Commit 4056c1f

nodejs-github-bot authored and targos committed
deps: upgrade openssl sources to quictls/openssl-3.0.16
PR-URL: #57335
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
1 parent 5c20dcc commit 4056c1f

232 files changed

+2754
-3535
lines changed

deps/openssl/openssl/CHANGES.md

+30-3
@@ -28,11 +28,36 @@ breaking changes, and mappings for the large list of deprecated functions.
2828

2929
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
3030

31-
### Changes between 3.0.15 and 3.0.15+quic [3 Sep 2024]
31+
### Changes between 3.0.15 and 3.0.16 [11 Feb 2025]
3232

33-
* Add QUIC API support from BoringSSL
33+
* Fixed timing side-channel in ECDSA signature computation.
3434

35-
*Todd Short*
35+
There is a timing signal of around 300 nanoseconds when the top word of
36+
the inverted ECDSA nonce value is zero. This can happen with significant
37+
probability only for some of the supported elliptic curves. In particular
38+
the NIST P-521 curve is affected. To be able to measure this leak, the
39+
attacker process must either be located in the same physical computer or
40+
must have a very fast network connection with low latency.
41+
42+
([CVE-2024-13176])
43+
44+
*Tomáš Mráz*
45+
46+
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
47+
curve parameters.
48+
49+
Use of the low-level GF(2^m) elliptic curve APIs with untrusted
50+
explicit values for the field polynomial can lead to out-of-bounds memory
51+
reads or writes.
52+
Applications working with "exotic" explicit binary (GF(2^m)) curve
53+
parameters, that make it possible to represent invalid field polynomials
54+
with a zero constant term, via the above or similar APIs, may terminate
55+
abruptly as a result of reading or writing outside of array bounds. Remote
56+
code execution cannot easily be ruled out.
57+
58+
([CVE-2024-9143])
59+
60+
*Viktor Dukhovni*
3661

3762
### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
3863
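Review bot: the removed lines 31-35 drop the `3.0.15+quic` heading and the "Add QUIC API support from BoringSSL" entry outright, while the commit title says the sources come from quictls/openssl-3.0.16. Together with the `quic` option being removed from Configure and INSTALL.md, this reads as a tree without the QUIC API patches; please confirm that is intended and say so in the commit message, or re-import from a tag that still carries the `+quic` changes.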

@@ -19928,6 +19953,8 @@ ndif
1992819953

1992919954
<!-- Links -->
1993019955

19956+
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
19957+
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
1993119958
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
1993219959
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
1993319960
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

+1-1
@@ -1688,7 +1688,7 @@ EOF
16881688
} elsif ($makedep_scheme eq 'gcc' && !grep /\.rc$/, @srcs) {
16891689
$recipe .= <<"EOF";
16901690
$obj: $deps
1691-
$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -MT \$\@ -c -o \$\@ $srcs
1691+
$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -c -o \$\@ $srcs
16921692
\@touch $dep.tmp
16931693
\@if cmp $dep.tmp $dep > /dev/null 2> /dev/null; then \\
16941694
rm -f $dep.tmp; \\
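Review bot: line 1691 drops `-MT \$\@` from the gcc makedepend recipe without a comment saying where the rule target now comes from. With `-MMD` and `-c -o`, gcc takes the `-o` object file as the dependency target, so `$dep.tmp` should be unchanged for gcc itself; a one-line comment above the recipe to that effect, naming the c99 cross-compiler limitation that NOTES-NONSTOP.md used to describe, would stop the flag being re-added later. The comment belongs upstream since this is vendored code, but it is worth verifying here that touching a header after a build still recompiles the dependent objects.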

deps/openssl/openssl/Configure

+1-4
@@ -467,7 +467,6 @@ my @disablables = (
467467
"poly1305",
468468
"posix-io",
469469
"psk",
470-
"quic",
471470
"rc2",
472471
"rc4",
473472
"rc5",
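Review bot: removing `"quic",` from `@disablables` at line 470 means `no-quic` and `enable-quic` are no longer options this Configure lists. Check that nothing in the build that drives this script (outside this diff) still passes either flag, and regenerate any configuration produced from Configure output in the same PR so it matches the new option list.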
@@ -578,15 +577,14 @@ my @disable_cascades = (
578577
"sm3", "sm4", "srp",
579578
"srtp", "ssl3-method", "ssl-trace",
580579
"ts", "ui-console", "whirlpool",
581-
"quic",
582580
"fips-securitychecks" ],
583581
sub { $config{processor} eq "386" }
584582
=> [ "sse2" ],
585583
"ssl" => [ "ssl3" ],
586584
"ssl3-method" => [ "ssl3" ],
587585
"zlib" => [ "zlib-dynamic" ],
588586
"des" => [ "mdc2" ],
589-
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "quic" ],
587+
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
590588
"dgram" => [ "dtls", "sctp" ],
591589
"sock" => [ "dgram" ],
592590
"dtls" => [ @dtls ],
@@ -637,7 +635,6 @@ my @disable_cascades = (
637635
"legacy" => [ "md2" ],
638636

639637
"cmp" => [ "crmf" ],
640-
"tls1_3" => [ "quic" ],
641638

642639
"fips" => [ "fips-securitychecks", "acvp-tests" ],
643640

deps/openssl/openssl/INSTALL.md

-4
@@ -829,10 +829,6 @@ Don't use POSIX IO capabilities.
829829

830830
Don't build support for Pre-Shared Key based ciphersuites.
831831

832-
### no-quic
833-
834-
Don't build support for QUIC API from BoringSSL.
835-
836832
### no-rdrand
837833

838834
Don't use hardware RDRAND capabilities.

deps/openssl/openssl/NEWS.md

+16
@@ -18,6 +18,20 @@ OpenSSL Releases
1818
OpenSSL 3.0
1919
-----------
2020

21+
### Major changes between OpenSSL 3.0.15 and OpenSSL 3.0.16 [11 Feb 2025]
22+
23+
OpenSSL 3.0.16 is a security patch release. The most severe CVE fixed in this
24+
release is Low.
25+
26+
This release incorporates the following bug fixes and mitigations:
27+
28+
* Fixed timing side-channel in ECDSA signature computation.
29+
([CVE-2024-13176])
30+
31+
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
32+
curve parameters.
33+
([CVE-2024-9143])
34+
2135
### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]
2236

2337
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
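Review bot: the commit message carries only the PR-URL and Reviewed-By trailers, yet the added NEWS.md lines 28-33 show this update brings in the fixes for CVE-2024-13176 and CVE-2024-9143. Name both CVEs in the commit body so the change can be found when deciding which release lines need the backport; the "most severe CVE fixed in this release is Low" rating from lines 23-24 is worth repeating there too.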
@@ -1495,6 +1509,8 @@ OpenSSL 0.9.x
14951509

14961510
<!-- Links -->
14971511

1512+
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
1513+
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
14981514
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
14991515
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
15001516
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741

deps/openssl/openssl/NOTES-NONSTOP.md

+2-5
@@ -119,12 +119,9 @@ correctly, you also need the `COMP_ROOT` set, as in:
119119

120120
`COMP_ROOT` needs to be in Windows form.
121121

122-
`Configure` must specify the `no-makedepend` option otherwise errors will
123-
result when running the build because the c99 cross-compiler does not support
124-
the `gcc -MT` option. An example of a `Configure` command to be run from the
125-
OpenSSL directory is:
122+
An example of a `Configure` command to be run from the OpenSSL directory is:
126123

127-
./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
124+
./Configure nonstop-nsx_64 --with-rand-seed=rdcpu
128125

129126
Do not forget to include any OpenSSL cross-compiling prefix and certificate
130127
options when creating your libraries.

deps/openssl/openssl/README-OpenSSL.md

-224
This file was deleted.
