Subject: CVS commit: pkgsrc/security/libretls
From: Amitai Schleier
Date: 2022-11-02 19:57:37
Message id: 20221102185737.B613AFA90@cvs.NetBSD.org

Log Message:
Update to 3.5.2. From the changelog:

- tls_signer: Replace ECDSA_METHOD with EC_KEY_METHOD
- doc: Note OpenSSL 3.0.0 compatibility in README

From the upstream LibreSSL changelog for 3.5.0:

* New Features
   - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
     regression tests were added and the code was cleaned up.
   - Certificate Transparency was ported from OpenSSL. Many internal
     improvements were made, resulting in cleaner and safer code.
     Regress coverage was added. libssl does not yet make use of it.
* Portable Improvements
   - Fixed various POSIX compliance and other portability issues
     found by the port to the Sortix operating system.
   - Add libmd as a platform-specific library for Solaris.
     Issue reported by (ihsan <at> opencsw org) on the libressl ML.
   - Set IA-64 compiler flag only if it is HP-UX with IA-64.
     Suggested by Larkin Nickle (me <at> larbob org) on the libressl ML.
   - Enabled and scheduled Coverity scan.
     Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on GitHub.
* Compatibility Changes
   - Most structs that were previously defined in the following headers
     are now opaque as they are in OpenSSL 1.1:
     bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
     x509.h, x509v3.h, x509_vfy.h
   - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_.
     OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
     of using something consistent with the previous naming. Various
     test suites expect these names (instead of checking for the much
     more sensible cipher numbers). The old names are still accepted
     as aliases.
   - Subject alternative names and name constraints are now validated
     when they are added to certificates. Various interoperability
     problems with stacks that validate certificates more strictly
     than OpenSSL can be avoided this way.
   - Attempt to opportunistically use the host name for SNI in s_client
* Bug fixes
   - In some situations, the verifier would discard the error on an
     unvalidated certificate chain. This would happen when the
     verification callback was in use, instructing the verifier to
     continue unconditionally. This could lead to incorrect decisions
     being made in software.
   - Avoid an infinite loop in SSL_shutdown()
   - Fix another return 0 bug in SSL_shutdown()
   - Handle zero byte reads/writes that trigger handshakes in the
     TLSv1.3 stack
   - A long-standing memory leak in libtls CRL handling was fixed
* Internal Improvements
   - Cache the SHA-512 hash instead of the SHA-1 hash and cache
     notBefore and notAfter times when X.509 certificates are parsed.
   - The X.509 lookup code has been simplified and cleaned up.
   - Fixed numerous issues flagged by Coverity and the cryptofuzz
     project
   - Increased the number of Miller-Rabin checks in DH and DSA
     key/parameter generation
   - Started using the bytestring API in libcrypto for cleaner and
     safer code
   - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
     ASN1
   - Convert ASN1_OBJECT_new() to calloc()
   - Convert ASN1_STRING_type_new() to calloc()
   - Rewrite ASN1_STRING_cmp()
   - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
   - Convert ASN1_PCTX_new() to calloc()
   - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
     function
   - Consolidate {d2i,i2d}_{pr,pu}.c
   - Remove handling of a NULL BUF_MEM from asn1_collect()
   - Pull the recursion depth check up to the top of asn1_collect()
   - Inline collect_data() in asn1_collect()
   - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
   - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
   - Consolidate ASN.1 universal tag type data
   - Rewrite ASN.1 identifier/length parsing in CBS
   - Make OBJ_obj2nid() work correctly with NID_undef
   - tlsext_tick_lifetime_hint is now a uint32_t
   - Untangle ssl3_get_message() return values
   - Rename tls13_buffer to tls_buffer
   - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
   - Provide a way to determine our maximum legacy version
   - Mop up enc_read_ctx and read_hash
   - Fold SSL_SESSION_INTERNAL into SSL_SESSION
   - Use ssl_force_want_read in the DTLS code
   - Add record processing limit to DTLS code
   - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
   - Improve SNI hostname validation
   - Ensure SSL_set_tlsext_host_name() is given a valid hostname
   - Fix a strange check in the auto DH codepath
   - Factor out/rewrite DHE key exchange
   - Convert server serialisation of DHE parameters/public key to new
     functions
   - Check DH public key in ssl_kex_peer_public_dhe()
   - Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
   - Clean up and refactor server side DHE key exchange
   - Provide CBS_get_last_u8()
   - Provide CBS_get_u64()
   - Provide CBS_add_u64()
   - Provide various CBS_peek_* functions
   - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
   - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
   - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
   - Only allow zero length key shares when we know we're doing HRR
   - Pull key share group/length CBB code up from
     tls13_key_share_public()
   - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
     validation
   - Return 0 on failure from send/get kex functions in the legacy
     stack
   - Rename tls13_key_share to tls_key_share
   - Allocate and free the EVP_AEAD_CTX struct in
     tls13_record_protection
   - Convert legacy TLS client to tls_key_share
   - Convert legacy TLS server to tls_key_share
   - Stop attempting to duplicate the public and private key of dh_tmp
   - Rename dh_tmp to dhe_params
   - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
   - Clean up pkey handling in ssl3_get_server_key_exchange()
   - Fix GOST skip certificate verify handling
   - Simplify tlsext_keyshare_server_parse()
   - Plumb decode errors through key share parsing code
   - Simplify SSL_get_peer_certificate()
   - Cleanup/simplify ssl_cert_type()
   - The S3I macro was removed
   - The openssl(1) cms and smime subcommands option handling was
     converted and the C source was cleaned up.
* Documentation improvements
   - 45 new manual pages, most of which were written from scratch.
     Documentation coverage of ASN.1 and X.509 code has been
     significantly improved.

Upstream 3.5.1 changelog:

* A malicious certificate can cause an infinite loop.
  Reported by and fix from Tavis Ormandy and David Benjamin, Google.

Upstream 3.5.2 changelog:

This is the first stable release for the 3.5.x branch, as shipped with
OpenBSD 7.1.

Files:
Revision  Action  File
1.7       modify  pkgsrc/security/libretls/Makefile
1.9       modify  pkgsrc/security/libretls/distinfo