deps: upgrade openssl sources to quictls/openssl-3.0.12+quic1

PR-URL: #50411 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
nodejs · Nov 15, 2023 · 3308189 · 3308189
1 parent 4e34f9a
commit 3308189
Show file tree

Hide file tree

Showing 207 changed files with 1,972 additions and 797 deletions.
diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md
@@ -28,12 +28,44 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
-### Changes between 3.0.10 and 3.0.10+quic [1 Aug 2023]
+### Changes between 3.0.12 and 3.0.12+quic [24 Oct 2023]
 
 * Add QUIC API support from BoringSSL
 
    *Todd Short*
 
+### Changes between 3.0.11 and 3.0.12 [24 Oct 2023]
+
+ * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
+   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
+   that alter the key or IV length ([CVE-2023-5363]).
+
+   *Paul Dale*
+
+### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
+
+ * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+
+   The POLY1305 MAC (message authentication code) implementation in OpenSSL
+   does not save the contents of non-volatile XMM registers on Windows 64
+   platform when calculating the MAC of data larger than 64 bytes. Before
+   returning to the caller all the XMM registers are set to zero rather than
+   restoring their previous content. The vulnerable code is used only on newer
+   x86_64 processors supporting the AVX512-IFMA instructions.
+
+   The consequences of this kind of internal application state corruption can
+   be various - from no consequences, if the calling application does not
+   depend on the contents of non-volatile XMM registers at all, to the worst
+   consequences, where the attacker could get complete control of the
+   application process. However given the contents of the registers are just
+   zeroized so the attacker cannot put arbitrary values inside, the most likely
+   consequence, if any, would be an incorrect result of some application
+   dependent calculations or a crash leading to a denial of service.
+
+   ([CVE-2023-4807])
+
+   *Bernd Edlinger*
+
 ### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
 
  * Fix excessive time spent checking DH q parameter value.
@@ -19714,6 +19746,8 @@ ndif
 
 <!-- Links -->
 
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
+[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975

diff --git a/deps/openssl/openssl/Configurations/10-main.conf b/deps/openssl/openssl/Configurations/10-main.conf
@@ -9,19 +9,22 @@ sub vc_win64a_info {
             $vc_win64a_info = { AS        => "nasm",
                                 ASFLAGS   => "-g",
                                 asflags   => "-Ox -f win64 -DNEAR",
-                                asoutflag => "-o " };
+                                asoutflag => "-o ",
+                                perlasm_scheme => "nasm" };
         } elsif ($disabled{asm}) {
             # assembler is still used to compile uplink shim
             $vc_win64a_info = { AS        => "ml64",
                                 ASFLAGS   => "/nologo /Zi",
                                 asflags   => "/c /Cp /Cx",
-                                asoutflag => "/Fo" };
+                                asoutflag => "/Fo",
+                                perlasm_scheme => "masm" };
         } else {
             $die->("NASM not found - make sure it's installed and available on %PATH%\n");
             $vc_win64a_info = { AS        => "{unknown}",
                                 ASFLAGS   => "",
                                 asflags   => "",
-                                asoutflag => "" };
+                                asoutflag => "",
+                                perlasm_scheme => "auto" };
         }
     }
     return $vc_win64a_info;
@@ -1416,7 +1419,7 @@ my %targets = (
         sys_id           => "WIN64A",
         uplink_arch      => 'x86_64',
         asm_arch         => 'x86_64',
-        perlasm_scheme   => "auto",
+        perlasm_scheme   => sub { vc_win64a_info()->{perlasm_scheme} },
         multilib         => "-x64",
     },
     "VC-WIN32" => {

diff --git a/deps/openssl/openssl/Configurations/README.md b/deps/openssl/openssl/Configurations/README.md
@@ -233,8 +233,14 @@ In each table entry, the following keys are significant:
                                                 is ILP32;
                            RC4_CHAR             RC4 key schedule is made
                                                 up of 'unsigned char's;
+                                                Note: should not be used
+                                                for new configuration
+                                                targets
                            RC4_INT              RC4 key schedule is made
                                                 up of 'unsigned int's;
+                                                Note: should not be used
+                                                for new configuration
+                                                targets
 
 [1] as part of the target configuration, one can have a key called
   `inherit_from` that indicates what other configurations to inherit