git: a7148ab39c03 - main - openssl: Import OpenSSL 3.0.15.
Date: Sun, 08 Sep 2024 04:32:18 UTC
The branch main has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=a7148ab39c03abd4d1a84997c70bf96f15dd2a09
commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09
Merge: 4086a0635d38 108164cf95d9
Author: Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2024-09-08 04:30:17 +0000
Commit: Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2024-09-08 04:31:22 +0000
openssl: Import OpenSSL 3.0.15.

This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by: gordon
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
crypto/openssl/CHANGES.md | 34 ++
crypto/openssl/CONTRIBUTING.md | 6 +-
crypto/openssl/Configurations/10-main.conf | 36 ++
crypto/openssl/Configurations/15-ios.conf | 2 +-
crypto/openssl/Configure | 10 +-
crypto/openssl/FAQ.md | 6 -
crypto/openssl/INSTALL.md | 4 +-
crypto/openssl/NEWS.md | 15 +
crypto/openssl/VERSION.dat | 4 +-
crypto/openssl/apps/cms.c | 4 +-
crypto/openssl/apps/dgst.c | 9 +-
crypto/openssl/apps/lib/opt.c | 4 +-
crypto/openssl/apps/lib/s_cb.c | 3 +-
crypto/openssl/apps/smime.c | 4 +-
crypto/openssl/crypto/aes/asm/aesp8-ppc.pl | 147 ++++--
crypto/openssl/crypto/aes/build.info | 4 +
crypto/openssl/crypto/asn1/a_d2i_fp.c | 5 +-
crypto/openssl/crypto/asn1/a_mbstr.c | 14 +-
crypto/openssl/crypto/asn1/a_strex.c | 11 +-
crypto/openssl/crypto/asn1/a_verify.c | 4 +-
crypto/openssl/crypto/asn1/tasn_fre.c | 8 +-
crypto/openssl/crypto/bio/bf_readbuff.c | 7 +-
crypto/openssl/crypto/bio/bio_addr.c | 12 +-
crypto/openssl/crypto/cmp/cmp_vfy.c | 4 +-
crypto/openssl/crypto/conf/conf_def.c | 4 +-
crypto/openssl/crypto/conf/conf_lib.c | 5 +-
crypto/openssl/crypto/conf/conf_sap.c | 4 +-
crypto/openssl/crypto/context.c | 4 +-
crypto/openssl/crypto/ec/ecdsa_ossl.c | 12 +-
crypto/openssl/crypto/engine/eng_table.c | 8 +-
crypto/openssl/crypto/evp/ctrl_params_translate.c | 5 +-
crypto/openssl/crypto/evp/digest.c | 4 +-
crypto/openssl/crypto/evp/names.c | 36 +-
crypto/openssl/crypto/evp/pmeth_lib.c | 11 +-
crypto/openssl/crypto/o_str.c | 6 +-
crypto/openssl/crypto/pkcs12/p12_crt.c | 17 +-
crypto/openssl/crypto/pkcs7/pk7_doit.c | 45 +-
crypto/openssl/crypto/property/property.c | 55 +-
crypto/openssl/crypto/rand/randfile.c | 13 +-
crypto/openssl/crypto/rsa/rsa_oaep.c | 4 +-
crypto/openssl/crypto/x509/v3_utl.c | 2 +-
crypto/openssl/crypto/x509/x_name.c | 6 +-
crypto/openssl/doc/HOWTO/certificates.txt | 2 +-
crypto/openssl/doc/fingerprints.txt | 3 -
crypto/openssl/doc/man1/openssl-enc.pod.in | 13 +-
.../doc/man1/openssl-passphrase-options.pod | 24 +-
crypto/openssl/doc/man1/openssl-s_client.pod.in | 8 +-
crypto/openssl/doc/man1/openssl-s_server.pod.in | 7 +-
.../doc/man1/openssl-verification-options.pod | 4 +-
crypto/openssl/doc/man3/ASN1_INTEGER_new.pod | 3 +-
crypto/openssl/doc/man3/ASYNC_WAIT_CTX_new.pod | 5 +-
crypto/openssl/doc/man3/BIO_ADDR.pod | 3 +-
crypto/openssl/doc/man3/BIO_ADDRINFO.pod | 4 +-
crypto/openssl/doc/man3/BIO_f_base64.pod | 26 +-
crypto/openssl/doc/man3/BIO_meth_new.pod | 4 +-
crypto/openssl/doc/man3/BN_add.pod | 22 +-
crypto/openssl/doc/man3/BN_generate_prime.pod | 5 +-
crypto/openssl/doc/man3/BN_set_bit.pod | 9 +-
crypto/openssl/doc/man3/BUF_MEM_new.pod | 3 +-
crypto/openssl/doc/man3/CRYPTO_THREAD_run_once.pod | 12 +-
crypto/openssl/doc/man3/CTLOG_STORE_new.pod | 4 +-
crypto/openssl/doc/man3/CTLOG_new.pod | 4 +-
crypto/openssl/doc/man3/CT_POLICY_EVAL_CTX_new.pod | 5 +-
crypto/openssl/doc/man3/DH_meth_new.pod | 4 +-
crypto/openssl/doc/man3/DSA_SIG_new.pod | 3 +-
crypto/openssl/doc/man3/DSA_meth_new.pod | 4 +-
crypto/openssl/doc/man3/ECDSA_SIG_new.pod | 3 +-
crypto/openssl/doc/man3/ENGINE_add.pod | 5 +-
crypto/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod | 4 +-
crypto/openssl/doc/man3/EVP_CIPHER_meth_new.pod | 3 +-
crypto/openssl/doc/man3/EVP_DigestInit.pod | 10 +-
crypto/openssl/doc/man3/EVP_EncodeInit.pod | 4 +-
crypto/openssl/doc/man3/EVP_EncryptInit.pod | 19 +-
crypto/openssl/doc/man3/EVP_KEM_free.pod | 3 +-
crypto/openssl/doc/man3/EVP_KEYEXCH_free.pod | 4 +-
crypto/openssl/doc/man3/EVP_KEYMGMT.pod | 3 +-
crypto/openssl/doc/man3/EVP_MD_meth_new.pod | 3 +-
crypto/openssl/doc/man3/EVP_PKEY_ASN1_METHOD.pod | 4 +-
crypto/openssl/doc/man3/EVP_PKEY_meth_new.pod | 4 +-
crypto/openssl/doc/man3/EVP_RAND.pod | 4 +-
crypto/openssl/doc/man3/EVP_SIGNATURE.pod | 4 +-
crypto/openssl/doc/man3/HMAC.pod | 4 +-
crypto/openssl/doc/man3/MD5.pod | 15 +-
crypto/openssl/doc/man3/NCONF_new_ex.pod | 4 +-
crypto/openssl/doc/man3/OCSP_REQUEST_new.pod | 3 +-
crypto/openssl/doc/man3/OCSP_cert_to_id.pod | 3 +-
crypto/openssl/doc/man3/OCSP_response_status.pod | 3 +-
crypto/openssl/doc/man3/OPENSSL_LH_COMPFUNC.pod | 4 +-
crypto/openssl/doc/man3/OPENSSL_init_crypto.pod | 3 +-
crypto/openssl/doc/man3/OPENSSL_malloc.pod | 5 +-
crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod | 8 +-
crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod | 8 +-
crypto/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod | 3 +-
crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod | 9 +-
crypto/openssl/doc/man3/OSSL_DECODER.pod | 3 +-
crypto/openssl/doc/man3/OSSL_DECODER_CTX.pod | 3 +-
.../doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod | 4 +-
crypto/openssl/doc/man3/OSSL_ENCODER.pod | 3 +-
crypto/openssl/doc/man3/OSSL_ENCODER_CTX.pod | 3 +-
crypto/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod | 3 +-
crypto/openssl/doc/man3/OSSL_LIB_CTX.pod | 4 +-
crypto/openssl/doc/man3/OSSL_PARAM_BLD.pod | 3 +-
crypto/openssl/doc/man3/OSSL_PARAM_dup.pod | 3 +-
crypto/openssl/doc/man3/OSSL_SELF_TEST_new.pod | 3 +-
crypto/openssl/doc/man3/OSSL_STORE_INFO.pod | 3 +-
crypto/openssl/doc/man3/OSSL_STORE_LOADER.pod | 23 +-
crypto/openssl/doc/man3/OSSL_STORE_SEARCH.pod | 3 +-
.../openssl/doc/man3/PEM_read_bio_PrivateKey.pod | 6 +-
crypto/openssl/doc/man3/RAND_set_DRBG_type.pod | 4 +-
crypto/openssl/doc/man3/RSA_meth_new.pod | 4 +-
crypto/openssl/doc/man3/SCT_new.pod | 8 +-
.../doc/man3/SSL_CTX_set_alpn_select_cb.pod | 28 +-
.../openssl/doc/man3/SSL_CTX_set_cipher_list.pod | 4 +-
.../doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 8 +-
crypto/openssl/doc/man3/TS_RESP_CTX_new.pod | 3 +-
crypto/openssl/doc/man3/X509V3_get_d2i.pod | 3 +-
crypto/openssl/doc/man3/X509_LOOKUP.pod | 3 +-
crypto/openssl/doc/man3/X509_LOOKUP_meth_new.pod | 3 +-
crypto/openssl/doc/man3/X509_STORE_new.pod | 3 +-
crypto/openssl/doc/man3/X509_dup.pod | 2 +-
crypto/openssl/doc/man3/X509_new.pod | 7 +-
crypto/openssl/doc/man3/d2i_X509.pod | 6 +-
crypto/openssl/doc/man7/EVP_KEYEXCH-DH.pod | 11 +-
crypto/openssl/doc/man7/EVP_PKEY-DH.pod | 62 +--
crypto/openssl/doc/man7/ossl_store.pod | 9 +-
crypto/openssl/fuzz/bignum.c | 9 +-
crypto/openssl/include/crypto/aes_platform.h | 4 +-
crypto/openssl/include/crypto/bn.h | 2 +-
crypto/openssl/include/openssl/tls1.h | 4 +-
crypto/openssl/providers/fips-sources.checksums | 18 +-
crypto/openssl/providers/fips.checksum | 2 +-
.../implementations/encode_decode/decode_der2key.c | 35 +-
.../openssl/providers/implementations/rands/drbg.c | 5 +
crypto/openssl/ssl/bio_ssl.c | 4 +-
crypto/openssl/ssl/ssl_lib.c | 63 ++-
crypto/openssl/ssl/ssl_sess.c | 34 +-
crypto/openssl/ssl/statem/extensions.c | 14 +-
crypto/openssl/ssl/statem/extensions_clnt.c | 29 +-
crypto/openssl/ssl/statem/extensions_srvr.c | 34 +-
crypto/openssl/ssl/statem/statem_lib.c | 6 +-
crypto/openssl/ssl/t1_lib.c | 2 +
crypto/openssl/test/build.info | 6 +-
crypto/openssl/test/crltest.c | 65 ++-
crypto/openssl/test/endecode_test.c | 22 +-
crypto/openssl/test/evp_byname_test.c | 40 ++
crypto/openssl/test/evp_extra_test.c | 21 +
crypto/openssl/test/helpers/handshake.c | 8 +-
crypto/openssl/test/hexstr_test.c | 11 +-
crypto/openssl/test/prov_config_test.c | 9 +-
crypto/openssl/test/provider_fallback_test.c | 14 +-
crypto/openssl/test/provider_internal_test.c | 4 +-
crypto/openssl/test/provider_test.c | 3 +-
crypto/openssl/test/recipes/03-test_fipsinstall.t | 44 +-
crypto/openssl/test/recipes/04-test_conf.t | 3 +-
.../recipes/04-test_conf_data/oversized_line.cnf | 3 +
.../recipes/04-test_conf_data/oversized_line.txt | 4 +
crypto/openssl/test/recipes/25-test_eai_data.t | 2 +-
crypto/openssl/test/recipes/30-test_evp_byname.t | 16 +
.../test/recipes/30-test_evp_data/evppkey_dsa.txt | 6 +-
.../recipes/30-test_evp_data/evppkey_ecdsa.txt | 3 +-
.../30-test_evp_data/evppkey_rsa_common.txt | 3 +-
crypto/openssl/test/recipes/70-test_npn.t | 73 +++
crypto/openssl/test/ssl-tests/08-npn.cnf | 553 ++++++++++++---------
crypto/openssl/test/ssl-tests/08-npn.cnf.in | 37 +-
crypto/openssl/test/ssl-tests/09-alpn.cnf | 66 ++-
crypto/openssl/test/ssl-tests/09-alpn.cnf.in | 35 +-
crypto/openssl/test/sslapitest.c | 370 +++++++++++++-
crypto/openssl/util/check-format-commit.sh | 171 +++++++
crypto/openssl/util/check-format-test-negatives.c | 5 +-
crypto/openssl/util/check-format.pl | 13 +-
crypto/openssl/util/perl/OpenSSL/Test/Utils.pm | 18 +-
crypto/openssl/util/perl/TLSProxy/Message.pm | 11 +-
crypto/openssl/util/perl/TLSProxy/NextProto.pm | 54 ++
crypto/openssl/util/perl/TLSProxy/Proxy.pm | 3 +-
174 files changed, 2312 insertions(+), 812 deletions(-)
diff --cc crypto/openssl/CONTRIBUTING.md
index fec6616e21fe,000000000000..cced15347d05
mode 100644,000000..100644
--- a/crypto/openssl/CONTRIBUTING.md
+++ b/crypto/openssl/CONTRIBUTING.md
@@@ -1,112 -1,0 +1,112 @@@
+HOW TO CONTRIBUTE TO OpenSSL
+============================
+
+Please visit our [Getting Started] page for other ideas about how to contribute.
+
- [Getting Started]: <https://www.openssl.org/community/getting-started.html>
++ [Getting Started]: <https://openssl-library.org/community/getting-started>
+
+Development is done on GitHub in the [openssl/openssl] repository.
+
+ [openssl/openssl]: <https://github.com/openssl/openssl>
+
+To request a new feature, ask a question, or report a bug,
+please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
+
+To submit a patch or implement a new feature, please open a
+[pull request on GitHub](https://github.com/openssl/openssl/pulls).
+If you are thinking of making a large contribution,
+open an issue for it before starting work, to get comments from the community.
+Someone may be already working on the same thing,
+or there may be special reasons why a feature is not implemented.
+
+To make it easier to review and accept your pull request, please follow these
+guidelines:
+
+ 1. Anything other than a trivial contribution requires a [Contributor
+ License Agreement] (CLA), giving us permission to use your code.
+ If your contribution is too small to require a CLA (e.g., fixing a spelling
+ mistake), then place the text "`CLA: trivial`" on a line by itself below
+ the rest of your commit message separated by an empty line, like this:
+
+ ```
+ One-line summary of trivial change
+
+ Optional main body of commit message. It might contain a sentence
+ or two explaining the trivial change.
+
+ CLA: trivial
+ ```
+
+ It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
+ pull request description.
+
+ [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
+
+ To amend a missing "`CLA: trivial`" line after submission, do the following:
+
+ ```
+ git commit --amend
+ # add the line, save and quit the editor
+ git push -f [<repository> [<branch>]]
+ ```
+
+ 2. All source files should start with the following text (with
+ appropriate comment characters at the start of each line and the
+ year(s) updated):
+
+ ```
+ Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
+
+ Licensed under the Apache License 2.0 (the "License"). You may not use
+ this file except in compliance with the License. You can obtain a copy
+ in the file LICENSE in the source distribution or at
+ https://www.openssl.org/source/license.html
+ ```
+
+ 3. Patches should be as current as possible; expect to have to rebase
+ often. We do not accept merge commits, you will have to remove them
+ (usually by rebasing) before it will be acceptable.
+
+ 4. Code provided should follow our [coding style] and [documentation policy]
+ and compile without warnings.
+ There is a [Perl tool](util/check-format.pl) that helps
+ finding code formatting mistakes and other coding style nits.
+ Where `gcc` or `clang` is available, you should use the
+ `--strict-warnings` `Configure` option. OpenSSL compiles on many varied
+ platforms: try to ensure you only use portable features.
+ Clean builds via GitHub Actions are required. They are started automatically
+ whenever a PR is created or updated by committers.
+
- [coding style]: https://www.openssl.org/policies/technical/coding-style.html
- [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
++ [coding style]: https://openssl-library.org/policies/technical/coding-style/
++ [documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
+
+ 5. When at all possible, code contributions should include tests. These can
+ either be added to an existing test, or completely new. Please see
+ [test/README.md](test/README.md) for information on the test framework.
+
+ 6. New features or changed functionality must include
+ documentation. Please look at the `.pod` files in `doc/man[1357]` for
+ examples of our style. Run `make doc-nits` to make sure that your
+ documentation changes are clean.
+
+ 7. For user visible changes (API changes, behaviour changes, ...),
+ consider adding a note in [CHANGES.md](CHANGES.md).
+ This could be a summarising description of the change, and could
+ explain the grander details.
+ Have a look through existing entries for inspiration.
+ Please note that this is NOT simply a copy of git-log one-liners.
+ Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
+ This file helps users get more in-depth information of what comes
+ with a specific release without having to sift through the higher
+ noise ratio in git-log.
+
+ 8. For larger or more important user visible changes, as well as
+ security fixes, please add a line in [NEWS.md](NEWS.md).
+ On exception, it might be worth adding a multi-line entry (such as
+ the entry that announces all the types that became opaque with
+ OpenSSL 1.1.0).
+ This file helps users get a very quick summary of what comes with a
+ specific release, to see if an upgrade is worth the effort.
+
+ 9. Guidelines how to integrate error output of new crypto library modules
+ can be found in [crypto/err/README.md](crypto/err/README.md).
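Review bot: The link update in this CONTRIBUTING.md hunk is only partial: [Getting Started], [coding style] and [documentation policy] now point at openssl-library.org, but the [Contributor License Agreement] reference in item 1 still uses https://www.openssl.org/policies/cla.html, and the license header text in item 2 still cites https://www.openssl.org/source/license.html. If the CLA page moved along with the other policy pages, that reference should change in the same pass. The license URL is part of the header text that every source file is asked to carry, so it should only change if the headers themselves change. As this is an import of the upstream release, either fix belongs upstream rather than as a local edit in this tree.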
diff --cc crypto/openssl/test/evp_byname_test.c
index 000000000000,e16e27a3a5ec..e16e27a3a5ec
mode 000000,100644..100644
--- a/crypto/openssl/test/evp_byname_test.c
+++ b/crypto/openssl/test/evp_byname_test.c
diff --cc crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf
index 000000000000,08988a2e0f1d..08988a2e0f1d
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf
+++ b/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf
diff --cc crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt
index 000000000000,c15b654300c7..c15b654300c7
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt
+++ b/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt
diff --cc crypto/openssl/test/recipes/30-test_evp_byname.t
index 000000000000,d06e874fe927..d06e874fe927
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/30-test_evp_byname.t
+++ b/crypto/openssl/test/recipes/30-test_evp_byname.t
diff --cc crypto/openssl/test/recipes/70-test_npn.t
index 000000000000,f82e71af6aca..f82e71af6aca
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/70-test_npn.t
+++ b/crypto/openssl/test/recipes/70-test_npn.t
diff --cc crypto/openssl/util/check-format-commit.sh
index 000000000000,7e712dc48cf6..7e712dc48cf6
mode 000000,100755..100755
--- a/crypto/openssl/util/check-format-commit.sh
+++ b/crypto/openssl/util/check-format-commit.sh
diff --cc crypto/openssl/util/perl/TLSProxy/NextProto.pm
index 000000000000,0e1834754667..0e1834754667
mode 000000,100644..100644
--- a/crypto/openssl/util/perl/TLSProxy/NextProto.pm
+++ b/crypto/openssl/util/perl/TLSProxy/NextProto.pm