author | Gordon Tetlow <gordon@FreeBSD.org> | 2024-09-04 03:56:17 +0000 |
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2024-09-04 03:56:17 +0000 |
commit | 108164cf95d9594884c2dcccba2691335e6f221b (patch) | |
tree | 4e7056d88b26a82672d06a7aca8052b58615ca2f /util/perl | |
parent | e60dbfd00b009d424dfc5446d132872c93dd0aed (diff) |
openssl: Import OpenSSL 3.0.15.vendor/openssl/3.0.15
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
Diffstat (limited to 'util/perl')
-rw-r--r-- | util/perl/OpenSSL/Test/Utils.pm | 18 | ||||
-rw-r--r-- | util/perl/TLSProxy/Message.pm | 11 | ||||
-rw-r--r-- | util/perl/TLSProxy/NextProto.pm | 54 | ||||
-rw-r--r-- | util/perl/TLSProxy/Proxy.pm | 3 |
4 files changed, 83 insertions, 3 deletions
diff --git a/util/perl/OpenSSL/Test/Utils.pm b/util/perl/OpenSSL/Test/Utils.pm
index dcff6a5c9967..34eafc4659a5 100644
--- a/util/perl/OpenSSL/Test/Utils.pm
+++ b/util/perl/OpenSSL/Test/Utils.pm
@@ -1,4 +1,4 @@
-# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -72,6 +72,8 @@ Returns an item from the %config hash in \$TOP/configdata.pm.
 =item B<have_IPv6>
 Return true if IPv4 / IPv6 is possible to use on the current system.
+Additionally, B<have_IPv6> also checks how OpenSSL was configured,
+i.e. if IPv6 was explicitly disabled with -DOPENSSL_USE_IPv6=0.
 =back
@@ -80,6 +82,7 @@ Return true if IPv4 / IPv6 is possible to use on the current system.
 our %available_protocols;
 our %disabled;
 our %config;
+our %target;
 my $configdata_loaded = 0;
 sub load_configdata {
@@ -91,6 +94,7 @@ sub load_configdata {
 %available_protocols = %configdata::available_protocols;
 %disabled = %configdata::disabled;
 %config = %configdata::config;
+ %target = %configdata::target;
 };
 $configdata_loaded = 1;
 }
@@ -222,6 +226,18 @@ sub have_IPv4 {
 sub have_IPv6 {
 if ($have_IPv6 < 0) {
+ load_configdata() unless $configdata_loaded;
+ # If OpenSSL is configured with IPv6 explicitly disabled, no IPv6
+ # related tests should be performed. In other words, pretend IPv6
+ # isn't present.
+ $have_IPv6 = 0
+ if grep { $_ eq 'OPENSSL_USE_IPV6=0' } @{$config{CPPDEFINES}};
+ # Similarly, if a config target has explicitly disabled IPv6, no
+ # IPv6 related tests should be performed.
+ $have_IPv6 = 0
+ if grep { $_ eq 'OPENSSL_USE_IPV6=0' } @{$target{defines}};
+ }
+ if ($have_IPv6 < 0) {
 $have_IPv6 = check_IP("::1");
 }
 return $have_IPv6;
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index 2c1bdb3837e2..193aa2554f19 100644
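Review bot: The two added `grep` tests in have_IPv6 match the exact literal `'OPENSSL_USE_IPV6=0'`, while the POD added in the earlier hunk of this file spells the option `-DOPENSSL_USE_IPv6=0` with a lower-case v, so a reader following the documentation would write a spelling the code never recognises; the C macro is `OPENSSL_USE_IPV6`, so the POD line is the one to correct. The comparison is also case- and whitespace-sensitive, so a define written as `OPENSSL_USE_IPV6 = 0`, or stored with its `-D` prefix, would not be detected — presumably Configure normalises the `-D` away before filling CPPDEFINES, but that is not visible here. Both dereferences assume the arrays exist in configdata; `@{ $config{CPPDEFINES} // [] }` and `@{ $target{defines} // [] }` would make the fallback explicit for configurations that omit a key. The closing brace of have_IPv6 is outside the hunk.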
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -1,4 +1,4 @@
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -379,6 +379,15 @@ sub create_message
 [@message_frag_lens]
 );
 $message->parse();
+ } elsif ($mt == MT_NEXT_PROTO) {
+ $message = TLSProxy::NextProto->new(
+ $server,
+ $data,
+ [@message_rec_list],
+ $startoffset,
+ [@message_frag_lens]
+ );
+ $message->parse();
 } else {
 #Unknown message type
 $message = TLSProxy::Message->new(
diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
new file mode 100644
index 000000000000..0e1834754667
--- /dev/null
+++ b/util/perl/TLSProxy/NextProto.pm
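Review bot: The new `elsif ($mt == MT_NEXT_PROTO)` branch in create_message calls `$message->parse()` like its siblings, but the TLSProxy::NextProto::parse introduced in this commit is a stub whose body is only a comment, so the object is built from the raw data and nothing is decoded or validated; a one-line comment at the call, `# NextProto parsing is not implemented; parse() is a no-op here`, would stop the next reader from assuming the message fields are populated. The branch also relies on `MT_NEXT_PROTO` being defined among this package's message-type constants, which the hunk does not show. The enclosing create_message body starts and ends outside the hunk.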
@@ -0,0 +1,54 @@
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::NextProto;
+
+use vars '@ISA';
+push @ISA, 'TLSProxy::Message';
+
+sub new
+{
+ my $class = shift;
+ my ($server,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens) = @_;
+
+ my $self = $class->SUPER::new(
+ $server,
+ TLSProxy::Message::MT_NEXT_PROTO,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens);
+
+ return $self;
+}
+
+sub parse
+{
+ # We don't support parsing at the moment
+}
+
+# This is supposed to reconstruct the on-the-wire message data following changes.
+# For now though since we don't support parsing we just create an empty NextProto
+# message - this capability is used in test_npn
+sub set_message_contents
+{
+ my $self = shift;
+ my $data;
+
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00);
+ $self->data($data);
+}
+1;
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 3de10eccb94e..7ad7c939ad52 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -1,4 +1,4 @@
-# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
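Review bot: The 32 literal bytes handed to `pack("C32", ...)` in set_message_contents are not explained beyond the comment that an "empty NextProto message" is created: they appear to be a NextProtocol message with a zero-length selected_protocol (`0x00`), a padding length of `0x1e` (30) and 30 zero padding bytes, which is the 32-byte total the NPN padding rule yields for an empty selection, but none of that structure is stated. A comment above the call, `# Empty NextProtocol message: selected_protocol length 0, padding length 30, then 30 padding bytes (32 total)`, would make the constant checkable, and `pack("C2", 0x00, 0x1e) . ("\0" x 30)` would express the layout instead of a wall of zeros. The file enables only `use strict;` without `use warnings;`, and `use vars '@ISA'; push @ISA, ...` is the obsolete spelling of `our @ISA = ('TLSProxy::Message');`. parse is an empty body that returns an empty list, so callers cannot distinguish a parsed from an unparsed NextProto message; a `# TODO: NPN parsing not implemented` marker there would make the gap searchable.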
@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
 use TLSProxy::CertificateVerify;
 use TLSProxy::ServerKeyExchange;
 use TLSProxy::NewSessionTicket;
+use TLSProxy::NextProto;
 my $have_IPv6;
 my $IP_factory;