From nobody Wed Jun 26 23:51:52 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4W8dlf3831z5QTxk; Wed, 26 Jun 2024 23:51:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4W8dld3qr3z4cp6; Wed, 26 Jun 2024 23:51:57 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1719445917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sNInyB3eWimWzoMZDMTL6Q52NPX25O693C+Kn+lcOmc=; b=UErp0lJtgCIijaH7cEwjw4oeYQeKXhBSRTXup+Hdo9qpFoSuxaCTErz+zYLUQ8kdewMbRw HacgR6HiWYCaAlxkiz8daRT++g4Qz62nXRAYc5sOXZNEjkh9Y10C08SKhDnjhxJuMi59jk qrsxZU85UeutEBHoq7MipkkW+nR/+tWm80MKHS/r+Uxro0rxSmGoue8HHocjTfb953ha97 4zNGN9EDxJQNcaY5cL2ycGDoGJoow/vxZZr2Cmt/TkDst2Ms0xup+fDpO/ed7aWPYm4Ktu KJs3YimZ6LzC+LXpQ4tUliCGqFUS7mJVuhXD/TZlyzzzxx79LcwuZM2atOySPA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1719445917; a=rsa-sha256; cv=none; b=wll/aNCsA7FuZbSR7XCh1VA2/TvBo7ykxErgGXO+4CJMXeUJEtuod5Kze7wDX4MhBwqDxR rdKpxsgvGOLDewCzY05igWGpxiaKmScVTwBs29JzfMlIGIKNVuSZtDfzld5rMwyiYRcnT8 LgRkTKTM+ilB2Gxti9N7x+OgKJ+V6UIJrA7mLwgZxW3DD3M6OKPe8xTKQ6YynGAohZzvd/ GbgPj3xxIRARlFa41X2xoIGZq+pwTIYNN2FD2xT6XNEun9E/zzlZob4l/XNY49rQxVUAlw V5wT3FUUiYcX4vm9FioT5SS3/sb57vcgToMLfbCTIOaI3856yboJs5221EnGOA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1719445917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sNInyB3eWimWzoMZDMTL6Q52NPX25O693C+Kn+lcOmc=; b=igwb5nOJPH385Nv25KHmnijX3gLdmEklXWpm8uXI+qNgw8bhZKMaNDvxuQchG3OFz0/hfY bmL96/Q5UrwLvUWRW04yEPZ7WDfFMye4JbDy3mhz8NIYfg3btKqGqGwNrc5mDbvUiKMxAo 3rqVrLkRCJw8Ighrh5r3bAspJSZsg85XnkEribKkj/Xir5uTkmgHdi8wfSoN3m5xhqbabZ bnn9xk2GBXISpYIioj6sjKRHmgIFRMmm2x4R3cgoZNbgD9gTGpQAcyRpSBWyImYG+rmqQ1 Vpm0QYSPiZJPq5snfwziqHF3NVflZXSiISNssMgHjA/7J12tyPi9gF9i+VQVXw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4W8dld3Mkrz15L6; Wed, 26 Jun 2024 23:51:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 45QNpvQb094340; Wed, 26 Jun 2024 23:51:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 45QNpq2w094322; Wed, 26 Jun 2024 23:51:52 GMT (envelope-from git) Date: Wed, 26 Jun 2024 23:51:52 GMT Message-Id: <202406262351.45QNpq2w094322@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Enji Cooper Subject: git: 44096ebd22dd - main - Update to OpenSSL 3.0.14 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ngie X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 44096ebd22ddd0081a357011714eff8963614b65 Auto-Submitted: auto-generated The branch main has been updated by ngie: URL: https://cgit.FreeBSD.org/src/commit/?id=44096ebd22ddd0081a357011714eff8963614b65 commit 44096ebd22ddd0081a357011714eff8963614b65 Merge: 8c5c57212566 1070e7dca822 Author: Enji Cooper AuthorDate: 2024-06-26 23:50:13 +0000 Commit: Enji Cooper CommitDate: 2024-06-26 23:50:13 +0000 Update to OpenSSL 3.0.14 This release resolves 3 upstream found CVEs: - Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741) - Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) - Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) MFC after: 3 days Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c' crypto/openssl/CHANGES.md | 69 ++++ crypto/openssl/CONTRIBUTING.md | 6 +- crypto/openssl/Configurations/10-main.conf | 9 +- crypto/openssl/Configurations/15-ios.conf | 6 +- crypto/openssl/Configurations/unix-Makefile.tmpl | 14 +- crypto/openssl/Configure | 3 +- crypto/openssl/INSTALL.md | 9 +- crypto/openssl/NEWS.md | 15 + crypto/openssl/NOTES-NONSTOP.md | 5 +- crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/lib/s_cb.c | 8 +- crypto/openssl/apps/list.c | 3 +- crypto/openssl/apps/ocsp.c | 4 +- crypto/openssl/apps/pkcs12.c | 16 +- crypto/openssl/apps/req.c | 2 +- crypto/openssl/apps/speed.c | 6 +- crypto/openssl/apps/ts.c | 11 +- crypto/openssl/crypto/aes/build.info | 2 +- crypto/openssl/crypto/bio/bio_lib.c | 10 +- crypto/openssl/crypto/bio/bio_sock.c | 6 +- crypto/openssl/crypto/bn/bn_lib.c | 53 ++- crypto/openssl/crypto/bn/bn_rand.c | 166 ++++++-- crypto/openssl/crypto/bn/bn_shift.c | 8 +- crypto/openssl/crypto/dsa/dsa_check.c | 46 ++- crypto/openssl/crypto/dsa/dsa_ossl.c | 11 +- crypto/openssl/crypto/dsa/dsa_sign.c | 9 +- crypto/openssl/crypto/ec/build.info | 2 +- .../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +- crypto/openssl/crypto/ec/ecdsa_ossl.c | 15 +- crypto/openssl/crypto/encode_decode/encoder_lib.c | 7 +- crypto/openssl/crypto/engine/eng_pkey.c | 44 +-- crypto/openssl/crypto/err/openssl.ec | 4 +- crypto/openssl/crypto/ess/ess_lib.c | 4 +- crypto/openssl/crypto/evp/keymgmt_lib.c | 9 +- crypto/openssl/crypto/evp/p_lib.c | 12 +- crypto/openssl/crypto/evp/pmeth_lib.c | 69 +++- crypto/openssl/crypto/evp/signature.c | 33 +- crypto/openssl/crypto/init.c | 14 +- crypto/openssl/crypto/o_str.c | 4 +- crypto/openssl/crypto/property/property_parse.c | 3 +- crypto/openssl/crypto/provider_core.c | 11 +- crypto/openssl/crypto/sha/build.info | 2 +- crypto/openssl/crypto/sm2/sm2_crypt.c | 37 +- crypto/openssl/crypto/sm2/sm2_sign.c | 18 +- crypto/openssl/crypto/x509/v3_addr.c | 4 +- crypto/openssl/demos/digest/EVP_MD_demo.c | 4 +- crypto/openssl/demos/digest/EVP_MD_stdin.c | 4 +- crypto/openssl/doc/fingerprints.txt | 3 + crypto/openssl/doc/internal/man3/OPTIONS.pod | 4 +- .../doc/internal/man3/ossl_method_construct.pod | 4 +- .../doc/internal/man3/ossl_provider_new.pod | 4 +- .../internal/man3/ossl_random_add_conf_module.pod | 4 +- crypto/openssl/doc/internal/man7/EVP_PKEY.pod | 4 +- crypto/openssl/doc/man1/openssl-crl.pod.in | 5 +- crypto/openssl/doc/man1/openssl-mac.pod.in | 17 +- crypto/openssl/doc/man1/openssl-req.pod.in | 33 +- crypto/openssl/doc/man1/openssl-smime.pod.in | 18 +- crypto/openssl/doc/man1/openssl-storeutl.pod.in | 5 +- crypto/openssl/doc/man1/openssl-ts.pod.in | 8 +- crypto/openssl/doc/man3/DEFINE_STACK_OF.pod | 6 +- crypto/openssl/doc/man3/EVP_DigestInit.pod | 4 +- crypto/openssl/doc/man3/EVP_KDF.pod | 4 +- .../openssl/doc/man3/EVP_PKEY_CTX_set_params.pod | 6 +- crypto/openssl/doc/man3/EVP_PKEY_check.pod | 7 +- crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod | 4 +- crypto/openssl/doc/man3/SSL_CTX_set_cert_store.pod | 6 +- crypto/openssl/doc/man3/SSL_CTX_set_verify.pod | 5 +- .../openssl/doc/man3/SSL_CTX_use_certificate.pod | 5 +- .../openssl/doc/man3/SSL_load_client_CA_file.pod | 20 +- crypto/openssl/doc/man7/EVP_PKEY-SM2.pod | 5 +- crypto/openssl/doc/man7/migration_guide.pod | 28 +- crypto/openssl/e_os.h | 20 +- crypto/openssl/engines/e_afalg.c | 6 +- crypto/openssl/engines/e_dasync.c | 4 +- crypto/openssl/fuzz/asn1.c | 16 +- crypto/openssl/include/crypto/bn.h | 10 +- crypto/openssl/include/internal/constant_time.h | 25 +- crypto/openssl/include/openssl/sslerr.h | 4 +- crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy | 23 ++ crypto/openssl/providers/fips-sources.checksums | 272 ++++++------- crypto/openssl/providers/fips.checksum | 2 +- crypto/openssl/providers/fips/fipsprov.c | 4 +- .../providers/implementations/exchange/kdf_exch.c | 44 ++- .../implementations/include/prov/ciphercommon.h | 15 +- .../openssl/providers/implementations/kdfs/hkdf.c | 10 +- .../openssl/providers/implementations/rands/drbg.c | 5 +- .../providers/implementations/rands/drbg_ctr.c | 7 +- .../providers/implementations/rands/drbg_hash.c | 5 +- .../providers/implementations/rands/drbg_hmac.c | 5 +- .../providers/implementations/rands/drbg_local.h | 3 +- crypto/openssl/ssl/record/rec_layer_s3.c | 15 + crypto/openssl/ssl/record/record.h | 3 +- crypto/openssl/ssl/record/ssl3_buffer.c | 4 +- crypto/openssl/ssl/ssl_err.c | 6 +- crypto/openssl/ssl/ssl_lib.c | 10 +- crypto/openssl/ssl/ssl_sess.c | 36 +- crypto/openssl/ssl/statem/statem_srvr.c | 9 +- crypto/openssl/ssl/t1_lib.c | 5 +- crypto/openssl/test/bad_dtls_test.c | 4 +- crypto/openssl/test/build.info | 1 + crypto/openssl/test/cmp_hdr_test.c | 51 ++- crypto/openssl/test/ct_test.c | 11 +- crypto/openssl/test/dsatest.c | 10 +- crypto/openssl/test/ecdsatest.c | 30 +- crypto/openssl/test/ecstresstest.c | 4 +- crypto/openssl/test/evp_extra_test.c | 48 ++- crypto/openssl/test/evp_pkey_provided_test.c | 63 ++- crypto/openssl/test/evp_test.c | 15 +- crypto/openssl/test/helpers/ssltestlib.c | 35 +- crypto/openssl/test/helpers/ssltestlib.h | 3 +- crypto/openssl/test/keymgmt_internal_test.c | 10 +- crypto/openssl/test/pathed.cnf | 22 ++ crypto/openssl/test/pkey_meth_kdf_test.c | 55 ++- crypto/openssl/test/prov_config_test.c | 56 ++- .../invalid/p10240_q256_too_big.pem | 57 +++ crypto/openssl/test/recipes/25-test_req.t | 3 +- crypto/openssl/test/recipes/30-test_prov_config.t | 8 +- crypto/openssl/test/recipes/80-test_pkcs12.t | 14 +- crypto/openssl/test/recipes/90-test_shlibload.t | 3 +- crypto/openssl/test/sm2_internal_test.c | 37 +- crypto/openssl/test/ssl-tests/14-curves.cnf.in | 7 +- crypto/openssl/test/ssl-tests/20-cert-select.cnf | 216 +++++------ .../openssl/test/ssl-tests/20-cert-select.cnf.in | 70 ++-- crypto/openssl/test/ssl-tests/28-seclevel.cnf.in | 8 +- crypto/openssl/test/sslapitest.c | 426 ++++++++++++++++++--- crypto/openssl/test/sslbuffertest.c | 176 ++++++++- crypto/openssl/test/test.cnf | 6 + crypto/openssl/test/tls-provider.c | 13 +- crypto/openssl/test/v3ext.c | 17 +- 129 files changed, 2301 insertions(+), 764 deletions(-) diff --cc crypto/openssl/CONTRIBUTING.md index 15490fd9f620,000000000000..fec6616e21fe mode 100644,000000..100644 --- a/crypto/openssl/CONTRIBUTING.md +++ b/crypto/openssl/CONTRIBUTING.md @@@ -1,110 -1,0 +1,112 @@@ +HOW TO CONTRIBUTE TO OpenSSL +============================ + +Please visit our [Getting Started] page for other ideas about how to contribute. + + [Getting Started]: + +Development is done on GitHub in the [openssl/openssl] repository. + + [openssl/openssl]: + - To request new a feature, ask a question, or report a bug, ++To request a new feature, ask a question, or report a bug, +please open an [issue on GitHub](https://github.com/openssl/openssl/issues). + +To submit a patch or implement a new feature, please open a +[pull request on GitHub](https://github.com/openssl/openssl/pulls). +If you are thinking of making a large contribution, +open an issue for it before starting work, to get comments from the community. +Someone may be already working on the same thing, +or there may be special reasons why a feature is not implemented. + +To make it easier to review and accept your pull request, please follow these +guidelines: + + 1. Anything other than a trivial contribution requires a [Contributor + License Agreement] (CLA), giving us permission to use your code. + If your contribution is too small to require a CLA (e.g., fixing a spelling + mistake), then place the text "`CLA: trivial`" on a line by itself below + the rest of your commit message separated by an empty line, like this: + + ``` + One-line summary of trivial change + + Optional main body of commit message. It might contain a sentence + or two explaining the trivial change. + + CLA: trivial + ``` + + It is not sufficient to only place the text "`CLA: trivial`" in the GitHub + pull request description. + + [Contributor License Agreement]: + + To amend a missing "`CLA: trivial`" line after submission, do the following: + + ``` + git commit --amend + # add the line, save and quit the editor + git push -f [ []] + ``` + + 2. All source files should start with the following text (with + appropriate comment characters at the start of each line and the + year(s) updated): + + ``` + Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy + in the file LICENSE in the source distribution or at + https://www.openssl.org/source/license.html + ``` + + 3. Patches should be as current as possible; expect to have to rebase + often. We do not accept merge commits, you will have to remove them + (usually by rebasing) before it will be acceptable. + - 4. Code provided should follow our [coding style] and compile without warnings. ++ 4. Code provided should follow our [coding style] and [documentation policy] ++ and compile without warnings. + There is a [Perl tool](util/check-format.pl) that helps + finding code formatting mistakes and other coding style nits. + Where `gcc` or `clang` is available, you should use the + `--strict-warnings` `Configure` option. OpenSSL compiles on many varied + platforms: try to ensure you only use portable features. + Clean builds via GitHub Actions are required. They are started automatically + whenever a PR is created or updated by committers. + + [coding style]: https://www.openssl.org/policies/technical/coding-style.html ++ [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html + + 5. When at all possible, code contributions should include tests. These can + either be added to an existing test, or completely new. Please see + [test/README.md](test/README.md) for information on the test framework. + + 6. New features or changed functionality must include + documentation. Please look at the `.pod` files in `doc/man[1357]` for + examples of our style. Run `make doc-nits` to make sure that your + documentation changes are clean. + + 7. For user visible changes (API changes, behaviour changes, ...), + consider adding a note in [CHANGES.md](CHANGES.md). + This could be a summarising description of the change, and could + explain the grander details. + Have a look through existing entries for inspiration. + Please note that this is NOT simply a copy of git-log one-liners. + Also note that security fixes get an entry in [CHANGES.md](CHANGES.md). + This file helps users get more in-depth information of what comes + with a specific release without having to sift through the higher + noise ratio in git-log. + + 8. For larger or more important user visible changes, as well as + security fixes, please add a line in [NEWS.md](NEWS.md). + On exception, it might be worth adding a multi-line entry (such as + the entry that announces all the types that became opaque with + OpenSSL 1.1.0). + This file helps users get a very quick summary of what comes with a + specific release, to see if an upgrade is worth the effort. + + 9. Guidelines how to integrate error output of new crypto library modules + can be found in [crypto/err/README.md](crypto/err/README.md). diff --cc crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy index 000000000000,285dd5bebae8..285dd5bebae8 mode 000000,100644..100644 --- a/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy +++ b/crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy diff --cc crypto/openssl/test/pathed.cnf index 000000000000,07bdc1fdb209..07bdc1fdb209 mode 000000,100644..100644 --- a/crypto/openssl/test/pathed.cnf +++ b/crypto/openssl/test/pathed.cnf diff --cc crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem index 000000000000,e85e2953b7a2..e85e2953b7a2 mode 000000,100644..100644 --- a/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +++ b/crypto/openssl/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem