deps: upgrade openssl sources to quictls/openssl-3.0.4

This updates all sources in deps/openssl/openssl by:
    $ git clone git@github.com:quictls/openssl.git
    $ cd openssl
    $ git checkout openssl-3.0.4+quic
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../../../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl

deps/openssl/openssl/CHANGES.md

@@ -28,14 +28,47 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
-### Changes between 3.0.3 and 3.0.3+quic [3 May 2022]
+### Changes between 3.0.4 and 3.0.4+quic [21 Jun 2022]
 
  * Add QUIC API support from BoringSSL.
 
    *Todd Short*
 
+### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]
+
+ * In addition to the c_rehash shell command injection identified in
+   CVE-2022-1292, further bugs where the c_rehash script does not
+   properly sanitise shell metacharacters to prevent command injection have been
+   fixed.
+
+   When the CVE-2022-1292 was fixed it was not discovered that there
+   are other places in the script where the file names of certificates
+   being hashed were possibly passed to a command executed through the shell.
+
+   This script is distributed by some operating systems in a manner where
+   it is automatically executed.  On such operating systems, an attacker
+   could execute arbitrary commands with the privileges of the script.
+
+   Use of the c_rehash script is considered obsolete and should be replaced
+   by the OpenSSL rehash command line tool.
+   (CVE-2022-2068)
+
+   *Daniel Fiala, Tomáš Mráz*
+
+ * Case insensitive string comparison no longer uses locales.  It has instead
+   been directly implemented.
+
+   *Paul Dale*
+
 ### Changes between 3.0.2 and 3.0.3 [3 May 2022]
 
+ * Case insensitive string comparison is reimplemented via new locale-agnostic
+   comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
+   comparison. The previous implementation had problems when the Turkish locale
+   was used.
+
+   *Dmitry Belyavskiy*
+
  * Fixed a bug in the c_rehash script which was not properly sanitising shell
    metacharacters to prevent command injection.  This script is distributed by
    some operating systems in a manner where it is automatically executed.  On

deps/openssl/openssl/Configurations/10-main.conf

@@ -1062,6 +1062,14 @@ my %targets = (
         perlasm_scheme   => "elf",
     },
 
+    "BSD-aarch64" => {
+        inherit_from     => [ "BSD-generic64" ],
+        lib_cppflags     => add("-DL_ENDIAN"),
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        asm_arch         => 'aarch64',
+        perlasm_scheme   => "linux64",
+    },
+
     # riscv64 below refers to contemporary RISCV Architecture
     # specifications,
     "BSD-riscv64" => {

deps/openssl/openssl/Configurations/descrip.mms.tmpl

@@ -549,6 +549,7 @@ clean : libclean
         - DELETE []vmsconfig.pm;*
 
 distclean : clean
+        - DELETE [.include.openssl]configuration.h;*
         - DELETE configdata.pm;*
         - DELETE descrip.mms;*
 
@@ -981,7 +982,7 @@ EOF
               ? '' : ' --case-insensitive';
           return <<"EOF";
 $target : $gen0 $deps $mkdef
-	\$(PERL) $mkdef$ord_ver --ordinals $gen0 --name $ord_name "--OS" "VMS"$case_insensitive > $target
+	\$(PERL) $mkdef$ord_ver --type $args{intent} --ordinals $gen0 --name $ord_name "--OS" "VMS"$case_insensitive > $target
 EOF
       } elsif (platform->isasm($args{src})) {
           #

deps/openssl/openssl/Configurations/gentemplate.pm

@@ -56,7 +56,8 @@ sub emit {
     my $fh = $self->{output};
 
     die "No name?" unless $name;
-    print $fh "{-\n ", $name, '(', dump_data(\%opts), ');', " \n-}";
+    print $fh "{-\n ", $name, '(', dump_data(\%opts), ');', " \n-}"
+        unless defined $opts{attrs}->{skip};
 }
 
 my $debug_resolvedepends = $ENV{BUILDFILE_DEBUG_DEPENDS};
@@ -200,7 +201,7 @@ sub dogenerate {
     my $self = shift;
     my $src = shift;
     # Safety measure
-    return "" unless defined $self->{info}->{generate}->{$_};
+    return "" unless defined $self->{info}->{generate}->{$src};
     return "" if $cache{$src};
     my $obj = shift;
     my $bin = shift;
@@ -209,6 +210,7 @@ sub dogenerate {
         die "$src is generated by Configure, should not appear in build file\n"
             if ref $self->{info}->{generate}->{$src} eq "";
         my $script = $self->{info}->{generate}->{$src}->[0];
+        my %attrs = %{$self->{info}->{attributes}->{generate}->{$src} // {}};
         $self->emit('generatesrc',
              src => $src,
              product => $bin,
@@ -220,10 +222,15 @@ sub dogenerate {
                        defined $bin ? @{$self->{info}->{includes}->{$bin} // []} : () ],
              defs => [ defined $obj ? @{$self->{info}->{defines}->{$obj} // []} : (),
                        defined $bin ? @{$self->{info}->{defines}->{$bin} // []} : () ],
+             attrs => { %attrs },
              %opts);
         foreach (@{$self->{info}->{depends}->{$src} // []}) {
             $self->dogenerate($_, $obj, $bin, %opts);
         }
+        # The generator itself may be is generated
+        if ($self->{info}->{generate}->{$script}) {
+            $self->dogenerate($script, $obj, $bin, %opts);
+        }
     }
     $cache{$src} = 1;
 }

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

@@ -594,6 +594,7 @@ clean: libclean
 	-find . -type l \! -name '.*' -exec $(RM) {} \;
 
 distclean: clean
+	$(RM) include/openssl/configuration.h
 	$(RM) configdata.pm
 	$(RM) Makefile
 
@@ -1399,6 +1400,7 @@ libcrypto.pc:
 	    fi; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo 'enginesdir=$${libdir}/engines-{- $sover_dirname -}'; \
+	    echo 'modulesdir=$${libdir}/ossl-modules'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
 	    echo 'Description: OpenSSL cryptography library'; \
@@ -1548,7 +1550,7 @@ EOF
           my $ord_name = $args{generator}->[1] || $args{product};
           return <<"EOF";
 $target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl
-	\$(PERL) \$(SRCDIR)/util/mkdef.pl$ord_ver --ordinals $gen0  --name $ord_name --OS $mkdef_os > $target
+	\$(PERL) \$(SRCDIR)/util/mkdef.pl$ord_ver --type $args{intent} --ordinals $gen0  --name $ord_name --OS $mkdef_os > $target
 EOF
       } elsif (platform->isasm($args{src})) {
           #

deps/openssl/openssl/Configurations/windows-makefile.tmpl

@@ -478,6 +478,7 @@ clean: libclean
 	-rd /Q /S test\test-runs
 
 distclean: clean
+	-del /Q /F include\openssl\configuration.h
 	-del /Q /F configdata.pm
 	-del /Q /F makefile
 
@@ -744,7 +745,7 @@ EOF
               $args{generator}->[1] || platform->dsoname($args{product});
           return <<"EOF";
 $target: $gen0 $deps $mkdef
-	"\$(PERL)" $mkdef$ord_ver --ordinals $gen0 --name $ord_name --OS windows > $target
+	"\$(PERL)" "$mkdef"$ord_ver --type $args{intent} --ordinals $gen0 --name $ord_name --OS windows > $target
 EOF
       } elsif (platform->isasm($args{src})) {
           #
@@ -760,7 +761,7 @@ EOF
 
           my $generator;
           if ($gen0 =~ /\.pl$/) {
-              $generator = '"$(PERL)"'.$gen_incs.' '.$gen0.$gen_args
+              $generator = '"$(PERL)"'.$gen_incs.' "'.$gen0.'"'.$gen_args
                   .' "$(PERLASM_SCHEME)"'.$incs.' '.$cppflags.$defs.' $(PROCESSSOR)';
           } elsif ($gen0 =~ /\.S$/) {
               $generator = undef;
@@ -817,15 +818,15 @@ EOF
           $gen0 = platform->bin($gen0);
           return <<"EOF";
 $args{src}: $gen0 $deps "\$(BLDDIR)\\util\\wrap.pl"
-	"\$(PERL)" "\$(BLDDIR)\\util\\wrap.pl" $gen0$gen_args > \$@
+	"\$(PERL)" "\$(BLDDIR)\\util\\wrap.pl" "$gen0"$gen_args > \$@
 EOF
       } else {
           #
           # Generic generator using Perl
           #
           return <<"EOF";
 $args{src}: "$gen0" $deps
-	"\$(PERL)"$gen_incs $gen0$gen_args > \$@
+	"\$(PERL)"$gen_incs "$gen0"$gen_args > \$@
 EOF
       }
   }

deps/openssl/openssl/Configure

@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -17,6 +17,7 @@ use lib "$FindBin::Bin/util/perl";
 use File::Basename;
 use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs splitdir/;
 use File::Path qw/mkpath/;
+use File::Compare qw(compare_text);
 use OpenSSL::fallback "$FindBin::Bin/external/perl/MODULES.txt";
 use OpenSSL::Glob;
 use OpenSSL::Template;
@@ -2214,9 +2215,10 @@ if ($builder eq "unified") {
                                 \$attributes{depends}, $+{ATTRIBS},
                                 tokenize($expand_variables->($+{VALUE})))
                          if !@skip || $skip[$#skip] > 0; },
-            qr/^\s* GENERATE ${index_re} \s* = \s* ${value_re} \s* $/x
+            qr/^\s* GENERATE ${index_re} ${attribs_re} \s* = \s* ${value_re} \s* $/x
             => sub { $push_to->(\%generate, $expand_variables->($+{INDEX}),
-                                undef, undef, $expand_variables->($+{VALUE}))
+                                \$attributes{generate}, $+{ATTRIBS},
+                                $expand_variables->($+{VALUE}))
                          if !@skip || $skip[$#skip] > 0; },
             qr/^\s* (?:\#.*)? $/x => sub { },
             "OTHERWISE" => sub { die "Something wrong with this line:\n$_\nat $sourced/$f" },
@@ -2384,6 +2386,10 @@ EOF
             $check_generate{$ddest}->{$generator[0]}++;
 
             $unified_info{generate}->{$ddest} = [ @generator ];
+            # Fix up associated attributes
+            $unified_info{attributes}->{generate}->{$ddest} =
+                $attributes{generate}->{$dest}->{$gen}
+                if defined $attributes{generate}->{$dest}->{$gen};
         }
 
         foreach (keys %depends) {
@@ -2774,7 +2780,7 @@ EOF
                                   keys %{$unified_info{htmldocs} // {}}),
                                  (map { @{$unified_info{mandocs}->{$_} // []} }
                                   keys %{$unified_info{mandocs} // {}}) ] );
-    foreach my $type (keys %loopinfo) {
+    foreach my $type (sort keys %loopinfo) {
         foreach my $product (@{$loopinfo{$type}}) {
             my %dirs = ();
             my $pd = dirname($product);
@@ -2795,7 +2801,7 @@ EOF
                 push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
                     if $d ne $pd;
             }
-            foreach (keys %dirs) {
+            foreach (sort keys %dirs) {
                 push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
                     $product;
             }
@@ -2830,7 +2836,6 @@ my %template_vars = (
     user_crossable => \@user_crossable,
 );
 my $configdata_outname = 'configdata.pm';
-print "Creating $configdata_outname\n";
 open CONFIGDATA, ">$configdata_outname.new"
     or die "Trying to create $configdata_outname.new: $!";
 my $configdata_tmplname = cleanfile($srcdir, "configdata.pm.in", $blddir);
@@ -2846,19 +2851,60 @@ $configdata_tmpl->fill_in(
               ] }
 ) or die $Text::Template::ERROR;
 close CONFIGDATA;
-rename "$configdata_outname.new", $configdata_outname;
-if ($builder_platform eq 'unix') {
-    my $mode = (0755 & ~umask);
-    chmod $mode, 'configdata.pm'
-        or warn sprintf("WARNING: Couldn't change mode for 'configdata.pm' to 0%03o: %s\n",$mode,$!);
-}
-
-print "Running $configdata_outname\n";
-my $perlcmd = (quotify("maybeshell", $config{PERL}))[0];
-my $cmd = "$perlcmd $configdata_outname";
-#print STDERR "DEBUG[run_dofile]: \$cmd = $cmd\n";
-system($cmd);
-exit 1 if $? != 0;
+
+# When using stat() on Windows, we can get it to perform better by avoid some
+# data.  This doesn't affect the mtime field, so we're not losing anything...
+${^WIN32_SLOPPY_STAT} = 1;
+
+my $update_configdata = 0;
+my $run_configdata = 0;
+if (-f $configdata_outname) {
+    my $Configure_mtime = (stat($0))[9];
+    my $configdata_mtime = (stat($configdata_outname))[9];
+
+    # If this script was updated after the last configdata.pm, or if
+    # configdata.pm.new differs from configdata.pm, we update configdata.pm
+    if ($configdata_mtime < $Configure_mtime
+        || compare_text("$configdata_outname.new", $configdata_outname) != 0) {
+        $update_configdata = 1;
+    } else {
+        # If nothing has changed, let's just drop the new one and pretend
+        # like nothing happened
+        unlink "$configdata_outname.new";
+
+        # We still run configdata.pm if one of the build file (Makefile) or
+        # the configuration header file are missing
+        $run_configdata =
+            !( -f $target{build_file} )
+            || !( -f catfile('include', 'openssl', 'configuration.h') );
+    }
+} else {
+    $update_configdata = 1;
+}
+
+if ($update_configdata) {
+    # If something did change, or there was no previous configdata.pm, we
+    # rename the new one, set permissions as needed, and run it.
+    rename "$configdata_outname.new", $configdata_outname;
+    if ($builder_platform eq 'unix') {
+        my $mode = (0755 & ~umask);
+        chmod $mode, 'configdata.pm'
+            or warn sprintf("WARNING: Couldn't change mode for 'configdata.pm' to 0%03o: %s\n",$mode,$!);
+    }
+    $run_configdata = 1;
+    print "Created $configdata_outname\n";
+}
+
+if ($run_configdata) {
+    print "Running $configdata_outname\n";
+    my $perlcmd = (quotify("maybeshell", $config{PERL}))[0];
+    my $cmd = "$perlcmd $configdata_outname";
+    #print STDERR "DEBUG[run_dofile]: \$cmd = $cmd\n";
+    system($cmd);
+    exit 1 if $? != 0;
+} else {
+    print "No changes in $configdata_outname, no need to run it\n";
+}
 
 $SIG{__DIE__} = $orig_death_handler;
 

deps/openssl/openssl/NEWS.md

@@ -18,6 +18,12 @@ OpenSSL Releases
 OpenSSL 3.0
 -----------
 
+### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022]
+
+  * Fixed additional bugs in the c_rehash script which was not properly
+    sanitising shell metacharacters to prevent command injection
+    ([CVE-2022-2068])
+
 ### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]
 
   * Fixed a bug in the c_rehash script which was not properly sanitising shell
@@ -111,7 +117,8 @@ OpenSSL 3.0
     RC4, RC5 and SEED cipher functions have been deprecated.
   * All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
     have been deprecated.
-  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
+  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0,
+    except when RSA key exchange without SHA1 is used.
   * Added providers, a new pluggability concept that will replace the
     ENGINE API and ENGINE implementations.
 

deps/openssl/openssl/README.md

@@ -4,7 +4,7 @@ What This Is
 This is a fork of [OpenSSL](https://www.openssl.org) to enable QUIC. In addition
 to the website, the official source distribution is at
 <https://github.com/openssl/openssl>. The OpenSSL `README` can be found at
-[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.3%2Bquic/README-OpenSSL.md)
+[README-OpenSSL.md](https://github.com/quictls/openssl/blob/openssl-3.0.4%2Bquic/README-OpenSSL.md)
 
 This fork adds APIs that can be used by QUIC implementations for connection
 handshakes. Quoting the IETF Working group

deps/openssl/openssl/VERSION.dat

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=0
-PATCH=3
+PATCH=4
 PRE_RELEASE_TAG=
 BUILD_METADATA=quic
-RELEASE_DATE="3 May 2022"
+RELEASE_DATE="21 Jun 2022"
 SHLIB_VERSION=81.3