python
diff --git a/‎CHANGES.md
Lines changed: 69 additions & 0 deletions b/‎CHANGES.md
Lines changed: 69 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md
Lines changed: 4 additions & 2 deletions b/‎CONTRIBUTING.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎Configurations/10-main.conf
Lines changed: 8 additions & 1 deletion b/‎Configurations/10-main.conf
Lines changed: 8 additions & 1 deletion
diff --git a/‎Configurations/15-ios.conf
Lines changed: 3 additions & 3 deletions b/‎Configurations/15-ios.conf
Lines changed: 3 additions & 3 deletions
diff --git a/‎Configurations/unix-Makefile.tmpl
Lines changed: 7 additions & 7 deletions b/‎Configurations/unix-Makefile.tmpl
Lines changed: 7 additions & 7 deletions
diff --git a/‎Configure
Lines changed: 2 additions & 1 deletion b/‎Configure
Lines changed: 2 additions & 1 deletion
diff --git a/‎FAQ.md
Lines changed: 0 additions & 6 deletions b/‎FAQ.md
Lines changed: 0 additions & 6 deletions
diff --git a/‎INSTALL.md
Lines changed: 8 additions & 1 deletion b/‎INSTALL.md
Lines changed: 8 additions & 1 deletion
diff --git a/‎NEWS.md
Lines changed: 15 additions & 0 deletions b/‎NEWS.md
Lines changed: 15 additions & 0 deletions
diff --git a/‎NOTES-NONSTOP.md
Lines changed: 4 additions & 1 deletion b/‎NOTES-NONSTOP.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎VERSION.dat
Lines changed: 2 additions & 2 deletions b/‎VERSION.dat
Lines changed: 2 additions & 2 deletions
diff --git a/‎apps/lib/s_cb.c
Lines changed: 5 additions & 3 deletions b/‎apps/lib/s_cb.c
Lines changed: 5 additions & 3 deletions
diff --git a/‎apps/list.c
Lines changed: 2 additions & 1 deletion b/‎apps/list.c
Lines changed: 2 additions & 1 deletion
diff --git a/‎apps/ocsp.c
Lines changed: 2 additions & 2 deletions b/‎apps/ocsp.c
Lines changed: 2 additions & 2 deletions
diff --git a/‎apps/pkcs12.c
Lines changed: 11 additions & 5 deletions b/‎apps/pkcs12.c
Lines changed: 11 additions & 5 deletions
@@ -28,6 +28,72 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
+### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
+
+ * Fixed potential use after free after SSL_free_buffers() is called.
+
+   The SSL_free_buffers function is used to free the internal OpenSSL
+   buffer used when processing an incoming record from the network.
+   The call is only expected to succeed if the buffer is not currently
+   in use. However, two scenarios have been identified where the buffer
+   is freed even when still in use.
+
+   The first scenario occurs where a record header has been received
+   from the network and processed by OpenSSL, but the full record body
+   has not yet arrived. In this case calling SSL_free_buffers will succeed
+   even though a record has only been partially processed and the buffer
+   is still in use.
+
+   The second scenario occurs where a full record containing application
+   data has been received and processed by OpenSSL but the application has
+   only read part of this data. Again a call to SSL_free_buffers will
+   succeed even though the buffer is still in use.
+
+   ([CVE-2024-4741])
+
+   *Matt Caswell*
+
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+   be very slow.
+
+   Applications that use the functions EVP_PKEY_param_check() or
+   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+   experience long delays. Where the key or parameters that are being checked
+   have been obtained from an untrusted source this may lead to a Denial of
+   Service.
+
+   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+   reason.
+
+   ([CVE-2024-4603])
+
+   *Tomáš Mráz*
+
+ * Fixed an issue where some non-default TLS server configurations can cause
+   unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+   exploit certain server configurations to trigger unbounded memory growth that
+   would lead to a Denial of Service
+
+   This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+   is being used (but not if early_data is also configured and the default
+   anti-replay protection is in use). In this case, under certain conditions,
+   the session cache can get into an incorrect state and it will fail to flush
+   properly as it fills. The session cache will continue to grow in an unbounded
+   manner. A malicious client could deliberately create the scenario for this
+   failure to force a Denial of Service. It may also happen by accident in
+   normal operation.
+
+   ([CVE-2024-2511])
+
+   *Matt Caswell*
+
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+   is registered when libcrypto is unloaded. This can be used on platforms
+   where using atexit() from shared libraries causes crashes on exit.
+
+   *Randall S. Becker*
+
 ### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
 
  * A file in PKCS12 format can contain certificates and keys and may come from
@@ -19824,6 +19890,9 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
 
@@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository.
 
   [openssl/openssl]: <https://github.com/openssl/openssl>
 
-To request new a feature, ask a question, or report a bug,
+To request a new feature, ask a question, or report a bug,
 please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
 
 To submit a patch or implement a new feature, please open a
@@ -67,7 +67,8 @@ guidelines:
     often. We do not accept merge commits, you will have to remove them
     (usually by rebasing) before it will be acceptable.
 
- 4. Code provided should follow our [coding style] and compile without warnings.
+ 4. Code provided should follow our [coding style] and [documentation policy]
+    and compile without warnings.
     There is a [Perl tool](util/check-format.pl) that helps
     finding code formatting mistakes and other coding style nits.
     Where `gcc` or `clang` is available, you should use the
@@ -77,6 +78,7 @@ guidelines:
     whenever a PR is created or updated by committers.
 
     [coding style]: https://www.openssl.org/policies/technical/coding-style.html
+    [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
 
  5. When at all possible, code contributions should include tests. These can
     either be added to an existing test, or completely new.  Please see
 
@@ -784,7 +784,14 @@ my %targets = (
         asm_arch         => 'aarch64',
         perlasm_scheme   => "linux64",
     },
-
+    "linux-arm64ilp32-clang" => {  # clang config abi by --target
+        inherit_from     => [ "linux-generic32" ],
+        CC               => "clang",
+        CXX              => "clang++",
+        bn_ops           => "SIXTY_FOUR_BIT RC4_CHAR",
+        asm_arch         => 'aarch64',
+        perlasm_scheme   => "linux64",
+    },
     "linux-mips32" => {
         # Configure script adds minimally required -march for assembly
         # support, if no -march was specified at command line.
 
@@ -49,16 +49,16 @@ my %targets = (
 #
     "iphoneos-cross" => {
         inherit_from     => [ "ios-common" ],
-        cflags           => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"),
+        cflags           => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"),
     },
     "ios-cross" => {
         inherit_from     => [ "ios-xcrun" ],
         CC               => "cc",
-        cflags           => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
+        cflags           => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
     },
     "ios64-cross" => {
         inherit_from     => [ "ios64-xcrun" ],
         CC               => "cc",
-        cflags           => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
+        cflags           => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
     },
 );
@@ -21,7 +21,7 @@
      sub dependmagic {
          my $target = shift;
 
-         return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
+         return "$target: build_generated\n\t\"\$(MAKE)\" depend && \"\$(MAKE)\" _$target\n_$target";
      }
 
      our $COLUMNS = $ENV{COLUMNS};
@@ -527,7 +527,7 @@ all: build_sw build_docs
 
 test: tests
 {- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
-	$(MAKE) run_tests
+	"$(MAKE)" run_tests
 run_tests: FORCE
 	@ : {- output_off() if $disabled{tests}; "" -}
 	( SRCTOP=$(SRCDIR) \
@@ -542,7 +542,7 @@ run_tests: FORCE
 
 list-tests:
 	@ : {- output_off() if $disabled{tests}; "" -}
-	$(MAKE) run_tests TESTS=list
+	"$(MAKE)" run_tests TESTS=list
 	@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
 	@echo "Tests are not supported with your chosen Configure options"
 	@ : {- output_on() if !$disabled{tests}; "" -}
@@ -1193,12 +1193,12 @@ providers/fips.module.sources.new: configdata.pm
 	  cd sources-tmp \
 	  && $$srcdir/Configure --banner=Configured enable-fips -O0 \
 	  && ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \
-	  && $(MAKE) -sj 4 build_generated providers/fips.so \
+	  && "$(MAKE)" -sj 4 build_generated providers/fips.so \
 	  && find . -name '*.d' | xargs cat > dep1 \
-          && $(MAKE) distclean \
+          && "$(MAKE)" distclean \
 	  && $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \
 	  && ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \
-	  && $(MAKE) -sj 4 build_generated providers/fips.so \
+	  && "$(MAKE)" -sj 4 build_generated providers/fips.so \
 	  && find . -name '*.d' | xargs cat > dep2 \
 	  && cat sources1 sources2 \
 	     | grep -v ' : \\$$' | grep -v util/providers.num \
@@ -1332,7 +1332,7 @@ ordinals: build_generated
                 $(SSLHEADERS)
 
 test_ordinals:
-	$(MAKE) run_tests TESTS=test_ordinals
+	"$(MAKE)" run_tests TESTS=test_ordinals
 
 tags TAGS: FORCE
 	rm -f TAGS tags
 
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -405,6 +405,7 @@ my @disablables = (
     "asan",
     "asm",
     "async",
+    "atexit",
     "autoalginit",
     "autoerrinit",
     "autoload-config",
 
@@ -480,7 +480,7 @@ Setting the FIPS HMAC key
 
 As part of its self-test validation, the FIPS module must verify itself
 by performing a SHA-256 HMAC computation on itself. The default key is
-the SHA256 value of "the holy handgrenade of antioch" and is sufficient
+the SHA256 value of "holy hand grenade of antioch" and is sufficient
 for meeting the FIPS requirements.
 
 To change the key to a different value, use this flag. The value should
@@ -546,6 +546,13 @@ be used even with this option.
 
 Do not build support for async operations.
 
+### no-atexit
+
+Do not use `atexit()` in libcrypto builds.
+
+`atexit()` has varied semantics between platforms and can cause SIGSEGV in some
+circumstances. This option disables the atexit registration of OPENSSL_cleanup.
+
 ### no-autoalginit
 
 Don't automatically load all supported ciphers and digests.
 
@@ -18,6 +18,18 @@ OpenSSL Releases
 OpenSSL 3.0
 -----------
 
+### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
+
+  * Fixed potential use after free after SSL_free_buffers() is called
+    ([CVE-2024-4741])
+
+  * Fixed an issue where checking excessively long DSA keys or parameters may
+    be very slow
+    ([CVE-2024-4603])
+
+  * Fixed unbounded memory growth with session handling in TLSv1.3
+    ([CVE-2024-2511])
+
 ### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
 
   * Fixed PKCS12 Decoding crashes
@@ -1470,6 +1482,9 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
 
@@ -56,7 +56,10 @@ relating to `atexit()` processing when a shared library is unloaded and when
 the program terminates. This limitation applies to all OpenSSL shared library
 components.
 
-A resolution to this situation is under investigation.
+It is possible to configure the build with `no-atexit` to avoid the SIGSEGV.
+Preferably, you can explicitly call `OPENSSL_cleanup()` from your application.
+It is not mandatory as it just deallocates various global data structures
+OpenSSL allocated.
 
 About Prefix and OpenSSLDir
 ---------------------------
 
@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=0
-PATCH=13
+PATCH=14
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="30 Jan 2024"
+RELEASE_DATE="4 Jun 2024"
 SHLIB_VERSION=3
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1318,7 +1318,8 @@ int ssl_load_stores(SSL_CTX *ctx,
         if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
             goto err;
         add_crls_store(vfy, crls);
-        SSL_CTX_set1_verify_cert_store(ctx, vfy);
+        if (SSL_CTX_set1_verify_cert_store(ctx, vfy) == 0)
+            goto err;
         if (crl_download)
             store_setup_crl_download(vfy);
     }
@@ -1332,7 +1333,8 @@ int ssl_load_stores(SSL_CTX *ctx,
             goto err;
         if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
             goto err;
-        SSL_CTX_set1_chain_cert_store(ctx, ch);
+        if (SSL_CTX_set1_chain_cert_store(ctx, ch) == 0)
+            goto err;
     }
     rv = 1;
  err:
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1230,6 +1230,7 @@ static void list_provider_info(void)
     }
 
     if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) {
+        sk_OSSL_PROVIDER_free(providers);
         BIO_printf(bio_err, "ERROR: Memory allocation\n");
         return;
     }
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -11,7 +11,7 @@
 
 #ifdef OPENSSL_SYS_VMS
   /* So fd_set and friends get properly defined on OpenVMS */
-# define _XOPEN_SOURCE_EXTENDED
+# define _XOPEN_SOURCE_EXTENDED 1
 #endif
 
 #include <stdio.h>
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -712,9 +712,6 @@ int pkcs12_main(int argc, char **argv)
     in = bio_open_default(infile, 'r', FORMAT_PKCS12);
     if (in == NULL)
         goto end;
-    out = bio_open_owner(outfile, FORMAT_PEM, private);
-    if (out == NULL)
-        goto end;
 
     p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq());
     if (p12 == NULL) {
@@ -814,6 +811,11 @@ int pkcs12_main(int argc, char **argv)
 
  dump:
     assert(private);
+
+    out = bio_open_owner(outfile, FORMAT_PEM, private);
+    if (out == NULL)
+        goto end;
+
     if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) {
         BIO_printf(bio_err, "Error outputting keys and certificates\n");
         ERR_print_errors(bio_err);
@@ -855,7 +857,11 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
         } else if (bagnid == NID_pkcs7_encrypted) {
             if (options & INFO) {
                 BIO_printf(bio_err, "PKCS7 Encrypted data: ");
-                alg_print(p7->d.encrypted->enc_data->algorithm);
+                if (p7->d.encrypted == NULL) {
+                    BIO_printf(bio_err, "<no data>\n");
+                } else {
+                    alg_print(p7->d.encrypted->enc_data->algorithm);
+                }
             }
             bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
         } else {
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.`
	`2`	`+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License 2.0 (the "License"). You may not use`
`5`	`5`	`* this file except in compliance with the License. You can obtain a copy`
`@@ -1230,6 +1230,7 @@ static void list_provider_info(void)`
`1230`	`1230`	`}`
`1231`	`1231`
`1232`	`1232`	`if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) {`
	`1233`	`+ sk_OSSL_PROVIDER_free(providers);`
`1233`	`1234`	`BIO_printf(bio_err, "ERROR: Memory allocation\n");`
`1234`	`1235`	`return;`
`1235`	`1236`	`}`