chore: bump node to v20.11.1 (main) (#41353)

* chore: bump node in DEPS to v20.11.1

* chore: update patches

* crypto: disable PKCS#1 padding for privateDecrypt

https://github.com/nodejs-private/node-private/pull/525

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <[email protected]>

DEPS

@@ -4,7 +4,7 @@ vars = {
   'chromium_version':
     '123.0.6296.0',
   'node_version':
-    'v20.11.0',
+    'v20.11.1',
   'nan_version':
     'e14bdcd1f72d62bca1d541b66da43130384ec213',
   'squirrel.mac_version':

patches/node/chore_allow_the_node_entrypoint_to_be_a_builtin_module.patch

@@ -26,10 +26,10 @@ index 1f3b719048f2477de183e2856b9b8eee8502f708..21116088c101f4679b5a5f41762ce710
          try {
            resolvedArgv = Module._resolveFilename(process.argv[1], null, false);
 diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
-index 9142fed75e9050fcc17c01208e82f1bc57923fcd..157a85623c7eb5338baa77aba5dc448a4614ded0 100644
+index cffffc28d3d703aab4beca6a150549f370281615..eb66f0e37b517a03be20e0829863e7572042c7ed 100644
 --- a/lib/internal/process/pre_execution.js
 +++ b/lib/internal/process/pre_execution.js
-@@ -232,12 +232,14 @@ function patchProcessObject(expandArgv1) {
+@@ -233,12 +233,14 @@ function patchProcessObject(expandArgv1) {
    if (expandArgv1 && process.argv[1] &&
        !StringPrototypeStartsWith(process.argv[1], '-')) {
      // Expand process.argv[1] into a full path.

patches/node/fix_crypto_tests_to_run_with_bssl.patch

@@ -549,7 +549,7 @@ index 1785f5eef3d202976666081d09850ed744d83446..e88227a215ba4f7fa196f7642ae694a5
    });
  
 diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js
-index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149ba4abc8c 100644
+index 438037acc867c2bd6e34ffdcd1e706f8d0ff6a57..65611c79d0e93bf7f91948b2a0105cdc3192b2f2 100644
 --- a/test/parallel/test-crypto-rsa-dsa.js
 +++ b/test/parallel/test-crypto-rsa-dsa.js
 @@ -28,12 +28,11 @@ const dsaPkcs8KeyPem = fixtures.readKey('dsa_private_pkcs8.pem');
@@ -570,7 +570,18 @@ index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149
  };
  
  const decryptError = common.hasOpenSSL3 ?
-@@ -397,7 +396,7 @@ assert.throws(() => {
+@@ -221,8 +220,8 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) {
+     oaepHash: encryptOaepHash
+   }, bufferToEncrypt);
+ 
+-
+-  if (padding === constants.RSA_PKCS1_PADDING) {
++  // BoringSSL does not support RSA_PKCS1_PADDING.
++  if (false) {
+     assert.throws(() => {
+       crypto.privateDecrypt({
+         key: rsaKeyPem,
+@@ -415,7 +414,7 @@ assert.throws(() => {
    assert.strictEqual(verify2.verify(publicKey, signature, 'hex'), true);
  }
  
@@ -579,7 +590,7 @@ index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149
  //
  // Test DSA signing and verification
  //
-@@ -472,3 +471,4 @@ const input = 'I AM THE WALRUS';
+@@ -490,3 +489,4 @@ const input = 'I AM THE WALRUS';
  
    assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true);
  }

patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch

@@ -17,10 +17,10 @@ Upstreams:
 - https://github.com/nodejs/node/pull/39136
 
 diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
-index 2e6e02d229b67bc97e0d15a2704e091d5289df9c..6fd0416820998bd0ba4c4cd4fe3093f144610f18 100644
+index 99a16a667baa20138715b0901e3255e41f5f1052..a7f210031085a348f752e7e7e963d2f040bc2000 100644
 --- a/src/crypto/crypto_cipher.cc
 +++ b/src/crypto/crypto_cipher.cc
-@@ -27,7 +27,8 @@ using v8::Value;
+@@ -28,7 +28,8 @@ using v8::Value;
  namespace crypto {
  namespace {
  bool IsSupportedAuthenticatedMode(const EVP_CIPHER* cipher) {
@@ -30,6 +30,23 @@ index 2e6e02d229b67bc97e0d15a2704e091d5289df9c..6fd0416820998bd0ba4c4cd4fe3093f1
    case EVP_CIPH_CCM_MODE:
    case EVP_CIPH_GCM_MODE:
  #ifndef OPENSSL_NO_OCB
+@@ -1062,7 +1063,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
+     if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) {
+       return ThrowCryptoError(env, ERR_get_error());
+     }
+-
++#ifndef OPENSSL_IS_BORINGSSL
+     int rsa_pkcs1_implicit_rejection =
+         EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1");
+     // From the doc -2 means that the option is not supported.
+@@ -1078,6 +1079,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
+           "RSA_PKCS1_PADDING is no longer supported for private decryption,"
+           " this can be reverted with --security-revert=CVE-2023-46809");
+     }
++#endif
+   }
+ 
+   const EVP_MD* digest = nullptr;
 diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
 index c6120a655ec853aef11c66ed37d7ca0ffb957dd3..a52ca15cb0ab592d4196d4bd0f1133240967d70c 100644
 --- a/src/crypto/crypto_common.cc

patches/node/src_preload_function_for_environment.patch

@@ -20,10 +20,10 @@ running the main script, for example:
    extensions.
 
 diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
-index 157a85623c7eb5338baa77aba5dc448a4614ded0..701f91f1c9603c1da03e0fe6d20c8627c8d644fb 100644
+index eb66f0e37b517a03be20e0829863e7572042c7ed..4d5646b6067a1409df5915cc744bdc38d0191bd9 100644
 --- a/lib/internal/process/pre_execution.js
 +++ b/lib/internal/process/pre_execution.js
-@@ -185,6 +185,9 @@ function setupUserModules(forceDefaultLoader = false) {
+@@ -186,6 +186,9 @@ function setupUserModules(forceDefaultLoader = false) {
    initializeESMLoader(forceDefaultLoader);
    const CJSLoader = require('internal/modules/cjs/loader');
    assert(!CJSLoader.hasLoadedAnyUserCJSModule);
@@ -33,7 +33,7 @@ index 157a85623c7eb5338baa77aba5dc448a4614ded0..701f91f1c9603c1da03e0fe6d20c8627
    // Do not enable preload modules if custom loaders are disabled.
    // For example, loader workers are responsible for doing this themselves.
    // And preload modules are not supported in ShadowRealm as well.
-@@ -742,6 +745,10 @@ function initializeFrozenIntrinsics() {
+@@ -745,6 +748,10 @@ function initializeFrozenIntrinsics() {
    }
  }
  

script/node-disabled-tests.json

@@ -16,6 +16,8 @@
   "parallel/test-crypto-key-objects",
   "parallel/test-crypto-keygen",
   "parallel/test-crypto-keygen-deprecation",
+  "parallel/test-crypto-rsa-dsa-revert",
+  "parallel/test-crypto-rsa-dsa.js",
   "parallel/test-crypto-padding-aes256",
   "parallel/test-crypto-secure-heap",
   "parallel/test-dgram-send-cb-quelches-error",