Skip to content

Commit

Permalink
deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1
Browse files Browse the repository at this point in the history
PR-URL: nodejs/node#51614
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
sercher committed Apr 25, 2024
1 parent 7a86a73 commit 22ec7d9
Show file tree
Hide file tree
Showing 227 changed files with 3,738 additions and 820 deletions.
90 changes: 89 additions & 1 deletion graal-nodejs/deps/openssl/openssl/CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,96 @@ breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.12 and 3.0.12+quic [24 Oct 2023]
### Changes between 3.0.13 and 3.0.13+quic [30 Jan 2024]

* Add QUIC API support from BoringSSL

*Todd Short*

### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]

* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.

OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.

([CVE-2024-0727])

*Matt Caswell*

* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.

An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.

The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.

To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.

([CVE-2023-6237])

*Tomáš Mráz*

* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.

*Richard Levitte*

* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.

([CVE-2023-6129])

*Rohan McLure*

* Fix excessive time spent in DH check / generation with large Q parameter
value.

Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.

([CVE-2023-5678])

*Richard Levitte*

### Changes between 3.0.11 and 3.0.12 [24 Oct 2023]

* Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
Expand Down Expand Up @@ -19746,6 +19830,10 @@ ndif

<!-- Links -->

[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
Expand Down
56 changes: 36 additions & 20 deletions graal-nodejs/deps/openssl/openssl/CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,31 +9,45 @@ Development is done on GitHub in the [openssl/openssl] repository.

[openssl/openssl]: <https://github.com/openssl/openssl>

To request new features or report bugs, please open an issue on GitHub
To request new a feature, ask a question, or report a bug,
please open an [issue on GitHub](https://github.com/openssl/openssl/issues).

To submit a patch, please open a pull request on GitHub. If you are thinking
of making a large contribution, open an issue for it before starting work,
to get comments from the community. Someone may be already working on
the same thing or there may be reasons why that feature isn't implemented.
To submit a patch or implement a new feature, please open a
[pull request on GitHub](https://github.com/openssl/openssl/pulls).
If you are thinking of making a large contribution,
open an issue for it before starting work, to get comments from the community.
Someone may be already working on the same thing,
or there may be special reasons why a feature is not implemented.

To make it easier to review and accept your pull request, please follow these
guidelines:

1. Anything other than a trivial contribution requires a [Contributor
License Agreement] (CLA), giving us permission to use your code.
If your contribution is too small to require a CLA (e.g. fixing a spelling
mistake), place the text "`CLA: trivial`" on a line by itself separated by
an empty line from the rest of the commit message. It is not sufficient to
only place the text in the GitHub pull request description.
If your contribution is too small to require a CLA (e.g., fixing a spelling
mistake), then place the text "`CLA: trivial`" on a line by itself below
the rest of your commit message separated by an empty line, like this:

```
One-line summary of trivial change
Optional main body of commit message. It might contain a sentence
or two explaining the trivial change.
CLA: trivial
```

It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
pull request description.

[Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>

To amend a missing "`CLA: trivial`" line after submission, do the following:

```
git commit --amend
[add the line, save and quit the editor]
git push -f
# add the line, save and quit the editor
git push -f [<repository> [<branch>]]
```

2. All source files should start with the following text (with
Expand All @@ -53,22 +67,24 @@ guidelines:
often. We do not accept merge commits, you will have to remove them
(usually by rebasing) before it will be acceptable.

4. Patches should follow our [coding style] and compile without warnings.
Where `gcc` or `clang` is available you should use the
4. Code provided should follow our [coding style] and compile without warnings.
There is a [Perl tool](util/check-format.pl) that helps
finding code formatting mistakes and other coding style nits.
Where `gcc` or `clang` is available, you should use the
`--strict-warnings` `Configure` option. OpenSSL compiles on many varied
platforms: try to ensure you only use portable features. Clean builds via
GitHub Actions and AppVeyor are required, and they are started automatically
whenever a PR is created or updated.
platforms: try to ensure you only use portable features.
Clean builds via GitHub Actions are required. They are started automatically
whenever a PR is created or updated by committers.

[coding style]: https://www.openssl.org/policies/technical/coding-style.html

5. When at all possible, patches should include tests. These can
5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see
[test/README.md](test/README.md) for information on the test framework.

6. New features or changed functionality must include
documentation. Please look at the "pod" files in doc/man[1357] for
examples of our style. Run "make doc-nits" to make sure that your
documentation. Please look at the `.pod` files in `doc/man[1357]` for
examples of our style. Run `make doc-nits` to make sure that your
documentation changes are clean.

7. For user visible changes (API changes, behaviour changes, ...),
Expand All @@ -78,7 +94,7 @@ guidelines:
Have a look through existing entries for inspiration.
Please note that this is NOT simply a copy of git-log one-liners.
Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
This file helps users get more in depth information of what comes
This file helps users get more in-depth information of what comes
with a specific release without having to sift through the higher
noise ratio in git-log.

Expand Down
10 changes: 10 additions & 0 deletions graal-nodejs/deps/openssl/openssl/Configurations/10-main.conf
Original file line number Diff line number Diff line change
Expand Up @@ -1941,5 +1941,15 @@ my %targets = (
inherit_from => [ "vms-generic" ],
bn_ops => "SIXTY_FOUR_BIT",
pointer_size => "",
},
"vms-x86_64-p32" => {
inherit_from => [ "vms-x86_64" ],
cflags => add("/POINTER_SIZE=32"),
pointer_size => "32",
},
"vms-x86_64-p64" => {
inherit_from => [ "vms-x86_64" ],
cflags => add("/POINTER_SIZE=64=ARGV"),
pointer_size => "64",
}
);
Original file line number Diff line number Diff line change
Expand Up @@ -478,7 +478,8 @@ build_all_generated : $(GENERATED_MANDATORY) $(GENERATED) build_docs
all : build_sw build_docs

test : tests
{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep run_tests
{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep
$(MMS) $(MMSQUALIFIERS) run_tests
run_tests :
@ ! {- output_off() if $disabled{tests}; "" -}
DEFINE SRCTOP "$(SRCDIR)"
Expand Down Expand Up @@ -710,13 +711,15 @@ vmsconfig.pm : configdata.pm
WRITE CONFIG " shlib_version => '","{- $config{shlib_version} -}","',"
WRITE CONFIG " shlib_major => '","{- $config{shlib_major} -}","',"
WRITE CONFIG " shlib_minor => '","{- $config{shlib_minor} -}","',"
WRITE CONFIG " no_shared => '","{- $disabled{shared} -}","',"
WRITE CONFIG " INSTALLTOP => '$(INSTALLTOP)',"
WRITE CONFIG " OPENSSLDIR => '$(OPENSSLDIR)',"
WRITE CONFIG ");"
WRITE CONFIG "our %target = ("
WRITE CONFIG " pointer_size => '","{- $target{pointer_size} -}","',"
WRITE CONFIG ");"
WRITE CONFIG "our %target = ();"
WRITE CONFIG "our %disabled = ();"
WRITE CONFIG "our %disabled = ("
WRITE CONFIG " shared => '","{- $disabled{shared} -}","',"
WRITE CONFIG ");"
WRITE CONFIG "our %withargs = ();"
WRITE CONFIG "our %unified_info = ();"
WRITE CONFIG "1;"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -526,8 +526,9 @@ build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) build_docs
all: build_sw build_docs

test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils run_tests
run_tests:
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
$(MAKE) run_tests
run_tests: FORCE
@ : {- output_off() if $disabled{tests}; "" -}
( SRCTOP=$(SRCDIR) \
BLDTOP=$(BLDDIR) \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -294,7 +294,7 @@ RCOUTFLAG={- $target{rcoutflag} -}$(OSSL_EMPTY)

CNF_ASFLAGS={- join(' ', $target{asflags} || (),
@{$config{asflags}}) -}
CNF_CPPFLAGS={- our $cppfags2 =
CNF_CPPFLAGS={- our $cppflags2 =
join(' ', $target{cppflags} || (),
(map { '-D'.quotify1($_) } @{$target{defines}},
@{$config{defines}}),
Expand Down Expand Up @@ -440,6 +440,8 @@ all: build_sw build_docs

test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep copy-utils
$(MAKE) /$(MAKEFLAGS) run_tests
run_tests:
@{- output_off() if $disabled{tests}; "\@rem" -}
cmd /C "set "SRCTOP=$(SRCDIR)" & set "BLDTOP=$(BLDDIR)" & set "PERL=$(PERL)" & set "FIPSKEY=$(FIPSKEY)" & "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS)"
@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
Expand Down
Loading

0 comments on commit 22ec7d9

Please sign in to comment.