deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1

PR-URL: #51614
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>

deps/openssl/openssl/CHANGES.md

@@ -28,12 +28,96 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
-### Changes between 3.0.12 and 3.0.12+quic [24 Oct 2023]
+### Changes between 3.0.13 and 3.0.13+quic [30 Jan 2024]
 
 * Add QUIC API support from BoringSSL
 
    *Todd Short*
 
+### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
+
+ * A file in PKCS12 format can contain certificates and keys and may come from
+   an untrusted source. The PKCS12 specification allows certain fields to be
+   NULL, but OpenSSL did not correctly check for this case. A fix has been
+   applied to prevent a NULL pointer dereference that results in OpenSSL
+   crashing. If an application processes PKCS12 files from an untrusted source
+   using the OpenSSL APIs then that application will be vulnerable to this
+   issue prior to this fix.
+
+   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
+   PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
+   and PKCS12_newpass().
+
+   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
+   function is related to writing data we do not consider it security
+   significant.
+
+   ([CVE-2024-0727])
+
+   *Matt Caswell*
+
+ * When function EVP_PKEY_public_check() is called on RSA public keys,
+   a computation is done to confirm that the RSA modulus, n, is composite.
+   For valid RSA keys, n is a product of two or more large primes and this
+   computation completes quickly. However, if n is an overly large prime,
+   then this computation would take a long time.
+
+   An application that calls EVP_PKEY_public_check() and supplies an RSA key
+   obtained from an untrusted source could be vulnerable to a Denial of Service
+   attack.
+
+   The function EVP_PKEY_public_check() is not called from other OpenSSL
+   functions however it is called from the OpenSSL pkey command line
+   application. For that reason that application is also vulnerable if used
+   with the "-pubin" and "-check" options on untrusted data.
+
+   To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
+   now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
+
+   ([CVE-2023-6237])
+
+   *Tomáš Mráz*
+
+ * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
+   have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
+   rather than SM2.
+
+   *Richard Levitte*
+
+ * The POLY1305 MAC (message authentication code) implementation in OpenSSL
+   for PowerPC CPUs saves the contents of vector registers in different
+   order than they are restored. Thus the contents of some of these vector
+   registers is corrupted when returning to the caller. The vulnerable code is
+   used only on newer PowerPC processors supporting the PowerISA 2.07
+   instructions.
+
+   The consequences of this kind of internal application state corruption can
+   be various - from no consequences, if the calling application does not
+   depend on the contents of non-volatile XMM registers at all, to the worst
+   consequences, where the attacker could get complete control of the
+   application process. However unless the compiler uses the vector registers
+   for storing pointers, the most likely consequence, if any, would be an
+   incorrect result of some application dependent calculations or a crash
+   leading to a denial of service.
+
+   ([CVE-2023-6129])
+
+   *Rohan McLure*
+
+ * Fix excessive time spent in DH check / generation with large Q parameter
+   value.
+
+   Applications that use the functions DH_generate_key() to generate an
+   X9.42 DH key may experience long delays. Likewise, applications that use
+   DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
+   to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
+   Where the key or parameters that are being checked have been obtained from
+   an untrusted source this may lead to a Denial of Service.
+
+   ([CVE-2023-5678])
+
+   *Richard Levitte*
+
 ### Changes between 3.0.11 and 3.0.12 [24 Oct 2023]
 
  * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
@@ -19746,6 +19830,10 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
+[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817

deps/openssl/openssl/CONTRIBUTING.md

@@ -9,31 +9,45 @@ Development is done on GitHub in the [openssl/openssl] repository.
 
   [openssl/openssl]: <https://github.com/openssl/openssl>
 
-To request new features or report bugs, please open an issue on GitHub
+To request new a feature, ask a question, or report a bug,
+please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
 
-To submit a patch, please open a pull request on GitHub.  If you are thinking
-of making a large contribution, open an issue for it before starting work,
-to get comments from the community.  Someone may be already working on
-the same thing or there may be reasons why that feature isn't implemented.
+To submit a patch or implement a new feature, please open a
+[pull request on GitHub](https://github.com/openssl/openssl/pulls).
+If you are thinking of making a large contribution,
+open an issue for it before starting work, to get comments from the community.
+Someone may be already working on the same thing,
+or there may be special reasons why a feature is not implemented.
 
 To make it easier to review and accept your pull request, please follow these
 guidelines:
 
  1. Anything other than a trivial contribution requires a [Contributor
     License Agreement] (CLA), giving us permission to use your code.
-    If your contribution is too small to require a CLA (e.g. fixing a spelling
-    mistake), place the text "`CLA: trivial`" on a line by itself separated by
-    an empty line from the rest of the commit message. It is not sufficient to
-    only place the text in the GitHub pull request description.
+    If your contribution is too small to require a CLA (e.g., fixing a spelling
+    mistake), then place the text "`CLA: trivial`" on a line by itself below
+    the rest of your commit message separated by an empty line, like this:
+
+    ```
+        One-line summary of trivial change
+
+        Optional main body of commit message. It might contain a sentence
+        or two explaining the trivial change.
+
+        CLA: trivial
+    ```
+
+    It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
+    pull request description.
 
     [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
 
     To amend a missing "`CLA: trivial`" line after submission, do the following:
 
     ```
         git commit --amend
-        [add the line, save and quit the editor]
-        git push -f
+        # add the line, save and quit the editor
+        git push -f [<repository> [<branch>]]
     ```
 
  2. All source files should start with the following text (with
@@ -53,22 +67,24 @@ guidelines:
     often. We do not accept merge commits, you will have to remove them
     (usually by rebasing) before it will be acceptable.
 
- 4. Patches should follow our [coding style] and compile without warnings.
-    Where `gcc` or `clang` is available you should use the
+ 4. Code provided should follow our [coding style] and compile without warnings.
+    There is a [Perl tool](util/check-format.pl) that helps
+    finding code formatting mistakes and other coding style nits.
+    Where `gcc` or `clang` is available, you should use the
     `--strict-warnings` `Configure` option.  OpenSSL compiles on many varied
-    platforms: try to ensure you only use portable features.  Clean builds via
-    GitHub Actions and AppVeyor are required, and they are started automatically
-    whenever a PR is created or updated.
+    platforms: try to ensure you only use portable features.
+    Clean builds via GitHub Actions are required. They are started automatically
+    whenever a PR is created or updated by committers.
 
     [coding style]: https://www.openssl.org/policies/technical/coding-style.html
 
- 5. When at all possible, patches should include tests. These can
+ 5. When at all possible, code contributions should include tests. These can
     either be added to an existing test, or completely new.  Please see
     [test/README.md](test/README.md) for information on the test framework.
 
  6. New features or changed functionality must include
-    documentation. Please look at the "pod" files in doc/man[1357] for
-    examples of our style. Run "make doc-nits" to make sure that your
+    documentation. Please look at the `.pod` files in `doc/man[1357]` for
+    examples of our style. Run `make doc-nits` to make sure that your
     documentation changes are clean.
 
  7. For user visible changes (API changes, behaviour changes, ...),
@@ -78,7 +94,7 @@ guidelines:
     Have a look through existing entries for inspiration.
     Please note that this is NOT simply a copy of git-log one-liners.
     Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
-    This file helps users get more in depth information of what comes
+    This file helps users get more in-depth information of what comes
     with a specific release without having to sift through the higher
     noise ratio in git-log.
 

deps/openssl/openssl/Configurations/10-main.conf

@@ -1941,5 +1941,15 @@ my %targets = (
         inherit_from     => [ "vms-generic" ],
         bn_ops           => "SIXTY_FOUR_BIT",
         pointer_size     => "",
+    },
+    "vms-x86_64-p32" => {
+        inherit_from     => [ "vms-x86_64" ],
+        cflags           => add("/POINTER_SIZE=32"),
+        pointer_size     => "32",
+    },
+    "vms-x86_64-p64" => {
+        inherit_from     => [ "vms-x86_64" ],
+        cflags           => add("/POINTER_SIZE=64=ARGV"),
+        pointer_size     => "64",
     }
 );

deps/openssl/openssl/Configurations/descrip.mms.tmpl

@@ -478,7 +478,8 @@ build_all_generated : $(GENERATED_MANDATORY) $(GENERATED) build_docs
 all : build_sw build_docs
 
 test : tests
-{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep run_tests
+{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep
+	$(MMS) $(MMSQUALIFIERS) run_tests
 run_tests :
         @ ! {- output_off() if $disabled{tests}; "" -}
         DEFINE SRCTOP "$(SRCDIR)"
@@ -710,13 +711,15 @@ vmsconfig.pm : configdata.pm
         WRITE CONFIG "  shlib_version => '","{- $config{shlib_version} -}","',"
         WRITE CONFIG "  shlib_major => '","{- $config{shlib_major} -}","',"
         WRITE CONFIG "  shlib_minor => '","{- $config{shlib_minor} -}","',"
-        WRITE CONFIG "  no_shared => '","{- $disabled{shared} -}","',"
         WRITE CONFIG "  INSTALLTOP => '$(INSTALLTOP)',"
         WRITE CONFIG "  OPENSSLDIR => '$(OPENSSLDIR)',"
+        WRITE CONFIG ");"
+        WRITE CONFIG "our %target = ("
         WRITE CONFIG "  pointer_size => '","{- $target{pointer_size} -}","',"
         WRITE CONFIG ");"
-        WRITE CONFIG "our %target = ();"
-        WRITE CONFIG "our %disabled = ();"
+        WRITE CONFIG "our %disabled = ("
+        WRITE CONFIG "  shared => '","{- $disabled{shared} -}","',"
+        WRITE CONFIG ");"
         WRITE CONFIG "our %withargs = ();"
         WRITE CONFIG "our %unified_info = ();"
         WRITE CONFIG "1;"

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

@@ -526,8 +526,9 @@ build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) build_docs
 all: build_sw build_docs
 
 test: tests
-{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils run_tests
-run_tests:
+{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
+	$(MAKE) run_tests
+run_tests: FORCE
 	@ : {- output_off() if $disabled{tests}; "" -}
 	( SRCTOP=$(SRCDIR) \
 	  BLDTOP=$(BLDDIR) \

deps/openssl/openssl/Configurations/windows-makefile.tmpl

@@ -294,7 +294,7 @@ RCOUTFLAG={- $target{rcoutflag} -}$(OSSL_EMPTY)
 
 CNF_ASFLAGS={- join(' ', $target{asflags} || (),
                          @{$config{asflags}}) -}
-CNF_CPPFLAGS={- our $cppfags2 =
+CNF_CPPFLAGS={- our $cppflags2 =
                     join(' ', $target{cppflags} || (),
                               (map { '-D'.quotify1($_) } @{$target{defines}},
                                                          @{$config{defines}}),
@@ -440,6 +440,8 @@ all: build_sw build_docs
 
 test: tests
 {- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep copy-utils
+	$(MAKE) /$(MAKEFLAGS) run_tests
+run_tests:
 	@{- output_off() if $disabled{tests}; "\@rem" -}
 	cmd /C "set "SRCTOP=$(SRCDIR)" & set "BLDTOP=$(BLDDIR)" & set "PERL=$(PERL)" & set "FIPSKEY=$(FIPSKEY)" & "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS)"
 	@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}