deps: upgrade openssl sources to openssl-3.5.6

PR-URL: #62629
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>

Author: nodejs-github-bot

deps/openssl/openssl/CHANGES.md

@@ -27,6 +27,18 @@ communication before submitting many pull requests. In addition,
 contributors should personally evaluate potential patches generated by
 automated tools.
 
+Provide a clear description of the issue or feature being addressed,
+including any relevant implementation details and, for performance
+improvements, benchmark results.
+
+Pull requests and commits should be self-contained, enabling readers to
+understand what changed and why without needing to reference related
+issues or having prior knowledge.  Commit messages should include all
+relevant details to help future contributors follow the git history,
+with clear explanations of what is changing and why.  Long descriptions
+are encouraged if they aid understanding.  Commit message titles (their
+first line) should be kept to 50-70 characters if possible.
+
 To make it easier to review and accept your pull request, please follow these
 guidelines:
 

deps/openssl/openssl/CONTRIBUTING.md

@@ -5,7 +5,8 @@
 my $vc_win64a_info = {};
 sub vc_win64a_info {
     unless (%$vc_win64a_info) {
-        if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) {
+        # Minimum NASM version is 2.09 otherwise SHA3 might be miscompiled
+        if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+)\.([0-9]+)/ && ($1 > 2 || ($1 == 2 && $2 >= 9))) {
             $vc_win64a_info = { AS        => "nasm",
                                 ASFLAGS   => "-g",
                                 asflags   => "-Ox -f win64 -DNEAR",

deps/openssl/openssl/Configurations/10-main.conf

@@ -72,6 +72,7 @@ OPTIONS={- $config{options} -}
 CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
 SRCDIR={- $config{sourcedir} -}
 BLDDIR={- $config{builddir} -}
+RESULT_D=$(BLDDIR)/test-runs
 FIPSKEY={- $config{FIPSKEY} -}
 
 VERSION={- "$config{full_version}" -}
@@ -642,7 +643,7 @@ clean: libclean ## Clean the workspace, keep the configuration
 	-find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \;
 	$(RM) core
 	$(RM) tags TAGS doc-nits md-nits
-	$(RM) -r test/test-runs
+	$(RM) -r $(RESULT_D)
 	$(RM) providers/fips*.new
 	-find . -type l \! -name '.*' -exec $(RM) {} \;
 

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

@@ -38,6 +38,7 @@
 PLATFORM={- $config{target} -}
 SRCDIR={- $config{sourcedir} -}
 BLDDIR={- $config{builddir} -}
+RESULT_D=$(BLDDIR)\test-runs
 FIPSKEY={- $config{FIPSKEY} -}
 
 VERSION={- "$config{full_version}" -}
@@ -222,7 +223,7 @@ OPENSSLDIR_dir={- canonpath($openssldir_dir) -}
 LIBDIR={- our $libdir = $config{libdir} || "lib";
           file_name_is_absolute($libdir) ? "" : $libdir -}
 MODULESDIR_dev={- use File::Spec::Functions qw(:DEFAULT splitpath catpath);
-                  our $modulesprefix = catdir($prefix,$libdir);
+                  our $modulesprefix = file_name_is_absolute($libdir) ? $libdir : catdir($prefix,$libdir);
                   our ($modulesprefix_dev, $modulesprefix_dir,
                        $modulesprefix_file) =
                       splitpath($modulesprefix, 1);
@@ -484,7 +485,7 @@ clean: libclean
 	-del /Q /S /F engines\*.lib engines\*.exp
 	-del /Q /S /F apps\*.lib apps\*.rc apps\*.res apps\*.exp
 	-del /Q /S /F test\*.exp
-	-rd /Q /S test\test-runs
+	-@if exist "$(RESULT_D)" rd /Q /S "$(RESULT_D)"
 
 distclean: clean
 	-del /Q /F include\openssl\configuration.h

deps/openssl/openssl/Configurations/windows-makefile.tmpl

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=5
-PATCH=5
+PATCH=6
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="27 Jan 2026"
+RELEASE_DATE="7 Apr 2026"
 SHLIB_VERSION=3

deps/openssl/openssl/NEWS.md

@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -1421,7 +1421,10 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
         out_vpm = X509_STORE_get0_param(out_trusted);
         X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);
 
-        (void)OSSL_CMP_CTX_set_certConf_cb_arg(ctx, out_trusted);
+        if (!OSSL_CMP_CTX_set_certConf_cb_arg(ctx, out_trusted)) {
+            X509_STORE_free(out_trusted);
+            return 0;
+        }
     }
 
     if (opt_disable_confirm)
@@ -3390,6 +3393,12 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
             int paramtype;
             const void *param;
 
+            /* NULL check to prevent dereferencing a NULL pointer when print_keyspec is called */
+            if (alg == NULL) {
+                BIO_puts(mem, "Key algorithm: <absent>\n");
+                break;
+            }
+
             X509_ALGOR_get0(&oid, &paramtype, &param, alg);
             BIO_printf(mem, "Key algorithm: ");
             i2a_ASN1_OBJECT(mem, oid);
@@ -3789,8 +3798,7 @@ int cmp_main(int argc, char **argv)
     if (opt_ignore_keyusage)
         (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1);
     if (opt_no_cache_extracerts)
-        (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS,
-            1);
+        (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, 1);
 
     if (opt_reqout_only == NULL && (opt_use_mock_srv
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
@@ -3806,7 +3814,7 @@ int cmp_main(int argc, char **argv)
 
         srv_cmp_ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx);
         if (!OSSL_CMP_CTX_set_log_cb(srv_cmp_ctx, print_to_bio_err)) {
-            CMP_err1("cannot set up error reporting and logging for %s", prog);
+            CMP_err1("cannot set up server-side error reporting and logging for %s", prog);
             goto err;
         }
         OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);

deps/openssl/openssl/VERSION.dat

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2026 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -19,6 +19,8 @@
 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
     const char *propq);
 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
+OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx,
+    const OSSL_CMP_MSG *req);
 
 int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
@@ -34,6 +36,7 @@ int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
     int fail_info, const char *text);
 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
+int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
 

deps/openssl/openssl/apps/cmp.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2026 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -47,6 +47,7 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name)
         app_providers = sk_OSSL_PROVIDER_new_null();
     if (app_providers == NULL
         || !sk_OSSL_PROVIDER_push(app_providers, prov)) {
+        OSSL_PROVIDER_unload(prov);
         app_providers_cleanup();
         return 0;
     }