deps: upgrade openssl sources to quictls/openssl-3.0.16
nodejs-github-bot committed Mar 5, 2025
commit d2931bdf1e09d84f9e171b70cf5261b8a617b1f2
33 changes: 30 additions & 3 deletions deps/openssl/openssl/CHANGES.md
Expand Up @@ -28,11 +28,36 @@ breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.15 and 3.0.15+quic [3 Sep 2024]
### Changes between 3.0.15 and 3.0.16 [11 Feb 2025]

* Add QUIC API support from BoringSSL
* Fixed timing side-channel in ECDSA signature computation.

*Todd Short*
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.

([CVE-2024-13176])

*Tomáš Mráz*

* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.

Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds memory
reads or writes.
Applications working with "exotic" explicit binary (GF(2^m)) curve
parameters, that make it possible to represent invalid field polynomials
with a zero constant term, via the above or similar APIs, may terminate
abruptly as a result of reading or writing outside of array bounds. Remote
code execution cannot easily be ruled out.

([CVE-2024-9143])

*Viktor Dukhovni*

### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
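Review bot: The section heading replaced at the top of this hunk drops the `3.0.15+quic` entry ("Add QUIC API support from BoringSSL", *Todd Short*) instead of carrying it forward under a `3.0.16+quic` heading, which does not match a commit titled "upgrade openssl sources to quictls/openssl-3.0.16". Together with the removal of `quic` from `Configure`, the `no-quic` section from `INSTALL.md` and the deletion of `README-OpenSSL.md`, this reads like a source tree without the QUIC API patch set. Please confirm which tag the sources were taken from, and either re-import from the QUIC-patched tree or correct the commit title.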

Expand Down Expand Up @@ -19928,6 +19953,8 @@ ndif

<!-- Links -->

[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Configurations/unix-Makefile.tmpl
Expand Up @@ -1688,7 +1688,7 @@ EOF
} elsif ($makedep_scheme eq 'gcc' && !grep /\.rc$/, @srcs) {
$recipe .= <<"EOF";
$obj: $deps
$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -MT \$\@ -c -o \$\@ $srcs
$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -c -o \$\@ $srcs
\@touch $dep.tmp
\@if cmp $dep.tmp $dep > /dev/null 2> /dev/null; then \\
rm -f $dep.tmp; \\
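Review bot: In the gcc makedepend recipe, `-MT \$\@` is removed and nothing replaces it, so the target name written into `$dep.tmp` is now whatever the compiler picks by default. Because the lines that follow compare `$dep.tmp` against `$dep` with `cmp`, please check that the generated rule still names `$obj`, including for objects in subdirectories, on the compilers this template is used with. The reason appears to be the c99 cross-compiler limitation mentioned in the `NOTES-NONSTOP.md` hunk of this commit; a short comment above the recipe saying so would help.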
5 changes: 1 addition & 4 deletions deps/openssl/openssl/Configure
Expand Up @@ -467,7 +467,6 @@ my @disablables = (
"poly1305",
"posix-io",
"psk",
"quic",
"rc2",
"rc4",
"rc5",
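Review bot: Removing `"quic"` from `@disablables` means `Configure` no longer recognises `no-quic` or `enable-quic`, and the later hunks in this file also drop it from the `ec` and `tls1_3` cascades. Any configuration or build script that passes one of these options has to be updated in the same change, and the commit message should say why the option goes away.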
Expand Down Expand Up @@ -578,15 +577,14 @@ my @disable_cascades = (
"sm3", "sm4", "srp",
"srtp", "ssl3-method", "ssl-trace",
"ts", "ui-console", "whirlpool",
"quic",
"fips-securitychecks" ],
sub { $config{processor} eq "386" }
=> [ "sse2" ],
"ssl" => [ "ssl3" ],
"ssl3-method" => [ "ssl3" ],
"zlib" => [ "zlib-dynamic" ],
"des" => [ "mdc2" ],
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "quic" ],
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
"dgram" => [ "dtls", "sctp" ],
"sock" => [ "dgram" ],
"dtls" => [ @dtls ],
Expand Down Expand Up @@ -637,7 +635,6 @@ my @disable_cascades = (
"legacy" => [ "md2" ],

"cmp" => [ "crmf" ],
"tls1_3" => [ "quic" ],

"fips" => [ "fips-securitychecks", "acvp-tests" ],

4 changes: 0 additions & 4 deletions deps/openssl/openssl/INSTALL.md
Expand Up @@ -829,10 +829,6 @@ Don't use POSIX IO capabilities.

Don't build support for Pre-Shared Key based ciphersuites.

### no-quic

Don't build support for QUIC API from BoringSSL.

### no-rdrand

Don't use hardware RDRAND capabilities.
16 changes: 16 additions & 0 deletions deps/openssl/openssl/NEWS.md
Expand Up @@ -18,6 +18,20 @@ OpenSSL Releases
OpenSSL 3.0
-----------

### Major changes between OpenSSL 3.0.15 and OpenSSL 3.0.16 [11 Feb 2025]

OpenSSL 3.0.16 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

* Fixed timing side-channel in ECDSA signature computation.
([CVE-2024-13176])

* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
([CVE-2024-9143])

### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]

OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
Expand Down Expand Up @@ -1495,6 +1509,8 @@ OpenSSL 0.9.x

<!-- Links -->

[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
7 changes: 2 additions & 5 deletions deps/openssl/openssl/NOTES-NONSTOP.md
Expand Up @@ -119,12 +119,9 @@ correctly, you also need the `COMP_ROOT` set, as in:

`COMP_ROOT` needs to be in Windows form.

`Configure` must specify the `no-makedepend` option otherwise errors will
result when running the build because the c99 cross-compiler does not support
the `gcc -MT` option. An example of a `Configure` command to be run from the
OpenSSL directory is:
An example of a `Configure` command to be run from the OpenSSL directory is:

./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
./Configure nonstop-nsx_64 --with-rand-seed=rdcpu

Do not forget to include any OpenSSL cross-compiling prefix and certificate
options when creating your libraries.
224 changes: 0 additions & 224 deletions deps/openssl/openssl/README-OpenSSL.md

This file was deleted.
