git: 44096ebd22dd - main - Update to OpenSSL 3.0.14
Date: Wed, 26 Jun 2024 23:51:52 UTC
The branch main has been updated by ngie: URL: https://cgit.FreeBSD.org/src/commit/?id=44096ebd22ddd0081a357011714eff8963614b65 commit 44096ebd22ddd0081a357011714eff8963614b65 Merge: 8c5c57212566 1070e7dca822 Author: Enji Cooper <ngie@FreeBSD.org> AuthorDate: 2024-06-26 23:50:13 +0000 Commit: Enji Cooper <ngie@FreeBSD.org> CommitDate: 2024-06-26 23:50:13 +0000 Update to OpenSSL 3.0.14 This release resolves 3 upstream found CVEs: - Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741) - Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) - Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) MFC after: 3 days Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c' crypto/openssl/CHANGES.md | 69 ++++ crypto/openssl/CONTRIBUTING.md | 6 +- crypto/openssl/Configurations/10-main.conf | 9 +- crypto/openssl/Configurations/15-ios.conf | 6 +- crypto/openssl/Configurations/unix-Makefile.tmpl | 14 +- crypto/openssl/Configure | 3 +- crypto/openssl/INSTALL.md | 9 +- crypto/openssl/NEWS.md | 15 + crypto/openssl/NOTES-NONSTOP.md | 5 +- crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/lib/s_cb.c | 8 +- crypto/openssl/apps/list.c | 3 +- crypto/openssl/apps/ocsp.c | 4 +- crypto/openssl/apps/pkcs12.c | 16 +- crypto/openssl/apps/req.c | 2 +- crypto/openssl/apps/speed.c | 6 +- crypto/openssl/apps/ts.c | 11 +- crypto/openssl/crypto/aes/build.info | 2 +- crypto/openssl/crypto/bio/bio_lib.c | 10 +- crypto/openssl/crypto/bio/bio_sock.c | 6 +- crypto/openssl/crypto/bn/bn_lib.c | 53 ++- crypto/openssl/crypto/bn/bn_rand.c | 166 ++++++-- crypto/openssl/crypto/bn/bn_shift.c | 8 +- crypto/openssl/crypto/dsa/dsa_check.c | 46 ++- crypto/openssl/crypto/dsa/dsa_ossl.c | 11 +- crypto/openssl/crypto/dsa/dsa_sign.c | 9 +- crypto/openssl/crypto/ec/build.info | 2 +- .../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +- crypto/openssl/crypto/ec/ecdsa_ossl.c | 15 +- 
crypto/openssl/crypto/encode_decode/encoder_lib.c | 7 +- crypto/openssl/crypto/engine/eng_pkey.c | 44 +-- crypto/openssl/crypto/err/openssl.ec | 4 +- crypto/openssl/crypto/ess/ess_lib.c | 4 +- crypto/openssl/crypto/evp/keymgmt_lib.c | 9 +- crypto/openssl/crypto/evp/p_lib.c | 12 +- crypto/openssl/crypto/evp/pmeth_lib.c | 69 +++- crypto/openssl/crypto/evp/signature.c | 33 +- crypto/openssl/crypto/init.c | 14 +- crypto/openssl/crypto/o_str.c | 4 +- crypto/openssl/crypto/property/property_parse.c | 3 +- crypto/openssl/crypto/provider_core.c | 11 +- crypto/openssl/crypto/sha/build.info | 2 +- crypto/openssl/crypto/sm2/sm2_crypt.c | 37 +- crypto/openssl/crypto/sm2/sm2_sign.c | 18 +- crypto/openssl/crypto/x509/v3_addr.c | 4 +- crypto/openssl/demos/digest/EVP_MD_demo.c | 4 +- crypto/openssl/demos/digest/EVP_MD_stdin.c | 4 +- crypto/openssl/doc/fingerprints.txt | 3 + crypto/openssl/doc/internal/man3/OPTIONS.pod | 4 +- .../doc/internal/man3/ossl_method_construct.pod | 4 +- .../doc/internal/man3/ossl_provider_new.pod | 4 +- .../internal/man3/ossl_random_add_conf_module.pod | 4 +- crypto/openssl/doc/internal/man7/EVP_PKEY.pod | 4 +- crypto/openssl/doc/man1/openssl-crl.pod.in | 5 +- crypto/openssl/doc/man1/openssl-mac.pod.in | 17 +- crypto/openssl/doc/man1/openssl-req.pod.in | 33 +- crypto/openssl/doc/man1/openssl-smime.pod.in | 18 +- crypto/openssl/doc/man1/openssl-storeutl.pod.in | 5 +- crypto/openssl/doc/man1/openssl-ts.pod.in | 8 +- crypto/openssl/doc/man3/DEFINE_STACK_OF.pod | 6 +- crypto/openssl/doc/man3/EVP_DigestInit.pod | 4 +- crypto/openssl/doc/man3/EVP_KDF.pod | 4 +- .../openssl/doc/man3/EVP_PKEY_CTX_set_params.pod | 6 +- crypto/openssl/doc/man3/EVP_PKEY_check.pod | 7 +- crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod | 4 +- crypto/openssl/doc/man3/SSL_CTX_set_cert_store.pod | 6 +- crypto/openssl/doc/man3/SSL_CTX_set_verify.pod | 5 +- .../openssl/doc/man3/SSL_CTX_use_certificate.pod | 5 +- .../openssl/doc/man3/SSL_load_client_CA_file.pod | 20 +- 
crypto/openssl/doc/man7/EVP_PKEY-SM2.pod | 5 +- crypto/openssl/doc/man7/migration_guide.pod | 28 +- crypto/openssl/e_os.h | 20 +- crypto/openssl/engines/e_afalg.c | 6 +- crypto/openssl/engines/e_dasync.c | 4 +- crypto/openssl/fuzz/asn1.c | 16 +- crypto/openssl/include/crypto/bn.h | 10 +- crypto/openssl/include/internal/constant_time.h | 25 +- crypto/openssl/include/openssl/sslerr.h | 4 +- crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy | 23 ++ crypto/openssl/providers/fips-sources.checksums | 272 ++++++------- crypto/openssl/providers/fips.checksum | 2 +- crypto/openssl/providers/fips/fipsprov.c | 4 +- .../providers/implementations/exchange/kdf_exch.c | 44 ++- .../implementations/include/prov/ciphercommon.h | 15 +- .../openssl/providers/implementations/kdfs/hkdf.c | 10 +- .../openssl/providers/implementations/rands/drbg.c | 5 +- .../providers/implementations/rands/drbg_ctr.c | 7 +- .../providers/implementations/rands/drbg_hash.c | 5 +- .../providers/implementations/rands/drbg_hmac.c | 5 +- .../providers/implementations/rands/drbg_local.h | 3 +- crypto/openssl/ssl/record/rec_layer_s3.c | 15 + crypto/openssl/ssl/record/record.h | 3 +- crypto/openssl/ssl/record/ssl3_buffer.c | 4 +- crypto/openssl/ssl/ssl_err.c | 6 +- crypto/openssl/ssl/ssl_lib.c | 10 +- crypto/openssl/ssl/ssl_sess.c | 36 +- crypto/openssl/ssl/statem/statem_srvr.c | 9 +- crypto/openssl/ssl/t1_lib.c | 5 +- crypto/openssl/test/bad_dtls_test.c | 4 +- crypto/openssl/test/build.info | 1 + crypto/openssl/test/cmp_hdr_test.c | 51 ++- crypto/openssl/test/ct_test.c | 11 +- crypto/openssl/test/dsatest.c | 10 +- crypto/openssl/test/ecdsatest.c | 30 +- crypto/openssl/test/ecstresstest.c | 4 +- crypto/openssl/test/evp_extra_test.c | 48 ++- crypto/openssl/test/evp_pkey_provided_test.c | 63 ++- crypto/openssl/test/evp_test.c | 15 +- crypto/openssl/test/helpers/ssltestlib.c | 35 +- crypto/openssl/test/helpers/ssltestlib.h | 3 +- crypto/openssl/test/keymgmt_internal_test.c | 10 +- crypto/openssl/test/pathed.cnf | 22 
++ crypto/openssl/test/pkey_meth_kdf_test.c | 55 ++- crypto/openssl/test/prov_config_test.c | 56 ++- .../invalid/p10240_q256_too_big.pem | 57 +++ crypto/openssl/test/recipes/25-test_req.t | 3 +- crypto/openssl/test/recipes/30-test_prov_config.t | 8 +- crypto/openssl/test/recipes/80-test_pkcs12.t | 14 +- crypto/openssl/test/recipes/90-test_shlibload.t | 3 +- crypto/openssl/test/sm2_internal_test.c | 37 +- crypto/openssl/test/ssl-tests/14-curves.cnf.in | 7 +- crypto/openssl/test/ssl-tests/20-cert-select.cnf | 216 +++++------ .../openssl/test/ssl-tests/20-cert-select.cnf.in | 70 ++-- crypto/openssl/test/ssl-tests/28-seclevel.cnf.in | 8 +- crypto/openssl/test/sslapitest.c | 426 ++++++++++++++++++--- crypto/openssl/test/sslbuffertest.c | 176 ++++++++- crypto/openssl/test/test.cnf | 6 + crypto/openssl/test/tls-provider.c | 13 +- crypto/openssl/test/v3ext.c | 17 +- 129 files changed, 2301 insertions(+), 764 deletions(-) diff --cc crypto/openssl/CONTRIBUTING.md index 15490fd9f620,000000000000..fec6616e21fe mode 100644,000000..100644 --- a/crypto/openssl/CONTRIBUTING.md +++ b/crypto/openssl/CONTRIBUTING.md @@@ -1,110 -1,0 +1,112 @@@ +HOW TO CONTRIBUTE TO OpenSSL +============================ + +Please visit our [Getting Started] page for other ideas about how to contribute. + + [Getting Started]: <https://www.openssl.org/community/getting-started.html> + +Development is done on GitHub in the [openssl/openssl] repository. + + [openssl/openssl]: <https://github.com/openssl/openssl> + - To request new a feature, ask a question, or report a bug, ++To request a new feature, ask a question, or report a bug, +please open an [issue on GitHub](https://github.com/openssl/openssl/issues). + +To submit a patch or implement a new feature, please open a +[pull request on GitHub](https://github.com/openssl/openssl/pulls). +If you are thinking of making a large contribution, +open an issue for it before starting work, to get comments from the community. 
+Someone may be already working on the same thing, +or there may be special reasons why a feature is not implemented. + +To make it easier to review and accept your pull request, please follow these +guidelines: + + 1. Anything other than a trivial contribution requires a [Contributor + License Agreement] (CLA), giving us permission to use your code. + If your contribution is too small to require a CLA (e.g., fixing a spelling + mistake), then place the text "`CLA: trivial`" on a line by itself below + the rest of your commit message separated by an empty line, like this: + + ``` + One-line summary of trivial change + + Optional main body of commit message. It might contain a sentence + or two explaining the trivial change. + + CLA: trivial + ``` + + It is not sufficient to only place the text "`CLA: trivial`" in the GitHub + pull request description. + + [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html> + + To amend a missing "`CLA: trivial`" line after submission, do the following: + + ``` + git commit --amend + # add the line, save and quit the editor + git push -f [<repository> [<branch>]] + ``` + + 2. All source files should start with the following text (with + appropriate comment characters at the start of each line and the + year(s) updated): + + ``` + Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy + in the file LICENSE in the source distribution or at + https://www.openssl.org/source/license.html + ``` + + 3. Patches should be as current as possible; expect to have to rebase + often. We do not accept merge commits, you will have to remove them + (usually by rebasing) before it will be acceptable. + - 4. Code provided should follow our [coding style] and compile without warnings. ++ 4. 
Code provided should follow our [coding style] and [documentation policy] ++ and compile without warnings. + There is a [Perl tool](util/check-format.pl) that helps + finding code formatting mistakes and other coding style nits. + Where `gcc` or `clang` is available, you should use the + `--strict-warnings` `Configure` option. OpenSSL compiles on many varied + platforms: try to ensure you only use portable features. + Clean builds via GitHub Actions are required. They are started automatically + whenever a PR is created or updated by committers. + + [coding style]: https://www.openssl.org/policies/technical/coding-style.html ++ [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html + + 5. When at all possible, code contributions should include tests. These can + either be added to an existing test, or completely new. Please see + [test/README.md](test/README.md) for information on the test framework. + + 6. New features or changed functionality must include + documentation. Please look at the `.pod` files in `doc/man[1357]` for + examples of our style. Run `make doc-nits` to make sure that your + documentation changes are clean. + + 7. For user visible changes (API changes, behaviour changes, ...), + consider adding a note in [CHANGES.md](CHANGES.md). + This could be a summarising description of the change, and could + explain the grander details. + Have a look through existing entries for inspiration. + Please note that this is NOT simply a copy of git-log one-liners. + Also note that security fixes get an entry in [CHANGES.md](CHANGES.md). + This file helps users get more in-depth information of what comes + with a specific release without having to sift through the higher + noise ratio in git-log. + + 8. For larger or more important user visible changes, as well as + security fixes, please add a line in [NEWS.md](NEWS.md). 
+ On exception, it might be worth adding a multi-line entry (such as + the entry that announces all the types that became opaque with + OpenSSL 1.1.0). + This file helps users get a very quick summary of what comes with a + specific release, to see if an upgrade is worth the effort. + + 9. Guidelines how to integrate error output of new crypto library modules + can be found in [crypto/err/README.md](crypto/err/README.md). diff --cc crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy index 000000000000,285dd5bebae8..285dd5bebae8 mode 000000,100644..100644 --- a/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy +++ b/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy diff --cc crypto/openssl/test/pathed.cnf index 000000000000,07bdc1fdb209..07bdc1fdb209 mode 000000,100644..100644 --- a/crypto/openssl/test/pathed.cnf +++ b/crypto/openssl/test/pathed.cnf diff --cc crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem index 000000000000,e85e2953b7a2..e85e2953b7a2 mode 000000,100644..100644 --- a/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +++ b/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
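Review bot: in the CONTRIBUTING.md hunk, the new `++ [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html` reference drops the `www.` host prefix that the adjacent `[coding style]: https://www.openssl.org/policies/technical/coding-style.html` line and every other link in the file use; since this is upstream text brought in by a vendor merge it should stay untouched in this commit, but it is worth reporting upstream so the two policy links resolve consistently. The rest of the hunk is the expected merge shape for this file: the combined-diff header `index 15490fd9f620,000000000000..fec6616e21fe` shows the file is absent from the vendor parent, so single-`+` lines are unchanged main-branch content and only the `-`/`++` pairs (the "new a feature" typo fix and the two-line item 4 rewrite) are real edits.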
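Review bot: the three trailing `diff --cc` entries (os-dep/Apple/PrivacyInfo.xcprivacy, test/pathed.cnf and test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem) are header-only, which is what a combined diff emits for files taken verbatim from one parent, so their contents cannot be reviewed from this merge view. For the DSA test vector in particular, the commit message's CVE-2024-4603 entry (slow checks on excessively long DSA keys or parameters) together with the 46-line change to crypto/openssl/crypto/dsa/dsa_check.c in the diffstat indicates this file is the regression input for that fix; after the merge, confirm that the 15-test_dsaparam recipe rejects it promptly, as its placement under `invalid/` implies, rather than merely completing slowly, and that the `+1` in crypto/openssl/test/build.info wires the new test data and pathed.cnf into the test run.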