git: 44096ebd22dd - main - Update to OpenSSL 3.0.14

From: Enji Cooper <ngie_at_FreeBSD.org>
Date: Wed, 26 Jun 2024 23:51:52 UTC
The branch main has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=44096ebd22ddd0081a357011714eff8963614b65

commit 44096ebd22ddd0081a357011714eff8963614b65
Merge: 8c5c57212566 1070e7dca822
Author:     Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2024-06-26 23:50:13 +0000
Commit:     Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2024-06-26 23:50:13 +0000

    Update to OpenSSL 3.0.14
    
    This release resolves 3 upstream-found CVEs:
    - Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
    - Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
    - Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
    
    MFC after:      3 days
    Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'

 crypto/openssl/CHANGES.md                          |  69 ++++
 crypto/openssl/CONTRIBUTING.md                     |   6 +-
 crypto/openssl/Configurations/10-main.conf         |   9 +-
 crypto/openssl/Configurations/15-ios.conf          |   6 +-
 crypto/openssl/Configurations/unix-Makefile.tmpl   |  14 +-
 crypto/openssl/Configure                           |   3 +-
 crypto/openssl/INSTALL.md                          |   9 +-
 crypto/openssl/NEWS.md                             |  15 +
 crypto/openssl/NOTES-NONSTOP.md                    |   5 +-
 crypto/openssl/VERSION.dat                         |   4 +-
 crypto/openssl/apps/lib/s_cb.c                     |   8 +-
 crypto/openssl/apps/list.c                         |   3 +-
 crypto/openssl/apps/ocsp.c                         |   4 +-
 crypto/openssl/apps/pkcs12.c                       |  16 +-
 crypto/openssl/apps/req.c                          |   2 +-
 crypto/openssl/apps/speed.c                        |   6 +-
 crypto/openssl/apps/ts.c                           |  11 +-
 crypto/openssl/crypto/aes/build.info               |   2 +-
 crypto/openssl/crypto/bio/bio_lib.c                |  10 +-
 crypto/openssl/crypto/bio/bio_sock.c               |   6 +-
 crypto/openssl/crypto/bn/bn_lib.c                  |  53 ++-
 crypto/openssl/crypto/bn/bn_rand.c                 | 166 ++++++--
 crypto/openssl/crypto/bn/bn_shift.c                |   8 +-
 crypto/openssl/crypto/dsa/dsa_check.c              |  46 ++-
 crypto/openssl/crypto/dsa/dsa_ossl.c               |  11 +-
 crypto/openssl/crypto/dsa/dsa_sign.c               |   9 +-
 crypto/openssl/crypto/ec/build.info                |   2 +-
 .../openssl/crypto/ec/curve448/arch_64/f_impl64.c  |   8 +-
 crypto/openssl/crypto/ec/ecdsa_ossl.c              |  15 +-
 crypto/openssl/crypto/encode_decode/encoder_lib.c  |   7 +-
 crypto/openssl/crypto/engine/eng_pkey.c            |  44 +--
 crypto/openssl/crypto/err/openssl.ec               |   4 +-
 crypto/openssl/crypto/ess/ess_lib.c                |   4 +-
 crypto/openssl/crypto/evp/keymgmt_lib.c            |   9 +-
 crypto/openssl/crypto/evp/p_lib.c                  |  12 +-
 crypto/openssl/crypto/evp/pmeth_lib.c              |  69 +++-
 crypto/openssl/crypto/evp/signature.c              |  33 +-
 crypto/openssl/crypto/init.c                       |  14 +-
 crypto/openssl/crypto/o_str.c                      |   4 +-
 crypto/openssl/crypto/property/property_parse.c    |   3 +-
 crypto/openssl/crypto/provider_core.c              |  11 +-
 crypto/openssl/crypto/sha/build.info               |   2 +-
 crypto/openssl/crypto/sm2/sm2_crypt.c              |  37 +-
 crypto/openssl/crypto/sm2/sm2_sign.c               |  18 +-
 crypto/openssl/crypto/x509/v3_addr.c               |   4 +-
 crypto/openssl/demos/digest/EVP_MD_demo.c          |   4 +-
 crypto/openssl/demos/digest/EVP_MD_stdin.c         |   4 +-
 crypto/openssl/doc/fingerprints.txt                |   3 +
 crypto/openssl/doc/internal/man3/OPTIONS.pod       |   4 +-
 .../doc/internal/man3/ossl_method_construct.pod    |   4 +-
 .../doc/internal/man3/ossl_provider_new.pod        |   4 +-
 .../internal/man3/ossl_random_add_conf_module.pod  |   4 +-
 crypto/openssl/doc/internal/man7/EVP_PKEY.pod      |   4 +-
 crypto/openssl/doc/man1/openssl-crl.pod.in         |   5 +-
 crypto/openssl/doc/man1/openssl-mac.pod.in         |  17 +-
 crypto/openssl/doc/man1/openssl-req.pod.in         |  33 +-
 crypto/openssl/doc/man1/openssl-smime.pod.in       |  18 +-
 crypto/openssl/doc/man1/openssl-storeutl.pod.in    |   5 +-
 crypto/openssl/doc/man1/openssl-ts.pod.in          |   8 +-
 crypto/openssl/doc/man3/DEFINE_STACK_OF.pod        |   6 +-
 crypto/openssl/doc/man3/EVP_DigestInit.pod         |   4 +-
 crypto/openssl/doc/man3/EVP_KDF.pod                |   4 +-
 .../openssl/doc/man3/EVP_PKEY_CTX_set_params.pod   |   6 +-
 crypto/openssl/doc/man3/EVP_PKEY_check.pod         |   7 +-
 crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod    |   4 +-
 crypto/openssl/doc/man3/SSL_CTX_set_cert_store.pod |   6 +-
 crypto/openssl/doc/man3/SSL_CTX_set_verify.pod     |   5 +-
 .../openssl/doc/man3/SSL_CTX_use_certificate.pod   |   5 +-
 .../openssl/doc/man3/SSL_load_client_CA_file.pod   |  20 +-
 crypto/openssl/doc/man7/EVP_PKEY-SM2.pod           |   5 +-
 crypto/openssl/doc/man7/migration_guide.pod        |  28 +-
 crypto/openssl/e_os.h                              |  20 +-
 crypto/openssl/engines/e_afalg.c                   |   6 +-
 crypto/openssl/engines/e_dasync.c                  |   4 +-
 crypto/openssl/fuzz/asn1.c                         |  16 +-
 crypto/openssl/include/crypto/bn.h                 |  10 +-
 crypto/openssl/include/internal/constant_time.h    |  25 +-
 crypto/openssl/include/openssl/sslerr.h            |   4 +-
 crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy  |  23 ++
 crypto/openssl/providers/fips-sources.checksums    | 272 ++++++-------
 crypto/openssl/providers/fips.checksum             |   2 +-
 crypto/openssl/providers/fips/fipsprov.c           |   4 +-
 .../providers/implementations/exchange/kdf_exch.c  |  44 ++-
 .../implementations/include/prov/ciphercommon.h    |  15 +-
 .../openssl/providers/implementations/kdfs/hkdf.c  |  10 +-
 .../openssl/providers/implementations/rands/drbg.c |   5 +-
 .../providers/implementations/rands/drbg_ctr.c     |   7 +-
 .../providers/implementations/rands/drbg_hash.c    |   5 +-
 .../providers/implementations/rands/drbg_hmac.c    |   5 +-
 .../providers/implementations/rands/drbg_local.h   |   3 +-
 crypto/openssl/ssl/record/rec_layer_s3.c           |  15 +
 crypto/openssl/ssl/record/record.h                 |   3 +-
 crypto/openssl/ssl/record/ssl3_buffer.c            |   4 +-
 crypto/openssl/ssl/ssl_err.c                       |   6 +-
 crypto/openssl/ssl/ssl_lib.c                       |  10 +-
 crypto/openssl/ssl/ssl_sess.c                      |  36 +-
 crypto/openssl/ssl/statem/statem_srvr.c            |   9 +-
 crypto/openssl/ssl/t1_lib.c                        |   5 +-
 crypto/openssl/test/bad_dtls_test.c                |   4 +-
 crypto/openssl/test/build.info                     |   1 +
 crypto/openssl/test/cmp_hdr_test.c                 |  51 ++-
 crypto/openssl/test/ct_test.c                      |  11 +-
 crypto/openssl/test/dsatest.c                      |  10 +-
 crypto/openssl/test/ecdsatest.c                    |  30 +-
 crypto/openssl/test/ecstresstest.c                 |   4 +-
 crypto/openssl/test/evp_extra_test.c               |  48 ++-
 crypto/openssl/test/evp_pkey_provided_test.c       |  63 ++-
 crypto/openssl/test/evp_test.c                     |  15 +-
 crypto/openssl/test/helpers/ssltestlib.c           |  35 +-
 crypto/openssl/test/helpers/ssltestlib.h           |   3 +-
 crypto/openssl/test/keymgmt_internal_test.c        |  10 +-
 crypto/openssl/test/pathed.cnf                     |  22 ++
 crypto/openssl/test/pkey_meth_kdf_test.c           |  55 ++-
 crypto/openssl/test/prov_config_test.c             |  56 ++-
 .../invalid/p10240_q256_too_big.pem                |  57 +++
 crypto/openssl/test/recipes/25-test_req.t          |   3 +-
 crypto/openssl/test/recipes/30-test_prov_config.t  |   8 +-
 crypto/openssl/test/recipes/80-test_pkcs12.t       |  14 +-
 crypto/openssl/test/recipes/90-test_shlibload.t    |   3 +-
 crypto/openssl/test/sm2_internal_test.c            |  37 +-
 crypto/openssl/test/ssl-tests/14-curves.cnf.in     |   7 +-
 crypto/openssl/test/ssl-tests/20-cert-select.cnf   | 216 +++++------
 .../openssl/test/ssl-tests/20-cert-select.cnf.in   |  70 ++--
 crypto/openssl/test/ssl-tests/28-seclevel.cnf.in   |   8 +-
 crypto/openssl/test/sslapitest.c                   | 426 ++++++++++++++++++---
 crypto/openssl/test/sslbuffertest.c                | 176 ++++++++-
 crypto/openssl/test/test.cnf                       |   6 +
 crypto/openssl/test/tls-provider.c                 |  13 +-
 crypto/openssl/test/v3ext.c                        |  17 +-
 129 files changed, 2301 insertions(+), 764 deletions(-)

diff --cc crypto/openssl/CONTRIBUTING.md
index 15490fd9f620,000000000000..fec6616e21fe
mode 100644,000000..100644
--- a/crypto/openssl/CONTRIBUTING.md
+++ b/crypto/openssl/CONTRIBUTING.md
@@@ -1,110 -1,0 +1,112 @@@
 +HOW TO CONTRIBUTE TO OpenSSL
 +============================
 +
 +Please visit our [Getting Started] page for other ideas about how to contribute.
 +
 +  [Getting Started]: <https://www.openssl.org/community/getting-started.html>
 +
 +Development is done on GitHub in the [openssl/openssl] repository.
 +
 +  [openssl/openssl]: <https://github.com/openssl/openssl>
 +
- To request new a feature, ask a question, or report a bug,
++To request a new feature, ask a question, or report a bug,
 +please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
 +
 +To submit a patch or implement a new feature, please open a
 +[pull request on GitHub](https://github.com/openssl/openssl/pulls).
 +If you are thinking of making a large contribution,
 +open an issue for it before starting work, to get comments from the community.
 +Someone may be already working on the same thing,
 +or there may be special reasons why a feature is not implemented.
 +
 +To make it easier to review and accept your pull request, please follow these
 +guidelines:
 +
 + 1. Anything other than a trivial contribution requires a [Contributor
 +    License Agreement] (CLA), giving us permission to use your code.
 +    If your contribution is too small to require a CLA (e.g., fixing a spelling
 +    mistake), then place the text "`CLA: trivial`" on a line by itself below
 +    the rest of your commit message separated by an empty line, like this:
 +
 +    ```
 +        One-line summary of trivial change
 +
 +        Optional main body of commit message. It might contain a sentence
 +        or two explaining the trivial change.
 +
 +        CLA: trivial
 +    ```
 +
 +    It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
 +    pull request description.
 +
 +    [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
 +
 +    To amend a missing "`CLA: trivial`" line after submission, do the following:
 +
 +    ```
 +        git commit --amend
 +        # add the line, save and quit the editor
 +        git push -f [<repository> [<branch>]]
 +    ```
 +
 + 2. All source files should start with the following text (with
 +    appropriate comment characters at the start of each line and the
 +    year(s) updated):
 +
 +    ```
 +        Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
 +
 +        Licensed under the Apache License 2.0 (the "License").  You may not use
 +        this file except in compliance with the License.  You can obtain a copy
 +        in the file LICENSE in the source distribution or at
 +        https://www.openssl.org/source/license.html
 +    ```
 +
 + 3. Patches should be as current as possible; expect to have to rebase
 +    often. We do not accept merge commits, you will have to remove them
 +    (usually by rebasing) before it will be acceptable.
 +
-  4. Code provided should follow our [coding style] and compile without warnings.
++ 4. Code provided should follow our [coding style] and [documentation policy]
++    and compile without warnings.
 +    There is a [Perl tool](util/check-format.pl) that helps
 +    finding code formatting mistakes and other coding style nits.
 +    Where `gcc` or `clang` is available, you should use the
 +    `--strict-warnings` `Configure` option.  OpenSSL compiles on many varied
 +    platforms: try to ensure you only use portable features.
 +    Clean builds via GitHub Actions are required. They are started automatically
 +    whenever a PR is created or updated by committers.
 +
 +    [coding style]: https://www.openssl.org/policies/technical/coding-style.html
++    [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
 +
 + 5. When at all possible, code contributions should include tests. These can
 +    either be added to an existing test, or completely new.  Please see
 +    [test/README.md](test/README.md) for information on the test framework.
 +
 + 6. New features or changed functionality must include
 +    documentation. Please look at the `.pod` files in `doc/man[1357]` for
 +    examples of our style. Run `make doc-nits` to make sure that your
 +    documentation changes are clean.
 +
 + 7. For user visible changes (API changes, behaviour changes, ...),
 +    consider adding a note in [CHANGES.md](CHANGES.md).
 +    This could be a summarising description of the change, and could
 +    explain the grander details.
 +    Have a look through existing entries for inspiration.
 +    Please note that this is NOT simply a copy of git-log one-liners.
 +    Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
 +    This file helps users get more in-depth information of what comes
 +    with a specific release without having to sift through the higher
 +    noise ratio in git-log.
 +
 + 8. For larger or more important user visible changes, as well as
 +    security fixes, please add a line in [NEWS.md](NEWS.md).
 +    On exception, it might be worth adding a multi-line entry (such as
 +    the entry that announces all the types that became opaque with
 +    OpenSSL 1.1.0).
 +    This file helps users get a very quick summary of what comes with a
 +    specific release, to see if an upgrade is worth the effort.
 +
 + 9. Guidelines how to integrate error output of new crypto library modules
 +    can be found in [crypto/err/README.md](crypto/err/README.md).
diff --cc crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy
index 000000000000,285dd5bebae8..285dd5bebae8
mode 000000,100644..100644
--- a/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy
+++ b/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy
diff --cc crypto/openssl/test/pathed.cnf
index 000000000000,07bdc1fdb209..07bdc1fdb209
mode 000000,100644..100644
--- a/crypto/openssl/test/pathed.cnf
+++ b/crypto/openssl/test/pathed.cnf
diff --cc crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
index 000000000000,e85e2953b7a2..e85e2953b7a2
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+++ b/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem