changed: 12 additions & 9 deletions
@@ -662,7 +662,8 @@ int ocsp_main(int argc, char **argv)
662662
resp =
663663
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
664664
NULL);
665-
send_ocsp_response(cbio, resp);
665+
if (resp != NULL)
666+
send_ocsp_response(cbio, resp);
666667
}
667668
goto done_resp;
668669
}
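
Review bot: When `OCSP_response_create()` returns NULL here, the new `if (resp != NULL)` skips `send_ocsp_response()` and falls through to `goto done_resp` with no diagnostic, so the client gets no reply and the operator gets no log line. Add an else branch with a `BIO_printf(bio_err, ...)` so the failure to build the malformed-request response is visible.
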
@@ -764,16 +765,18 @@ int ocsp_main(int argc, char **argv)
764765
BIO_free(derbio);
765766
}
766767

767-
i = OCSP_response_status(resp);
768-
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
769-
BIO_printf(out, "Responder Error: %s (%d)\n",
770-
OCSP_response_status_str(i), i);
771-
if (!ignore_err)
768+
if (resp != NULL) {
769+
i = OCSP_response_status(resp);
770+
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
771+
BIO_printf(out, "Responder Error: %s (%d)\n",
772+
OCSP_response_status_str(i), i);
773+
if (!ignore_err)
772774
goto end;
773-
}
775+
}
774776

775-
if (resp_text)
776-
OCSP_RESPONSE_print(out, resp, 0);
777+
if (resp_text)
778+
OCSP_RESPONSE_print(out, resp, 0);
779+
}
777780

778781
/* If running as responder don't verify our own response */
779782
if (cbio != NULL) {
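
Review bot: With the status check and `OCSP_RESPONSE_print()` now wrapped in `if (resp != NULL)`, a NULL `resp` is skipped silently and execution continues to the `if (cbio != NULL)` block below, which sits outside the guard. Confirm that nothing after this point dereferences `resp`, and consider reporting the missing response on `bio_err` and treating it as a failure instead of passing over it.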
