git: 44096ebd22dd - main - Update to OpenSSL 3.0.14
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 26 Jun 2024 23:51:52 UTC
The branch main has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=44096ebd22ddd0081a357011714eff8963614b65
commit 44096ebd22ddd0081a357011714eff8963614b65
Merge: 8c5c57212566 1070e7dca822
Author: Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2024-06-26 23:50:13 +0000
Commit: Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2024-06-26 23:50:13 +0000
Update to OpenSSL 3.0.14
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
MFC after: 3 days
Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
crypto/openssl/CHANGES.md | 69 ++++
crypto/openssl/CONTRIBUTING.md | 6 +-
crypto/openssl/Configurations/10-main.conf | 9 +-
crypto/openssl/Configurations/15-ios.conf | 6 +-
crypto/openssl/Configurations/unix-Makefile.tmpl | 14 +-
crypto/openssl/Configure | 3 +-
crypto/openssl/INSTALL.md | 9 +-
crypto/openssl/NEWS.md | 15 +
crypto/openssl/NOTES-NONSTOP.md | 5 +-
crypto/openssl/VERSION.dat | 4 +-
crypto/openssl/apps/lib/s_cb.c | 8 +-
crypto/openssl/apps/list.c | 3 +-
crypto/openssl/apps/ocsp.c | 4 +-
crypto/openssl/apps/pkcs12.c | 16 +-
crypto/openssl/apps/req.c | 2 +-
crypto/openssl/apps/speed.c | 6 +-
crypto/openssl/apps/ts.c | 11 +-
crypto/openssl/crypto/aes/build.info | 2 +-
crypto/openssl/crypto/bio/bio_lib.c | 10 +-
crypto/openssl/crypto/bio/bio_sock.c | 6 +-
crypto/openssl/crypto/bn/bn_lib.c | 53 ++-
crypto/openssl/crypto/bn/bn_rand.c | 166 ++++++--
crypto/openssl/crypto/bn/bn_shift.c | 8 +-
crypto/openssl/crypto/dsa/dsa_check.c | 46 ++-
crypto/openssl/crypto/dsa/dsa_ossl.c | 11 +-
crypto/openssl/crypto/dsa/dsa_sign.c | 9 +-
crypto/openssl/crypto/ec/build.info | 2 +-
.../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +-
crypto/openssl/crypto/ec/ecdsa_ossl.c | 15 +-
crypto/openssl/crypto/encode_decode/encoder_lib.c | 7 +-
crypto/openssl/crypto/engine/eng_pkey.c | 44 +--
crypto/openssl/crypto/err/openssl.ec | 4 +-
crypto/openssl/crypto/ess/ess_lib.c | 4 +-
crypto/openssl/crypto/evp/keymgmt_lib.c | 9 +-
crypto/openssl/crypto/evp/p_lib.c | 12 +-
crypto/openssl/crypto/evp/pmeth_lib.c | 69 +++-
crypto/openssl/crypto/evp/signature.c | 33 +-
crypto/openssl/crypto/init.c | 14 +-
crypto/openssl/crypto/o_str.c | 4 +-
crypto/openssl/crypto/property/property_parse.c | 3 +-
crypto/openssl/crypto/provider_core.c | 11 +-
crypto/openssl/crypto/sha/build.info | 2 +-
crypto/openssl/crypto/sm2/sm2_crypt.c | 37 +-
crypto/openssl/crypto/sm2/sm2_sign.c | 18 +-
crypto/openssl/crypto/x509/v3_addr.c | 4 +-
crypto/openssl/demos/digest/EVP_MD_demo.c | 4 +-
crypto/openssl/demos/digest/EVP_MD_stdin.c | 4 +-
crypto/openssl/doc/fingerprints.txt | 3 +
crypto/openssl/doc/internal/man3/OPTIONS.pod | 4 +-
.../doc/internal/man3/ossl_method_construct.pod | 4 +-
.../doc/internal/man3/ossl_provider_new.pod | 4 +-
.../internal/man3/ossl_random_add_conf_module.pod | 4 +-
crypto/openssl/doc/internal/man7/EVP_PKEY.pod | 4 +-
crypto/openssl/doc/man1/openssl-crl.pod.in | 5 +-
crypto/openssl/doc/man1/openssl-mac.pod.in | 17 +-
crypto/openssl/doc/man1/openssl-req.pod.in | 33 +-
crypto/openssl/doc/man1/openssl-smime.pod.in | 18 +-
crypto/openssl/doc/man1/openssl-storeutl.pod.in | 5 +-
crypto/openssl/doc/man1/openssl-ts.pod.in | 8 +-
crypto/openssl/doc/man3/DEFINE_STACK_OF.pod | 6 +-
crypto/openssl/doc/man3/EVP_DigestInit.pod | 4 +-
crypto/openssl/doc/man3/EVP_KDF.pod | 4 +-
.../openssl/doc/man3/EVP_PKEY_CTX_set_params.pod | 6 +-
crypto/openssl/doc/man3/EVP_PKEY_check.pod | 7 +-
crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod | 4 +-
crypto/openssl/doc/man3/SSL_CTX_set_cert_store.pod | 6 +-
crypto/openssl/doc/man3/SSL_CTX_set_verify.pod | 5 +-
.../openssl/doc/man3/SSL_CTX_use_certificate.pod | 5 +-
.../openssl/doc/man3/SSL_load_client_CA_file.pod | 20 +-
crypto/openssl/doc/man7/EVP_PKEY-SM2.pod | 5 +-
crypto/openssl/doc/man7/migration_guide.pod | 28 +-
crypto/openssl/e_os.h | 20 +-
crypto/openssl/engines/e_afalg.c | 6 +-
crypto/openssl/engines/e_dasync.c | 4 +-
crypto/openssl/fuzz/asn1.c | 16 +-
crypto/openssl/include/crypto/bn.h | 10 +-
crypto/openssl/include/internal/constant_time.h | 25 +-
crypto/openssl/include/openssl/sslerr.h | 4 +-
crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy | 23 ++
crypto/openssl/providers/fips-sources.checksums | 272 ++++++-------
crypto/openssl/providers/fips.checksum | 2 +-
crypto/openssl/providers/fips/fipsprov.c | 4 +-
.../providers/implementations/exchange/kdf_exch.c | 44 ++-
.../implementations/include/prov/ciphercommon.h | 15 +-
.../openssl/providers/implementations/kdfs/hkdf.c | 10 +-
.../openssl/providers/implementations/rands/drbg.c | 5 +-
.../providers/implementations/rands/drbg_ctr.c | 7 +-
.../providers/implementations/rands/drbg_hash.c | 5 +-
.../providers/implementations/rands/drbg_hmac.c | 5 +-
.../providers/implementations/rands/drbg_local.h | 3 +-
crypto/openssl/ssl/record/rec_layer_s3.c | 15 +
crypto/openssl/ssl/record/record.h | 3 +-
crypto/openssl/ssl/record/ssl3_buffer.c | 4 +-
crypto/openssl/ssl/ssl_err.c | 6 +-
crypto/openssl/ssl/ssl_lib.c | 10 +-
crypto/openssl/ssl/ssl_sess.c | 36 +-
crypto/openssl/ssl/statem/statem_srvr.c | 9 +-
crypto/openssl/ssl/t1_lib.c | 5 +-
crypto/openssl/test/bad_dtls_test.c | 4 +-
crypto/openssl/test/build.info | 1 +
crypto/openssl/test/cmp_hdr_test.c | 51 ++-
crypto/openssl/test/ct_test.c | 11 +-
crypto/openssl/test/dsatest.c | 10 +-
crypto/openssl/test/ecdsatest.c | 30 +-
crypto/openssl/test/ecstresstest.c | 4 +-
crypto/openssl/test/evp_extra_test.c | 48 ++-
crypto/openssl/test/evp_pkey_provided_test.c | 63 ++-
crypto/openssl/test/evp_test.c | 15 +-
crypto/openssl/test/helpers/ssltestlib.c | 35 +-
crypto/openssl/test/helpers/ssltestlib.h | 3 +-
crypto/openssl/test/keymgmt_internal_test.c | 10 +-
crypto/openssl/test/pathed.cnf | 22 ++
crypto/openssl/test/pkey_meth_kdf_test.c | 55 ++-
crypto/openssl/test/prov_config_test.c | 56 ++-
.../invalid/p10240_q256_too_big.pem | 57 +++
crypto/openssl/test/recipes/25-test_req.t | 3 +-
crypto/openssl/test/recipes/30-test_prov_config.t | 8 +-
crypto/openssl/test/recipes/80-test_pkcs12.t | 14 +-
crypto/openssl/test/recipes/90-test_shlibload.t | 3 +-
crypto/openssl/test/sm2_internal_test.c | 37 +-
crypto/openssl/test/ssl-tests/14-curves.cnf.in | 7 +-
crypto/openssl/test/ssl-tests/20-cert-select.cnf | 216 +++++------
.../openssl/test/ssl-tests/20-cert-select.cnf.in | 70 ++--
crypto/openssl/test/ssl-tests/28-seclevel.cnf.in | 8 +-
crypto/openssl/test/sslapitest.c | 426 ++++++++++++++++++---
crypto/openssl/test/sslbuffertest.c | 176 ++++++++-
crypto/openssl/test/test.cnf | 6 +
crypto/openssl/test/tls-provider.c | 13 +-
crypto/openssl/test/v3ext.c | 17 +-
129 files changed, 2301 insertions(+), 764 deletions(-)
diff --cc crypto/openssl/CONTRIBUTING.md
index 15490fd9f620,000000000000..fec6616e21fe
mode 100644,000000..100644
--- a/crypto/openssl/CONTRIBUTING.md
+++ b/crypto/openssl/CONTRIBUTING.md
@@@ -1,110 -1,0 +1,112 @@@
+HOW TO CONTRIBUTE TO OpenSSL
+============================
+
+Please visit our [Getting Started] page for other ideas about how to contribute.
+
+ [Getting Started]: <https://www.openssl.org/community/getting-started.html>
+
+Development is done on GitHub in the [openssl/openssl] repository.
+
+ [openssl/openssl]: <https://github.com/openssl/openssl>
+
- To request new a feature, ask a question, or report a bug,
++To request a new feature, ask a question, or report a bug,
+please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
+
+To submit a patch or implement a new feature, please open a
+[pull request on GitHub](https://github.com/openssl/openssl/pulls).
+If you are thinking of making a large contribution,
+open an issue for it before starting work, to get comments from the community.
+Someone may be already working on the same thing,
+or there may be special reasons why a feature is not implemented.
+
+To make it easier to review and accept your pull request, please follow these
+guidelines:
+
+ 1. Anything other than a trivial contribution requires a [Contributor
+ License Agreement] (CLA), giving us permission to use your code.
+ If your contribution is too small to require a CLA (e.g., fixing a spelling
+ mistake), then place the text "`CLA: trivial`" on a line by itself below
+ the rest of your commit message separated by an empty line, like this:
+
+ ```
+ One-line summary of trivial change
+
+ Optional main body of commit message. It might contain a sentence
+ or two explaining the trivial change.
+
+ CLA: trivial
+ ```
+
+ It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
+ pull request description.
+
+ [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
+
+ To amend a missing "`CLA: trivial`" line after submission, do the following:
+
+ ```
+ git commit --amend
+ # add the line, save and quit the editor
+ git push -f [<repository> [<branch>]]
+ ```
+
+ 2. All source files should start with the following text (with
+ appropriate comment characters at the start of each line and the
+ year(s) updated):
+
+ ```
+ Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
+
+ Licensed under the Apache License 2.0 (the "License"). You may not use
+ this file except in compliance with the License. You can obtain a copy
+ in the file LICENSE in the source distribution or at
+ https://www.openssl.org/source/license.html
+ ```
+
+ 3. Patches should be as current as possible; expect to have to rebase
+ often. We do not accept merge commits, you will have to remove them
+ (usually by rebasing) before it will be acceptable.
+
- 4. Code provided should follow our [coding style] and compile without warnings.
++ 4. Code provided should follow our [coding style] and [documentation policy]
++ and compile without warnings.
+ There is a [Perl tool](util/check-format.pl) that helps
+ finding code formatting mistakes and other coding style nits.
+ Where `gcc` or `clang` is available, you should use the
+ `--strict-warnings` `Configure` option. OpenSSL compiles on many varied
+ platforms: try to ensure you only use portable features.
+ Clean builds via GitHub Actions are required. They are started automatically
+ whenever a PR is created or updated by committers.
+
+ [coding style]: https://www.openssl.org/policies/technical/coding-style.html
++ [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
+
+ 5. When at all possible, code contributions should include tests. These can
+ either be added to an existing test, or completely new. Please see
+ [test/README.md](test/README.md) for information on the test framework.
+
+ 6. New features or changed functionality must include
+ documentation. Please look at the `.pod` files in `doc/man[1357]` for
+ examples of our style. Run `make doc-nits` to make sure that your
+ documentation changes are clean.
+
+ 7. For user visible changes (API changes, behaviour changes, ...),
+ consider adding a note in [CHANGES.md](CHANGES.md).
+ This could be a summarising description of the change, and could
+ explain the grander details.
+ Have a look through existing entries for inspiration.
+ Please note that this is NOT simply a copy of git-log one-liners.
+ Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
+ This file helps users get more in-depth information of what comes
+ with a specific release without having to sift through the higher
+ noise ratio in git-log.
+
+ 8. For larger or more important user visible changes, as well as
+ security fixes, please add a line in [NEWS.md](NEWS.md).
+ On exception, it might be worth adding a multi-line entry (such as
+ the entry that announces all the types that became opaque with
+ OpenSSL 1.1.0).
+ This file helps users get a very quick summary of what comes with a
+ specific release, to see if an upgrade is worth the effort.
+
+ 9. Guidelines how to integrate error output of new crypto library modules
+ can be found in [crypto/err/README.md](crypto/err/README.md).
diff --cc crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy
index 000000000000,285dd5bebae8..285dd5bebae8
mode 000000,100644..100644
--- a/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy
+++ b/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy
diff --cc crypto/openssl/test/pathed.cnf
index 000000000000,07bdc1fdb209..07bdc1fdb209
mode 000000,100644..100644
--- a/crypto/openssl/test/pathed.cnf
+++ b/crypto/openssl/test/pathed.cnf
diff --cc crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
index 000000000000,e85e2953b7a2..e85e2953b7a2
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+++ b/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem