|
2024-07-10 12:02 AEST by Arthur Barrett - There is now a security advisory for 3.0!
https://www.openssl.org/news/secadv/20240627.txt
OpenSSL Security Advisory [27th June 2024]
==========================================
SSL_select_next_proto buffer overread (CVE-2024-5535)
=====================================================
Severity: Low
OpenSSL 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15 once it is released.
But the current release is 3.0.14
KBytes Date File
14946 2024-Jun-04 15:15:27 openssl-3.0.14.tar.gz (SHA256) (PGP sign) (SHA1)
15305 2024-Jun-04 15:15:27 openssl-3.1.6.tar.gz (SHA256) (PGP sign) (SHA1)
17328 2024-Jun-04 15:15:27 openssl-3.2.2.tar.gz (SHA256) (PGP sign) (SHA1)
17632 2024-Jun-04 15:15:27 openssl-3.3.1.tar.gz (SHA256) (PGP sign) (SHA1) |
|
2024-09-04 11:56 AEST by Arthur Barrett - For 3.0.13 I built just using vs2022, but that produced a result that is not compatible with Windows XP.
So for 3.0.15 I am building with:
VS2015 - for Suite 2009
VS2022 - for Suite 2025
Also need to include the merge module in the installer, see bug 7848
|
|
2024-09-04 22:45 AEST by CVS Support - Created an attachment (id=3800)
vs2015 test results - second try with fix for loader_attic etc.
A 'problem' with the first openssl 3.0 build I shipped in CVSNT is that it
'depends on' some DLLs that do NOT have customized names:
D:\cvsbin\release builder>dir D:\cvsdeps\openSSL\lib\engines-3
Volume in drive D is D-Drive
Volume Serial Number is 3CB3-69D5
Directory of D:\cvsdeps\openSSL\lib\engines-3
26/05/2024 11:26 <DIR> .
26/05/2024 11:26 <DIR> ..
26/05/2024 11:26 37,888 capi.dll
26/05/2024 11:26 183,296 capi.pdb
26/05/2024 11:26 46,592 loader_attic.dll
26/05/2024 11:26 216,064 loader_attic.pdb
26/05/2024 11:26 28,672 padlock.dll
26/05/2024 11:26 101,376 padlock.pdb
6 File(s) 613,888 bytes
2 Dir(s) 117,574,754,304 bytes free
D:\cvsbin\release builder>dir D:\cvsdeps\openSSL\lib\ossl-modules
Volume in drive D is D-Drive
Volume Serial Number is 3CB3-69D5
Directory of D:\cvsdeps\openSSL\lib\ossl-modules
26/05/2024 11:26 <DIR> .
26/05/2024 11:26 <DIR> ..
26/05/2024 11:26 98,304 legacy.dll
26/05/2024 11:26 338,944 legacy.pdb
2 File(s) 437,248 bytes
2 Dir(s) 117,574,754,304 bytes free
So I tried to fix this in the vs2022 build script which is what I copied to
make the vs2015 build script. This is incomplete and caused errors during
test, because loader_attic.dll could not be found (and presumably other tests
would have failed too for the other DLLs).
The test '90-test_store' failed because it was not able to load the DLL
loader_attic.dll
That DLL doesn't exist, because we rename it to loader_attic-3_0_vc140.dll
Changing the test to use the 'new' DLL name, also failed, so instead I've tried
to patch the code so we can call loader_attic but the DLL loaded is the right
one.
This didn't break in the previous 3.0.13 build because I just ignored these
DLLs - we don't ship them so there is no DLL Hell / namespace pollution. But
maybe I should be shipping them, in which case I'd have a problem.
If it can be fixed it would be nice to fix it.
D:\GnuWin32\bin\sed < test\recipes\90-test_store.t > test\recipes\90-test_store.t.1 "s/loader_attic/loader_attic-3_0_vc140/g"
copy /y test\recipes\90-test_store.t.1 test\recipes\90-test_store.t
nmake TESTS="test_store" test
one test fails:
# ERROR: (ptr) 'prov = ossl_provider_find(NULL, name, 0) != NULL' failed @ test\provider_internal_test.c:96
# 0x0
# OPENSSL_TEST_RAND_ORDER=1725444204
not ok 3 - test_configured_provider
# ------------------------------------------------------------------------------
E:\perl-5.38\perl\bin\perl.exe ..\..\util\wrap.pl ..\..\test\provider_internal_test.exe => 1
not ok 1 - running provider_internal_test
# ------------------------------------------------------------------------------
# Failed test 'running provider_internal_test'
# at D:\cvsbin\release builder\openssl\openssl-3.0.15-vc140-x32\util\perl/OpenSSL/Test/Simple.pm line 77.
# Looks like you failed 1 test of 1.
02-test_internal_provider.t ........
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
|
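An added example, not part of the bug thread or the CVSNT build scripts: one way to audit a dependency tree for the naming problem described in the last comment, reporting for each loadable module whether it is present under its generic name, the build-specific name, or both. The function names are hypothetical; the suffix, folder names and module names are taken from the listings and the renamed DLL in that comment.

```python
import os
import tempfile

# Hypothetical helper names. The suffix, folder names and module names come
# from the directory listings and the renamed DLL quoted in the comment.
SUFFIX = "-3_0_vc140"
MODULE_DIRS = {
    "engines-3": ["capi", "loader_attic", "padlock"],
    "ossl-modules": ["legacy"],
}


def audit_modules(lib_root, suffix=SUFFIX, module_dirs=MODULE_DIRS):
    """Report the name each loadable module is present under.
    generic: only <name>.dll, the name is not specific to this build
    renamed: only <name><suffix>.dll, a lookup by the generic name fails
    both:    two copies, the generic one may be the one that gets loaded
    missing: neither file is there
    """
    report = {}
    for subdir, names in module_dirs.items():
        folder = os.path.join(lib_root, subdir)
        # Windows file names are case-insensitive, so compare in lower case.
        present = {f.lower() for f in os.listdir(folder)} if os.path.isdir(folder) else set()
        for name in names:
            generic = f"{name}.dll".lower() in present
            renamed = f"{name}{suffix}.dll".lower() in present
            state = ("missing", "renamed", "generic", "both")[2 * generic + renamed]
            report[f"{subdir}/{name}"] = state
    return report


def build_sample_tree(root):
    """Constructed sample tree: the listing above with loader_attic renamed."""
    layout = {
        "engines-3": ["capi.dll", "capi.pdb", f"loader_attic{SUFFIX}.dll", "padlock.dll"],
        "ossl-modules": ["legacy.dll", "legacy.pdb"],
    }
    for subdir, files in layout.items():
        os.makedirs(os.path.join(root, subdir), exist_ok=True)
        for filename in files:
            open(os.path.join(root, subdir, filename), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for module, state in sorted(audit_modules(tmp).items()):
            print(f"{module:28} {state}")
```

A "renamed" entry is the state that made 90-test_store fail above, and a "generic" entry is a DLL that would go out without a customized name if the folder were shipped.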