git: a7148ab39c03 - main - openssl: Import OpenSSL 3.0.15.

From: Enji Cooper <ngie_at_FreeBSD.org>
Date: Sun, 08 Sep 2024 04:32:18 UTC
The branch main has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=a7148ab39c03abd4d1a84997c70bf96f15dd2a09

commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09
Merge: 4086a0635d38 108164cf95d9
Author:     Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2024-09-08 04:30:17 +0000
Commit:     Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2024-09-08 04:31:22 +0000

    openssl: Import OpenSSL 3.0.15.
    
    This release incorporates the following bug fixes and mitigations:
    - Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
    - Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
    
    Release notes can be found at:
    https://openssl-library.org/news/openssl-3.0-notes/index.html
    
    Co-authored-by: gordon
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D46602
    
    Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'

 crypto/openssl/CHANGES.md                          |  34 ++
 crypto/openssl/CONTRIBUTING.md                     |   6 +-
 crypto/openssl/Configurations/10-main.conf         |  36 ++
 crypto/openssl/Configurations/15-ios.conf          |   2 +-
 crypto/openssl/Configure                           |  10 +-
 crypto/openssl/FAQ.md                              |   6 -
 crypto/openssl/INSTALL.md                          |   4 +-
 crypto/openssl/NEWS.md                             |  15 +
 crypto/openssl/VERSION.dat                         |   4 +-
 crypto/openssl/apps/cms.c                          |   4 +-
 crypto/openssl/apps/dgst.c                         |   9 +-
 crypto/openssl/apps/lib/opt.c                      |   4 +-
 crypto/openssl/apps/lib/s_cb.c                     |   3 +-
 crypto/openssl/apps/smime.c                        |   4 +-
 crypto/openssl/crypto/aes/asm/aesp8-ppc.pl         | 147 ++++--
 crypto/openssl/crypto/aes/build.info               |   4 +
 crypto/openssl/crypto/asn1/a_d2i_fp.c              |   5 +-
 crypto/openssl/crypto/asn1/a_mbstr.c               |  14 +-
 crypto/openssl/crypto/asn1/a_strex.c               |  11 +-
 crypto/openssl/crypto/asn1/a_verify.c              |   4 +-
 crypto/openssl/crypto/asn1/tasn_fre.c              |   8 +-
 crypto/openssl/crypto/bio/bf_readbuff.c            |   7 +-
 crypto/openssl/crypto/bio/bio_addr.c               |  12 +-
 crypto/openssl/crypto/cmp/cmp_vfy.c                |   4 +-
 crypto/openssl/crypto/conf/conf_def.c              |   4 +-
 crypto/openssl/crypto/conf/conf_lib.c              |   5 +-
 crypto/openssl/crypto/conf/conf_sap.c              |   4 +-
 crypto/openssl/crypto/context.c                    |   4 +-
 crypto/openssl/crypto/ec/ecdsa_ossl.c              |  12 +-
 crypto/openssl/crypto/engine/eng_table.c           |   8 +-
 crypto/openssl/crypto/evp/ctrl_params_translate.c  |   5 +-
 crypto/openssl/crypto/evp/digest.c                 |   4 +-
 crypto/openssl/crypto/evp/names.c                  |  36 +-
 crypto/openssl/crypto/evp/pmeth_lib.c              |  11 +-
 crypto/openssl/crypto/o_str.c                      |   6 +-
 crypto/openssl/crypto/pkcs12/p12_crt.c             |  17 +-
 crypto/openssl/crypto/pkcs7/pk7_doit.c             |  45 +-
 crypto/openssl/crypto/property/property.c          |  55 +-
 crypto/openssl/crypto/rand/randfile.c              |  13 +-
 crypto/openssl/crypto/rsa/rsa_oaep.c               |   4 +-
 crypto/openssl/crypto/x509/v3_utl.c                |   2 +-
 crypto/openssl/crypto/x509/x_name.c                |   6 +-
 crypto/openssl/doc/HOWTO/certificates.txt          |   2 +-
 crypto/openssl/doc/fingerprints.txt                |   3 -
 crypto/openssl/doc/man1/openssl-enc.pod.in         |  13 +-
 .../doc/man1/openssl-passphrase-options.pod        |  24 +-
 crypto/openssl/doc/man1/openssl-s_client.pod.in    |   8 +-
 crypto/openssl/doc/man1/openssl-s_server.pod.in    |   7 +-
 .../doc/man1/openssl-verification-options.pod      |   4 +-
 crypto/openssl/doc/man3/ASN1_INTEGER_new.pod       |   3 +-
 crypto/openssl/doc/man3/ASYNC_WAIT_CTX_new.pod     |   5 +-
 crypto/openssl/doc/man3/BIO_ADDR.pod               |   3 +-
 crypto/openssl/doc/man3/BIO_ADDRINFO.pod           |   4 +-
 crypto/openssl/doc/man3/BIO_f_base64.pod           |  26 +-
 crypto/openssl/doc/man3/BIO_meth_new.pod           |   4 +-
 crypto/openssl/doc/man3/BN_add.pod                 |  22 +-
 crypto/openssl/doc/man3/BN_generate_prime.pod      |   5 +-
 crypto/openssl/doc/man3/BN_set_bit.pod             |   9 +-
 crypto/openssl/doc/man3/BUF_MEM_new.pod            |   3 +-
 crypto/openssl/doc/man3/CRYPTO_THREAD_run_once.pod |  12 +-
 crypto/openssl/doc/man3/CTLOG_STORE_new.pod        |   4 +-
 crypto/openssl/doc/man3/CTLOG_new.pod              |   4 +-
 crypto/openssl/doc/man3/CT_POLICY_EVAL_CTX_new.pod |   5 +-
 crypto/openssl/doc/man3/DH_meth_new.pod            |   4 +-
 crypto/openssl/doc/man3/DSA_SIG_new.pod            |   3 +-
 crypto/openssl/doc/man3/DSA_meth_new.pod           |   4 +-
 crypto/openssl/doc/man3/ECDSA_SIG_new.pod          |   3 +-
 crypto/openssl/doc/man3/ENGINE_add.pod             |   5 +-
 crypto/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod   |   4 +-
 crypto/openssl/doc/man3/EVP_CIPHER_meth_new.pod    |   3 +-
 crypto/openssl/doc/man3/EVP_DigestInit.pod         |  10 +-
 crypto/openssl/doc/man3/EVP_EncodeInit.pod         |   4 +-
 crypto/openssl/doc/man3/EVP_EncryptInit.pod        |  19 +-
 crypto/openssl/doc/man3/EVP_KEM_free.pod           |   3 +-
 crypto/openssl/doc/man3/EVP_KEYEXCH_free.pod       |   4 +-
 crypto/openssl/doc/man3/EVP_KEYMGMT.pod            |   3 +-
 crypto/openssl/doc/man3/EVP_MD_meth_new.pod        |   3 +-
 crypto/openssl/doc/man3/EVP_PKEY_ASN1_METHOD.pod   |   4 +-
 crypto/openssl/doc/man3/EVP_PKEY_meth_new.pod      |   4 +-
 crypto/openssl/doc/man3/EVP_RAND.pod               |   4 +-
 crypto/openssl/doc/man3/EVP_SIGNATURE.pod          |   4 +-
 crypto/openssl/doc/man3/HMAC.pod                   |   4 +-
 crypto/openssl/doc/man3/MD5.pod                    |  15 +-
 crypto/openssl/doc/man3/NCONF_new_ex.pod           |   4 +-
 crypto/openssl/doc/man3/OCSP_REQUEST_new.pod       |   3 +-
 crypto/openssl/doc/man3/OCSP_cert_to_id.pod        |   3 +-
 crypto/openssl/doc/man3/OCSP_response_status.pod   |   3 +-
 crypto/openssl/doc/man3/OPENSSL_LH_COMPFUNC.pod    |   4 +-
 crypto/openssl/doc/man3/OPENSSL_init_crypto.pod    |   3 +-
 crypto/openssl/doc/man3/OPENSSL_malloc.pod         |   5 +-
 crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod  |   8 +-
 crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod       |   8 +-
 crypto/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod   |   3 +-
 crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod  |   9 +-
 crypto/openssl/doc/man3/OSSL_DECODER.pod           |   3 +-
 crypto/openssl/doc/man3/OSSL_DECODER_CTX.pod       |   3 +-
 .../doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod     |   4 +-
 crypto/openssl/doc/man3/OSSL_ENCODER.pod           |   3 +-
 crypto/openssl/doc/man3/OSSL_ENCODER_CTX.pod       |   3 +-
 crypto/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod      |   3 +-
 crypto/openssl/doc/man3/OSSL_LIB_CTX.pod           |   4 +-
 crypto/openssl/doc/man3/OSSL_PARAM_BLD.pod         |   3 +-
 crypto/openssl/doc/man3/OSSL_PARAM_dup.pod         |   3 +-
 crypto/openssl/doc/man3/OSSL_SELF_TEST_new.pod     |   3 +-
 crypto/openssl/doc/man3/OSSL_STORE_INFO.pod        |   3 +-
 crypto/openssl/doc/man3/OSSL_STORE_LOADER.pod      |  23 +-
 crypto/openssl/doc/man3/OSSL_STORE_SEARCH.pod      |   3 +-
 .../openssl/doc/man3/PEM_read_bio_PrivateKey.pod   |   6 +-
 crypto/openssl/doc/man3/RAND_set_DRBG_type.pod     |   4 +-
 crypto/openssl/doc/man3/RSA_meth_new.pod           |   4 +-
 crypto/openssl/doc/man3/SCT_new.pod                |   8 +-
 .../doc/man3/SSL_CTX_set_alpn_select_cb.pod        |  28 +-
 .../openssl/doc/man3/SSL_CTX_set_cipher_list.pod   |   4 +-
 .../doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod  |   8 +-
 crypto/openssl/doc/man3/TS_RESP_CTX_new.pod        |   3 +-
 crypto/openssl/doc/man3/X509V3_get_d2i.pod         |   3 +-
 crypto/openssl/doc/man3/X509_LOOKUP.pod            |   3 +-
 crypto/openssl/doc/man3/X509_LOOKUP_meth_new.pod   |   3 +-
 crypto/openssl/doc/man3/X509_STORE_new.pod         |   3 +-
 crypto/openssl/doc/man3/X509_dup.pod               |   2 +-
 crypto/openssl/doc/man3/X509_new.pod               |   7 +-
 crypto/openssl/doc/man3/d2i_X509.pod               |   6 +-
 crypto/openssl/doc/man7/EVP_KEYEXCH-DH.pod         |  11 +-
 crypto/openssl/doc/man7/EVP_PKEY-DH.pod            |  62 +--
 crypto/openssl/doc/man7/ossl_store.pod             |   9 +-
 crypto/openssl/fuzz/bignum.c                       |   9 +-
 crypto/openssl/include/crypto/aes_platform.h       |   4 +-
 crypto/openssl/include/crypto/bn.h                 |   2 +-
 crypto/openssl/include/openssl/tls1.h              |   4 +-
 crypto/openssl/providers/fips-sources.checksums    |  18 +-
 crypto/openssl/providers/fips.checksum             |   2 +-
 .../implementations/encode_decode/decode_der2key.c |  35 +-
 .../openssl/providers/implementations/rands/drbg.c |   5 +
 crypto/openssl/ssl/bio_ssl.c                       |   4 +-
 crypto/openssl/ssl/ssl_lib.c                       |  63 ++-
 crypto/openssl/ssl/ssl_sess.c                      |  34 +-
 crypto/openssl/ssl/statem/extensions.c             |  14 +-
 crypto/openssl/ssl/statem/extensions_clnt.c        |  29 +-
 crypto/openssl/ssl/statem/extensions_srvr.c        |  34 +-
 crypto/openssl/ssl/statem/statem_lib.c             |   6 +-
 crypto/openssl/ssl/t1_lib.c                        |   2 +
 crypto/openssl/test/build.info                     |   6 +-
 crypto/openssl/test/crltest.c                      |  65 ++-
 crypto/openssl/test/endecode_test.c                |  22 +-
 crypto/openssl/test/evp_byname_test.c              |  40 ++
 crypto/openssl/test/evp_extra_test.c               |  21 +
 crypto/openssl/test/helpers/handshake.c            |   8 +-
 crypto/openssl/test/hexstr_test.c                  |  11 +-
 crypto/openssl/test/prov_config_test.c             |   9 +-
 crypto/openssl/test/provider_fallback_test.c       |  14 +-
 crypto/openssl/test/provider_internal_test.c       |   4 +-
 crypto/openssl/test/provider_test.c                |   3 +-
 crypto/openssl/test/recipes/03-test_fipsinstall.t  |  44 +-
 crypto/openssl/test/recipes/04-test_conf.t         |   3 +-
 .../recipes/04-test_conf_data/oversized_line.cnf   |   3 +
 .../recipes/04-test_conf_data/oversized_line.txt   |   4 +
 crypto/openssl/test/recipes/25-test_eai_data.t     |   2 +-
 crypto/openssl/test/recipes/30-test_evp_byname.t   |  16 +
 .../test/recipes/30-test_evp_data/evppkey_dsa.txt  |   6 +-
 .../recipes/30-test_evp_data/evppkey_ecdsa.txt     |   3 +-
 .../30-test_evp_data/evppkey_rsa_common.txt        |   3 +-
 crypto/openssl/test/recipes/70-test_npn.t          |  73 +++
 crypto/openssl/test/ssl-tests/08-npn.cnf           | 553 ++++++++++++---------
 crypto/openssl/test/ssl-tests/08-npn.cnf.in        |  37 +-
 crypto/openssl/test/ssl-tests/09-alpn.cnf          |  66 ++-
 crypto/openssl/test/ssl-tests/09-alpn.cnf.in       |  35 +-
 crypto/openssl/test/sslapitest.c                   | 370 +++++++++++++-
 crypto/openssl/util/check-format-commit.sh         | 171 +++++++
 crypto/openssl/util/check-format-test-negatives.c  |   5 +-
 crypto/openssl/util/check-format.pl                |  13 +-
 crypto/openssl/util/perl/OpenSSL/Test/Utils.pm     |  18 +-
 crypto/openssl/util/perl/TLSProxy/Message.pm       |  11 +-
 crypto/openssl/util/perl/TLSProxy/NextProto.pm     |  54 ++
 crypto/openssl/util/perl/TLSProxy/Proxy.pm         |   3 +-
 174 files changed, 2312 insertions(+), 812 deletions(-)

diff --cc crypto/openssl/CONTRIBUTING.md
index fec6616e21fe,000000000000..cced15347d05
mode 100644,000000..100644
--- a/crypto/openssl/CONTRIBUTING.md
+++ b/crypto/openssl/CONTRIBUTING.md
@@@ -1,112 -1,0 +1,112 @@@
 +HOW TO CONTRIBUTE TO OpenSSL
 +============================
 +
 +Please visit our [Getting Started] page for other ideas about how to contribute.
 +
-   [Getting Started]: <https://www.openssl.org/community/getting-started.html>
++  [Getting Started]: <https://openssl-library.org/community/getting-started>
 +
 +Development is done on GitHub in the [openssl/openssl] repository.
 +
 +  [openssl/openssl]: <https://github.com/openssl/openssl>
 +
 +To request a new feature, ask a question, or report a bug,
 +please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
 +
 +To submit a patch or implement a new feature, please open a
 +[pull request on GitHub](https://github.com/openssl/openssl/pulls).
 +If you are thinking of making a large contribution,
 +open an issue for it before starting work, to get comments from the community.
 +Someone may be already working on the same thing,
 +or there may be special reasons why a feature is not implemented.
 +
 +To make it easier to review and accept your pull request, please follow these
 +guidelines:
 +
 + 1. Anything other than a trivial contribution requires a [Contributor
 +    License Agreement] (CLA), giving us permission to use your code.
 +    If your contribution is too small to require a CLA (e.g., fixing a spelling
 +    mistake), then place the text "`CLA: trivial`" on a line by itself below
 +    the rest of your commit message separated by an empty line, like this:
 +
 +    ```
 +        One-line summary of trivial change
 +
 +        Optional main body of commit message. It might contain a sentence
 +        or two explaining the trivial change.
 +
 +        CLA: trivial
 +    ```
 +
 +    It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
 +    pull request description.
 +
 +    [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
 +
 +    To amend a missing "`CLA: trivial`" line after submission, do the following:
 +
 +    ```
 +        git commit --amend
 +        # add the line, save and quit the editor
 +        git push -f [<repository> [<branch>]]
 +    ```
 +
 + 2. All source files should start with the following text (with
 +    appropriate comment characters at the start of each line and the
 +    year(s) updated):
 +
 +    ```
 +        Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
 +
 +        Licensed under the Apache License 2.0 (the "License").  You may not use
 +        this file except in compliance with the License.  You can obtain a copy
 +        in the file LICENSE in the source distribution or at
 +        https://www.openssl.org/source/license.html
 +    ```
 +
 + 3. Patches should be as current as possible; expect to have to rebase
 +    often. We do not accept merge commits, you will have to remove them
 +    (usually by rebasing) before it will be acceptable.
 +
 + 4. Code provided should follow our [coding style] and [documentation policy]
 +    and compile without warnings.
 +    There is a [Perl tool](util/check-format.pl) that helps
 +    finding code formatting mistakes and other coding style nits.
 +    Where `gcc` or `clang` is available, you should use the
 +    `--strict-warnings` `Configure` option.  OpenSSL compiles on many varied
 +    platforms: try to ensure you only use portable features.
 +    Clean builds via GitHub Actions are required. They are started automatically
 +    whenever a PR is created or updated by committers.
 +
-     [coding style]: https://www.openssl.org/policies/technical/coding-style.html
-     [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
++    [coding style]: https://openssl-library.org/policies/technical/coding-style/
++    [documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
 +
 + 5. When at all possible, code contributions should include tests. These can
 +    either be added to an existing test, or completely new.  Please see
 +    [test/README.md](test/README.md) for information on the test framework.
 +
 + 6. New features or changed functionality must include
 +    documentation. Please look at the `.pod` files in `doc/man[1357]` for
 +    examples of our style. Run `make doc-nits` to make sure that your
 +    documentation changes are clean.
 +
 + 7. For user visible changes (API changes, behaviour changes, ...),
 +    consider adding a note in [CHANGES.md](CHANGES.md).
 +    This could be a summarising description of the change, and could
 +    explain the grander details.
 +    Have a look through existing entries for inspiration.
 +    Please note that this is NOT simply a copy of git-log one-liners.
 +    Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
 +    This file helps users get more in-depth information of what comes
 +    with a specific release without having to sift through the higher
 +    noise ratio in git-log.
 +
 + 8. For larger or more important user visible changes, as well as
 +    security fixes, please add a line in [NEWS.md](NEWS.md).
 +    On exception, it might be worth adding a multi-line entry (such as
 +    the entry that announces all the types that became opaque with
 +    OpenSSL 1.1.0).
 +    This file helps users get a very quick summary of what comes with a
 +    specific release, to see if an upgrade is worth the effort.
 +
 + 9. Guidelines how to integrate error output of new crypto library modules
 +    can be found in [crypto/err/README.md](crypto/err/README.md).
diff --cc crypto/openssl/test/evp_byname_test.c
index 000000000000,e16e27a3a5ec..e16e27a3a5ec
mode 000000,100644..100644
--- a/crypto/openssl/test/evp_byname_test.c
+++ b/crypto/openssl/test/evp_byname_test.c
diff --cc crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf
index 000000000000,08988a2e0f1d..08988a2e0f1d
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf
+++ b/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.cnf
diff --cc crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt
index 000000000000,c15b654300c7..c15b654300c7
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt
+++ b/crypto/openssl/test/recipes/04-test_conf_data/oversized_line.txt
diff --cc crypto/openssl/test/recipes/30-test_evp_byname.t
index 000000000000,d06e874fe927..d06e874fe927
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/30-test_evp_byname.t
+++ b/crypto/openssl/test/recipes/30-test_evp_byname.t
diff --cc crypto/openssl/test/recipes/70-test_npn.t
index 000000000000,f82e71af6aca..f82e71af6aca
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/70-test_npn.t
+++ b/crypto/openssl/test/recipes/70-test_npn.t
diff --cc crypto/openssl/util/check-format-commit.sh
index 000000000000,7e712dc48cf6..7e712dc48cf6
mode 000000,100755..100755
--- a/crypto/openssl/util/check-format-commit.sh
+++ b/crypto/openssl/util/check-format-commit.sh
diff --cc crypto/openssl/util/perl/TLSProxy/NextProto.pm
index 000000000000,0e1834754667..0e1834754667
mode 000000,100644..100644
--- a/crypto/openssl/util/perl/TLSProxy/NextProto.pm
+++ b/crypto/openssl/util/perl/TLSProxy/NextProto.pm