git: a7148ab39c03 - main - openssl: Import OpenSSL 3.0.15.
Date: Sun, 08 Sep 2024 04:32:18 UTC
The branch main has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=a7148ab39c03abd4d1a84997c70bf96f15dd2a09

commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09
Merge: 4086a0635d38 108164cf95d9
Author:     Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2024-09-08 04:30:17 +0000
Commit:     Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2024-09-08 04:31:22 +0000

    openssl: Import OpenSSL 3.0.15.

    This release incorporates the following bug fixes and mitigations:

    - Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
    - Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

    Release notes can be found at:
    https://openssl-library.org/news/openssl-3.0-notes/index.html

    Co-authored-by: gordon
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'

crypto/openssl/CHANGES.md | 34 ++ crypto/openssl/CONTRIBUTING.md | 6 +- crypto/openssl/Configurations/10-main.conf | 36 ++ crypto/openssl/Configurations/15-ios.conf | 2 +- crypto/openssl/Configure | 10 +- crypto/openssl/FAQ.md | 6 - crypto/openssl/INSTALL.md | 4 +- crypto/openssl/NEWS.md | 15 + crypto/openssl/VERSION.dat | 4 +- crypto/openssl/apps/cms.c | 4 +- crypto/openssl/apps/dgst.c | 9 +- crypto/openssl/apps/lib/opt.c | 4 +- crypto/openssl/apps/lib/s_cb.c | 3 +- crypto/openssl/apps/smime.c | 4 +- crypto/openssl/crypto/aes/asm/aesp8-ppc.pl | 147 ++++-- crypto/openssl/crypto/aes/build.info | 4 + crypto/openssl/crypto/asn1/a_d2i_fp.c | 5 +- crypto/openssl/crypto/asn1/a_mbstr.c | 14 +- crypto/openssl/crypto/asn1/a_strex.c | 11 +- crypto/openssl/crypto/asn1/a_verify.c | 4 +- crypto/openssl/crypto/asn1/tasn_fre.c | 8 +- crypto/openssl/crypto/bio/bf_readbuff.c | 7 +- crypto/openssl/crypto/bio/bio_addr.c | 12 +- crypto/openssl/crypto/cmp/cmp_vfy.c | 4 +- crypto/openssl/crypto/conf/conf_def.c | 4 +- crypto/openssl/crypto/conf/conf_lib.c | 5 +- crypto/openssl/crypto/conf/conf_sap.c | 4 +- crypto/openssl/crypto/context.c | 4 
+- crypto/openssl/crypto/ec/ecdsa_ossl.c | 12 +- crypto/openssl/crypto/engine/eng_table.c | 8 +- crypto/openssl/crypto/evp/ctrl_params_translate.c | 5 +- crypto/openssl/crypto/evp/digest.c | 4 +- crypto/openssl/crypto/evp/names.c | 36 +- crypto/openssl/crypto/evp/pmeth_lib.c | 11 +- crypto/openssl/crypto/o_str.c | 6 +- crypto/openssl/crypto/pkcs12/p12_crt.c | 17 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 45 +- crypto/openssl/crypto/property/property.c | 55 +- crypto/openssl/crypto/rand/randfile.c | 13 +- crypto/openssl/crypto/rsa/rsa_oaep.c | 4 +- crypto/openssl/crypto/x509/v3_utl.c | 2 +- crypto/openssl/crypto/x509/x_name.c | 6 +- crypto/openssl/doc/HOWTO/certificates.txt | 2 +- crypto/openssl/doc/fingerprints.txt | 3 - crypto/openssl/doc/man1/openssl-enc.pod.in | 13 +- .../doc/man1/openssl-passphrase-options.pod | 24 +- crypto/openssl/doc/man1/openssl-s_client.pod.in | 8 +- crypto/openssl/doc/man1/openssl-s_server.pod.in | 7 +- .../doc/man1/openssl-verification-options.pod | 4 +- crypto/openssl/doc/man3/ASN1_INTEGER_new.pod | 3 +- crypto/openssl/doc/man3/ASYNC_WAIT_CTX_new.pod | 5 +- crypto/openssl/doc/man3/BIO_ADDR.pod | 3 +- crypto/openssl/doc/man3/BIO_ADDRINFO.pod | 4 +- crypto/openssl/doc/man3/BIO_f_base64.pod | 26 +- crypto/openssl/doc/man3/BIO_meth_new.pod | 4 +- crypto/openssl/doc/man3/BN_add.pod | 22 +- crypto/openssl/doc/man3/BN_generate_prime.pod | 5 +- crypto/openssl/doc/man3/BN_set_bit.pod | 9 +- crypto/openssl/doc/man3/BUF_MEM_new.pod | 3 +- crypto/openssl/doc/man3/CRYPTO_THREAD_run_once.pod | 12 +- crypto/openssl/doc/man3/CTLOG_STORE_new.pod | 4 +- crypto/openssl/doc/man3/CTLOG_new.pod | 4 +- crypto/openssl/doc/man3/CT_POLICY_EVAL_CTX_new.pod | 5 +- crypto/openssl/doc/man3/DH_meth_new.pod | 4 +- crypto/openssl/doc/man3/DSA_SIG_new.pod | 3 +- crypto/openssl/doc/man3/DSA_meth_new.pod | 4 +- crypto/openssl/doc/man3/ECDSA_SIG_new.pod | 3 +- crypto/openssl/doc/man3/ENGINE_add.pod | 5 +- crypto/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod | 4 +- 
crypto/openssl/doc/man3/EVP_CIPHER_meth_new.pod | 3 +- crypto/openssl/doc/man3/EVP_DigestInit.pod | 10 +- crypto/openssl/doc/man3/EVP_EncodeInit.pod | 4 +- crypto/openssl/doc/man3/EVP_EncryptInit.pod | 19 +- crypto/openssl/doc/man3/EVP_KEM_free.pod | 3 +- crypto/openssl/doc/man3/EVP_KEYEXCH_free.pod | 4 +- crypto/openssl/doc/man3/EVP_KEYMGMT.pod | 3 +- crypto/openssl/doc/man3/EVP_MD_meth_new.pod | 3 +- crypto/openssl/doc/man3/EVP_PKEY_ASN1_METHOD.pod | 4 +- crypto/openssl/doc/man3/EVP_PKEY_meth_new.pod | 4 +- crypto/openssl/doc/man3/EVP_RAND.pod | 4 +- crypto/openssl/doc/man3/EVP_SIGNATURE.pod | 4 +- crypto/openssl/doc/man3/HMAC.pod | 4 +- crypto/openssl/doc/man3/MD5.pod | 15 +- crypto/openssl/doc/man3/NCONF_new_ex.pod | 4 +- crypto/openssl/doc/man3/OCSP_REQUEST_new.pod | 3 +- crypto/openssl/doc/man3/OCSP_cert_to_id.pod | 3 +- crypto/openssl/doc/man3/OCSP_response_status.pod | 3 +- crypto/openssl/doc/man3/OPENSSL_LH_COMPFUNC.pod | 4 +- crypto/openssl/doc/man3/OPENSSL_init_crypto.pod | 3 +- crypto/openssl/doc/man3/OPENSSL_malloc.pod | 5 +- crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod | 8 +- crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod | 8 +- crypto/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod | 3 +- crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod | 9 +- crypto/openssl/doc/man3/OSSL_DECODER.pod | 3 +- crypto/openssl/doc/man3/OSSL_DECODER_CTX.pod | 3 +- .../doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod | 4 +- crypto/openssl/doc/man3/OSSL_ENCODER.pod | 3 +- crypto/openssl/doc/man3/OSSL_ENCODER_CTX.pod | 3 +- crypto/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod | 3 +- crypto/openssl/doc/man3/OSSL_LIB_CTX.pod | 4 +- crypto/openssl/doc/man3/OSSL_PARAM_BLD.pod | 3 +- crypto/openssl/doc/man3/OSSL_PARAM_dup.pod | 3 +- crypto/openssl/doc/man3/OSSL_SELF_TEST_new.pod | 3 +- crypto/openssl/doc/man3/OSSL_STORE_INFO.pod | 3 +- crypto/openssl/doc/man3/OSSL_STORE_LOADER.pod | 23 +- crypto/openssl/doc/man3/OSSL_STORE_SEARCH.pod | 3 +- .../openssl/doc/man3/PEM_read_bio_PrivateKey.pod | 6 +- 
crypto/openssl/doc/man3/RAND_set_DRBG_type.pod | 4 +- crypto/openssl/doc/man3/RSA_meth_new.pod | 4 +- crypto/openssl/doc/man3/SCT_new.pod | 8 +- .../doc/man3/SSL_CTX_set_alpn_select_cb.pod | 28 +- .../openssl/doc/man3/SSL_CTX_set_cipher_list.pod | 4 +- .../doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 8 +- crypto/openssl/doc/man3/TS_RESP_CTX_new.pod | 3 +- crypto/openssl/doc/man3/X509V3_get_d2i.pod | 3 +- crypto/openssl/doc/man3/X509_LOOKUP.pod | 3 +- crypto/openssl/doc/man3/X509_LOOKUP_meth_new.pod | 3 +- crypto/openssl/doc/man3/X509_STORE_new.pod | 3 +- crypto/openssl/doc/man3/X509_dup.pod | 2 +- crypto/openssl/doc/man3/X509_new.pod | 7 +- crypto/openssl/doc/man3/d2i_X509.pod | 6 +- crypto/openssl/doc/man7/EVP_KEYEXCH-DH.pod | 11 +- crypto/openssl/doc/man7/EVP_PKEY-DH.pod | 62 +-- crypto/openssl/doc/man7/ossl_store.pod | 9 +- crypto/openssl/fuzz/bignum.c | 9 +- crypto/openssl/include/crypto/aes_platform.h | 4 +- crypto/openssl/include/crypto/bn.h | 2 +- crypto/openssl/include/openssl/tls1.h | 4 +- crypto/openssl/providers/fips-sources.checksums | 18 +- crypto/openssl/providers/fips.checksum | 2 +- .../implementations/encode_decode/decode_der2key.c | 35 +- .../openssl/providers/implementations/rands/drbg.c | 5 + crypto/openssl/ssl/bio_ssl.c | 4 +- crypto/openssl/ssl/ssl_lib.c | 63 ++- crypto/openssl/ssl/ssl_sess.c | 34 +- crypto/openssl/ssl/statem/extensions.c | 14 +- crypto/openssl/ssl/statem/extensions_clnt.c | 29 +- crypto/openssl/ssl/statem/extensions_srvr.c | 34 +- crypto/openssl/ssl/statem/statem_lib.c | 6 +- crypto/openssl/ssl/t1_lib.c | 2 + crypto/openssl/test/build.info | 6 +- crypto/openssl/test/crltest.c | 65 ++- crypto/openssl/test/endecode_test.c | 22 +- crypto/openssl/test/evp_byname_test.c | 40 ++ crypto/openssl/test/evp_extra_test.c | 21 + crypto/openssl/test/helpers/handshake.c | 8 +- crypto/openssl/test/hexstr_test.c | 11 +- crypto/openssl/test/prov_config_test.c | 9 +- crypto/openssl/test/provider_fallback_test.c | 14 +- 
crypto/openssl/test/provider_internal_test.c | 4 +- crypto/openssl/test/provider_test.c | 3 +- crypto/openssl/test/recipes/03-test_fipsinstall.t | 44 +- crypto/openssl/test/recipes/04-test_conf.t | 3 +- .../recipes/04-test_conf_data/oversized_line.cnf | 3 + .../recipes/04-test_conf_data/oversized_line.txt | 4 + crypto/openssl/test/recipes/25-test_eai_data.t | 2 +- crypto/openssl/test/recipes/30-test_evp_byname.t | 16 + .../test/recipes/30-test_evp_data/evppkey_dsa.txt | 6 +- .../recipes/30-test_evp_data/evppkey_ecdsa.txt | 3 +- .../30-test_evp_data/evppkey_rsa_common.txt | 3 +- crypto/openssl/test/recipes/70-test_npn.t | 73 +++ crypto/openssl/test/ssl-tests/08-npn.cnf | 553 ++++++++++++--------- crypto/openssl/test/ssl-tests/08-npn.cnf.in | 37 +- crypto/openssl/test/ssl-tests/09-alpn.cnf | 66 ++- crypto/openssl/test/ssl-tests/09-alpn.cnf.in | 35 +- crypto/openssl/test/sslapitest.c | 370 +++++++++++++- crypto/openssl/util/check-format-commit.sh | 171 +++++++ crypto/openssl/util/check-format-test-negatives.c | 5 +- crypto/openssl/util/check-format.pl | 13 +- crypto/openssl/util/perl/OpenSSL/Test/Utils.pm | 18 +- crypto/openssl/util/perl/TLSProxy/Message.pm | 11 +- crypto/openssl/util/perl/TLSProxy/NextProto.pm | 54 ++ crypto/openssl/util/perl/TLSProxy/Proxy.pm | 3 +- 174 files changed, 2312 insertions(+), 812 deletions(-) diff --cc crypto/openssl/CONTRIBUTING.md index fec6616e21fe,000000000000..cced15347d05 mode 100644,000000..100644 --- a/crypto/openssl/CONTRIBUTING.md +++ b/crypto/openssl/CONTRIBUTING.md @@@ -1,112 -1,0 +1,112 @@@ +HOW TO CONTRIBUTE TO OpenSSL +============================ + +Please visit our [Getting Started] page for other ideas about how to contribute. + - [Getting Started]: <https://www.openssl.org/community/getting-started.html> ++ [Getting Started]: <https://openssl-library.org/community/getting-started> + +Development is done on GitHub in the [openssl/openssl] repository. 
+ + [openssl/openssl]: <https://github.com/openssl/openssl> + +To request a new feature, ask a question, or report a bug, +please open an [issue on GitHub](https://github.com/openssl/openssl/issues). + +To submit a patch or implement a new feature, please open a +[pull request on GitHub](https://github.com/openssl/openssl/pulls). +If you are thinking of making a large contribution, +open an issue for it before starting work, to get comments from the community. +Someone may be already working on the same thing, +or there may be special reasons why a feature is not implemented. + +To make it easier to review and accept your pull request, please follow these +guidelines: + + 1. Anything other than a trivial contribution requires a [Contributor + License Agreement] (CLA), giving us permission to use your code. + If your contribution is too small to require a CLA (e.g., fixing a spelling + mistake), then place the text "`CLA: trivial`" on a line by itself below + the rest of your commit message separated by an empty line, like this: + + ``` + One-line summary of trivial change + + Optional main body of commit message. It might contain a sentence + or two explaining the trivial change. + + CLA: trivial + ``` + + It is not sufficient to only place the text "`CLA: trivial`" in the GitHub + pull request description. + + [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html> + + To amend a missing "`CLA: trivial`" line after submission, do the following: + + ``` + git commit --amend + # add the line, save and quit the editor + git push -f [<repository> [<branch>]] + ``` + + 2. All source files should start with the following text (with + appropriate comment characters at the start of each line and the + year(s) updated): + + ``` + Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. 
You can obtain a copy + in the file LICENSE in the source distribution or at + https://www.openssl.org/source/license.html + ``` + + 3. Patches should be as current as possible; expect to have to rebase + often. We do not accept merge commits, you will have to remove them + (usually by rebasing) before it will be acceptable. + + 4. Code provided should follow our [coding style] and [documentation policy] + and compile without warnings. + There is a [Perl tool](util/check-format.pl) that helps + finding code formatting mistakes and other coding style nits. + Where `gcc` or `clang` is available, you should use the + `--strict-warnings` `Configure` option. OpenSSL compiles on many varied + platforms: try to ensure you only use portable features. + Clean builds via GitHub Actions are required. They are started automatically + whenever a PR is created or updated by committers. + - [coding style]: https://www.openssl.org/policies/technical/coding-style.html - [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html ++ [coding style]: https://openssl-library.org/policies/technical/coding-style/ ++ [documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/ + + 5. When at all possible, code contributions should include tests. These can + either be added to an existing test, or completely new. Please see + [test/README.md](test/README.md) for information on the test framework. + + 6. New features or changed functionality must include + documentation. Please look at the `.pod` files in `doc/man[1357]` for + examples of our style. Run `make doc-nits` to make sure that your + documentation changes are clean. + + 7. For user visible changes (API changes, behaviour changes, ...), + consider adding a note in [CHANGES.md](CHANGES.md). + This could be a summarising description of the change, and could + explain the grander details. + Have a look through existing entries for inspiration. 
+ Please note that this is NOT simply a copy of git-log one-liners. + Also note that security fixes get an entry in [CHANGES.md](CHANGES.md). + This file helps users get more in-depth information of what comes + with a specific release without having to sift through the higher + noise ratio in git-log. + + 8. For larger or more important user visible changes, as well as + security fixes, please add a line in [NEWS.md](NEWS.md). + On exception, it might be worth adding a multi-line entry (such as + the entry that announces all the types that became opaque with + OpenSSL 1.1.0). + This file helps users get a very quick summary of what comes with a + specific release, to see if an upgrade is worth the effort. + + 9. Guidelines how to integrate error output of new crypto library modules + can be found in [crypto/err/README.md](crypto/err/README.md). diff --cc crypto/openssl/test/evp_byname_test.c index 000000000000,e16e27a3a5ec..e16e27a3a5ec mode 000000,100644..100644 --- a/crypto/openssl/test/evp_byname_test.c +++ b/crypto/openssl/test/evp_byname_test.c diff --cc crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf index 000000000000,08988a2e0f1d..08988a2e0f1d mode 000000,100644..100644 --- a/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf +++ b/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf diff --cc crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt index 000000000000,c15b654300c7..c15b654300c7 mode 000000,100644..100644 --- a/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt +++ b/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt diff --cc crypto/openssl/test/recipes/30-test_evp_byname.t index 000000000000,d06e874fe927..d06e874fe927 mode 000000,100644..100644 --- a/crypto/openssl/test/recipes/30-test_evp_byname.t +++ b/crypto/openssl/test/recipes/30-test_evp_byname.t diff --cc crypto/openssl/test/recipes/70-test_npn.t index 000000000000,f82e71af6aca..f82e71af6aca mode 
000000,100644..100644 --- a/crypto/openssl/test/recipes/70-test_npn.t +++ b/crypto/openssl/test/recipes/70-test_npn.t diff --cc crypto/openssl/util/check-format-commit.sh index 000000000000,7e712dc48cf6..7e712dc48cf6 mode 000000,100755..100755 --- a/crypto/openssl/util/check-format-commit.sh +++ b/crypto/openssl/util/check-format-commit.sh diff --cc crypto/openssl/util/perl/TLSProxy/NextProto.pm index 000000000000,0e1834754667..0e1834754667 mode 000000,100644..100644 --- a/crypto/openssl/util/perl/TLSProxy/NextProto.pm +++ b/crypto/openssl/util/perl/TLSProxy/NextProto.pm
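Review bot: the link migration in the CONTRIBUTING.md conflict resolution is incomplete. The `++` lines move [Getting Started], [coding style] and [documentation policy] to openssl-library.org, but `[Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>` and the license URL `https://www.openssl.org/source/license.html` in item 2 are still www.openssl.org links in the same hunk. The header `index fec6616e21fe,000000000000..cced15347d05 mode 100644,000000..100644` also shows the file is absent on the vendor side (108164cf95d9), so what lands is FreeBSD's copy with three hand-edited links rather than a file carried from upstream; either check the whole file against the 3.0.15 version of CONTRIBUTING.md or say in the commit message why only those three link definitions were touched.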
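Review bot: none of the security-relevant changes are visible as hunks here, so this mail cannot be used to review the CVE fixes. The combined diff shows only the CONTRIBUTING.md resolution; the `diff --cc` entries for evp_byname_test.c, oversized_line.cnf/.txt, 30-test_evp_byname.t, 70-test_npn.t, check-format-commit.sh and TLSProxy/NextProto.pm are hunk-less because those new files were taken verbatim from the vendor side, and the diffstat changes to ssl/ssl_lib.c (63 lines, where SSL_select_next_proto() lives), ssl/statem/extensions_clnt.c and extensions_srvr.c, test/sslapitest.c (370 lines) and the two-line change to crypto/x509/v3_utl.c are not reproduced at all. The fixes for CVE-2024-5535 and CVE-2024-6119 therefore have to be reviewed in D46602 or in vendor commit 108164cf95d9; it would help the 1-week MFC if the commit message named the ssl/ and crypto/x509/ files that carry them.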