Skip to content

Commit

Permalink
deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1
Browse files Browse the repository at this point in the history
PR-URL: #49036
Reviewed-By: Rafael Gonzaga <[email protected]>
  • Loading branch information
nodejs-github-bot authored and RafaelGSS committed Aug 8, 2023
1 parent 6378377 commit 2c5a522
Show file tree
Hide file tree
Showing 173 changed files with 2,430 additions and 1,223 deletions.
73 changes: 68 additions & 5 deletions deps/openssl/openssl/CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,70 @@ breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.9 and 3.0.9+quic [30 May 2023]
* Add QUIC API support from BoringSSL
### Changes between 3.0.10 and 3.0.10+quic [1 Aug 2023]

* Add QUIC API support from BoringSSL

*Todd Short*

### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]

* Fix excessive time spent checking DH q parameter value.

The function DH_check() performs various checks on DH parameters. After
fixing CVE-2023-3446 it was discovered that a large q parameter value can
also trigger an overly long computation during some of these checks.
A correct q value, if present, cannot be larger than the modulus p
parameter, thus it is unnecessary to perform these checks if q is larger
than p.

If DH_check() is called with such q parameter value,
DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
intensive checks are skipped.

([CVE-2023-3817])

*Tomáš Mráz*

* Fix DH_check() excessive time with over sized modulus.

The function DH_check() performs various checks on DH parameters. One of
those checks confirms that the modulus ("p" parameter) is not too large.
Trying to use a very large modulus is slow and OpenSSL will not normally use
a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the supplied
modulus value even if it has already been found to be too large.

A new limit has been added to DH_check of 32,768 bits. Supplying a
key/parameters with a modulus over this size will simply cause DH_check() to
fail.

([CVE-2023-3446])

*Matt Caswell*

* Do not ignore empty associated data entries with AES-SIV.

The AES-SIV algorithm allows for authentication of multiple associated
data entries along with the encryption. To authenticate empty data the
application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
with NULL pointer as the output buffer and 0 as the input buffer length.
The AES-SIV implementation in OpenSSL just returns success for such call
instead of performing the associated data authentication operation.
The empty data thus will not be authenticated. ([CVE-2023-2975])

Thanks to Juerg Wullschleger (Google) for discovering the issue.

The fix changes the authentication tag value and the ciphertext for
applications that use empty associated data entries with AES-SIV.
To decrypt data encrypted with previous versions of OpenSSL the application
has to skip calls to `EVP_DecryptUpdate()` for empty associated data
entries.

*Tomáš Mráz*

### Changes between 3.0.8 and 3.0.9 [30 May 2023]

* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
Expand All @@ -45,7 +106,7 @@ breaking changes, and mappings for the large list of deprecated functions.
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.

The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
Expand All @@ -55,8 +116,6 @@ breaking changes, and mappings for the large list of deprecated functions.
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.

Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

*Richard Levitte*

* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
Expand Down Expand Up @@ -19655,6 +19714,10 @@ ndif

<!-- Links -->

[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
Expand Down
5 changes: 1 addition & 4 deletions deps/openssl/openssl/Configure
Original file line number Diff line number Diff line change
Expand Up @@ -599,8 +599,7 @@ my @disable_cascades = (

"crypto-mdebug" => [ "crypto-mdebug-backtrace" ],

# If no modules, then no dynamic engines either
"module" => [ "dynamic-engine" ],
"module" => [ "dynamic-engine", "fips" ],

# Without shared libraries, dynamic engines aren't possible.
# This is due to them having to link with libcrypto and register features
Expand All @@ -618,8 +617,6 @@ my @disable_cascades = (
# or modules.
"pic" => [ "shared", "module" ],

"module" => [ "fips", "dso" ],

"engine" => [ "dynamic-engine", grep(/eng$/, @disablables) ],
"dynamic-engine" => [ "loadereng" ],
"hw" => [ "padlockeng" ],
Expand Down
18 changes: 13 additions & 5 deletions deps/openssl/openssl/INSTALL.md
Original file line number Diff line number Diff line change
Expand Up @@ -796,14 +796,22 @@ By default OpenSSL will attempt to stay in memory until the process exits.
This is so that libcrypto and libssl can be properly cleaned up automatically
via an `atexit()` handler. The handler is registered by libcrypto and cleans
up both libraries. On some platforms the `atexit()` handler will run on unload of
libcrypto (if it has been dynamically loaded) rather than at process exit. This
option can be used to stop OpenSSL from attempting to stay in memory until the
libcrypto (if it has been dynamically loaded) rather than at process exit.

This option can be used to stop OpenSSL from attempting to stay in memory until the
process exits. This could lead to crashes if either libcrypto or libssl have
already been unloaded at the point that the atexit handler is invoked, e.g. on a
platform which calls `atexit()` on unload of the library, and libssl is unloaded
before libcrypto then a crash is likely to happen. Applications can suppress
running of the `atexit()` handler at run time by using the
`OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
before libcrypto then a crash is likely to happen.

Note that shared library pinning is not automatically disabled for static builds,
i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when
linking libcrypto statically into a shared third-party library, because in this
case the shared library will be pinned. To prevent this behaviour, you need to
configure the static build using `no-shared` and `no-pinshared` together.

Applications can suppress running of the `atexit()` handler at run time by
using the `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
See the man page for it for further details.

### no-posix-io
Expand Down
9 changes: 9 additions & 0 deletions deps/openssl/openssl/NEWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@ OpenSSL Releases
OpenSSL 3.0
-----------

### Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]

* Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
* Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
* Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

### Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]

* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
Expand Down Expand Up @@ -1442,6 +1448,9 @@ OpenSSL 0.9.x

<!-- Links -->

[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
Expand Down
96 changes: 89 additions & 7 deletions deps/openssl/openssl/README-FIPS.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ OpenSSL FIPS support
====================

This release of OpenSSL includes a cryptographic module that can be
FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
FIPS validated. The module is implemented as an OpenSSL provider.
A provider is essentially a dynamically loadable module which implements
cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
for further details.
Expand All @@ -28,8 +28,16 @@ resp. `fips.dll` (on Windows). The FIPS provider does not get built and
installed automatically. To enable it, you need to configure OpenSSL using
the `enable-fips` option.

Installing the FIPS module
==========================
Installing the FIPS provider
============================

In order to be FIPS compliant you must only use FIPS validated source code.
Refer to <https://www.openssl.org/source/> for information related to
which versions are FIPS validated. The instructions given below build OpenSSL
just using the FIPS validated source code.

If you want to use a validated FIPS provider, but also want to use the latest
OpenSSL release to build everything else, then refer to the next section.

The following is only a guide.
Please read the Security Policy for up to date installation instructions.
Expand Down Expand Up @@ -63,19 +71,93 @@ the installation by doing the following two things:

- Runs the FIPS module self tests
- Generates the so-called FIPS module configuration file containing information
about the module such as the self test status, and the module checksum.
about the module such as the module checksum (and for OpenSSL 3.0 the
self test status).

The FIPS module must have the self tests run, and the FIPS module config file
output generated on every machine that it is to be used on. You must not copy
the FIPS module config file output data from one machine to another.
output generated on every machine that it is to be used on. For OpenSSL 3.0,
you must not copy the FIPS module config file output data from one machine to another.

On Unix the `openssl fipsinstall` command will be invoked as follows by default:

$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so

If you configured OpenSSL to be installed to a different location, the paths will
vary accordingly. In the rare case that you need to install the fipsmodule.cnf
to non-standard location, you can execute the `openssl fipsinstall` command manually.
to a non-standard location, you can execute the `openssl fipsinstall` command manually.

Installing the FIPS provider and using it with the latest release
=================================================================

This normally requires you to download 2 copies of the OpenSSL source code.

Download and build a validated FIPS provider
--------------------------------------------

Refer to <https://www.openssl.org/source/> for information related to
which versions are FIPS validated. For this example we use OpenSSL 3.0.0.

$ wget https://www.openssl.org/source/openssl-3.0.0.tar.gz
$ tar -xf openssl-3.0.0.tar.gz
$ cd openssl-3.0.0
$ ./Configure enable-fips
$ make
$ cd ..

Download and build the latest release of OpenSSL
------------------------------------------------

We use OpenSSL 3.1.0 here, (but you could also use the latest 3.0.X)

$ wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
$ tar -xf openssl-3.1.0.tar.gz
$ cd openssl-3.1.0
$ ./Configure enable-fips
$ make

Use the OpenSSL FIPS provider for testing
-----------------------------------------

We do this by replacing the artifact for the OpenSSL 3.1.0 FIPS provider.
Note that the OpenSSL 3.1.0 FIPS provider has not been validated
so it must not be used for FIPS purposes.

$ cp ../openssl-3.0.0/providers/fips.so providers/.
$ cp ../openssl-3.0.0/providers/fipsmodule.cnf providers/.
// Note that for OpenSSL 3.0 that the `fipsmodule.cnf` file should not
// be copied across multiple machines if it contains an entry for
// `install-status`. (Otherwise the self tests would be skipped).

// Validate the output of the following to make sure we are using the
// OpenSSL 3.0.0 FIPS provider
$ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
-provider fips -providers

// Now run the current tests using the OpenSSL 3.0 FIPS provider.
$ make tests

Copy the FIPS provider artifacts (`fips.so` & `fipsmodule.cnf`) to known locations
-------------------------------------------------------------------------------------

$ cd ../openssl-3.0.0
$ sudo make install_fips

Check that the correct FIPS provider is being used
--------------------------------------------------

$./util/wrap.pl -fips apps/openssl list -provider-path providers \
-provider fips -providers

// This should produce the following output
Providers:
base
name: OpenSSL Base Provider
version: 3.1.0
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.0
status: active

Using the FIPS Module in applications
=====================================
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ What This Is
This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition
to the website, the official source distribution is at
<https://github.com/openssl/openssl>. The OpenSSL `README` can be found at
[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.9%2Bquic/README-OpenSSL.md)
[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.10%2Bquic/README-OpenSSL.md)

This fork adds APIs that can be used by QUIC implementations for connection
handshakes. Quoting the IETF Working group
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/VERSION.dat
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
PATCH=9
PATCH=10
PRE_RELEASE_TAG=
BUILD_METADATA=quic
RELEASE_DATE="30 May 2023"
RELEASE_DATE="1 Aug 2023"
SHLIB_VERSION=81.3
Loading

0 comments on commit 2c5a522

Please sign in to comment.