deps: upgrade openssl sources to 1.1.1j

This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1j.tar.gz
    $ mv openssl-1.1.1j openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37412
Backport-PR-URL: #37413
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>

deps/openssl/openssl/AUTHORS

@@ -13,6 +13,8 @@ Ben Kaduk
 Bernd Edlinger
 Bodo Möller
 David Benjamin
+David von Oheimb
+Dmitry Belyavskiy (Дмитрий Белявский)
 Emilia Käsper
 Eric Young
 Geoff Thorpe
@@ -22,14 +24,19 @@ Lutz Jänicke
 Mark J. Cox
 Matt Caswell
 Matthias St. Pierre
+Nicola Tuveri
 Nils Larsch
+Patrick Steuer
 Paul Dale
 Paul C. Sutton
+Paul Yang
 Ralf S. Engelschall
 Rich Salz
 Richard Levitte
+Shane Lontis
 Stephen Henson
 Steve Marquess
 Tim Hudson
+Tomáš Mráz
 Ulf Möller
 Viktor Dukhovni

deps/openssl/openssl/CHANGES

@@ -7,6 +7,43 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
+     create a unique hash value based on the issuer and serial number data
+     contained within an X509 certificate. However it was failing to correctly
+     handle any errors that may occur while parsing the issuer field (which might
+     occur if the issuer field is maliciously constructed). This may subsequently
+     result in a NULL pointer deref and a crash leading to a potential denial of
+     service attack.
+     (CVE-2021-23841)
+     [Matt Caswell]
+
+  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+     padding mode to correctly check for rollback attacks. This is considered a
+     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+     CVE-2021-23839.
+     [Matt Caswell]
+
+  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+     functions. Previously they could overflow the output length argument in some
+     cases where the input length is close to the maximum permissable length for
+     an integer on the platform. In such cases the return value from the function
+     call would be 1 (indicating success), but the output length value would be
+     negative. This could cause applications to behave incorrectly or crash.
+     (CVE-2021-23840)
+     [Matt Caswell]
+
+  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
+     implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
+     could be exploited in a side channel attack to recover the password. Since
+     the attack is local host only this is outside of the current OpenSSL
+     threat model and therefore no CVE is assigned.
+
+     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
+     issue.
+     [Matt Caswell]
+
  Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
 
   *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
@@ -52,7 +89,7 @@
      types.  The same applies with the corresponding "min_protocol" and
      "max_protocol" command-line switches, in case some application uses both TLS
      and DTLS.
-
+  
      SSL_CTX instances that are created for a fixed protocol version (e.g.
      TLSv1_server_method()) also silently ignore version bounds.  Previously
      attempts to apply bounds to these protocol versions would result in an

deps/openssl/openssl/CONTRIBUTING

@@ -41,8 +41,8 @@ guidelines:
     https://www.openssl.org/policies/codingstyle.html) and compile
     without warnings. Where gcc or clang is available you should use the
     --strict-warnings Configure option.  OpenSSL compiles on many varied
-    platforms: try to ensure you only use portable features.  Clean builds
-    via Travis and AppVeyor are required, and they are started automatically
+    platforms: try to ensure you only use portable features.  Clean builds via
+    GitHub Actions and AppVeyor are required, and they are started automatically
     whenever a PR is created or updated.
 
     5.  When at all possible, patches should include tests. These can

deps/openssl/openssl/Configurations/10-main.conf

@@ -663,6 +663,7 @@ my %targets = (
     "linux-ppc" => {
         inherit_from     => [ "linux-generic32", asm("ppc32_asm") ],
         perlasm_scheme   => "linux32",
+        lib_cppflags     => add("-DB_ENDIAN"),
     },
     "linux-ppc64" => {
         inherit_from     => [ "linux-generic64", asm("ppc64_asm") ],

deps/openssl/openssl/Configurations/descrip.mms.tmpl

@@ -377,8 +377,13 @@ NODEBUG=@
         $(NODEBUG) !
         $(NODEBUG) ! Installation logical names
         $(NODEBUG) !
-        $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
-        $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+        $(NODEBUG) ! This also creates a few DCL variables that are used for
+        $(NODEBUG) ! the "install_msg" target.
+        $(NODEBUG) !
+        $(NODEBUG) installroot = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
+        $(NODEBUG) installtop = installroot + ".]"
+        $(NODEBUG) dataroot = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
+        $(NODEBUG) datatop = dataroot + ".]"
         $(NODEBUG) DEFINE ossl_installroot 'installtop'
         $(NODEBUG) DEFINE ossl_dataroot 'datatop'
         $(NODEBUG) !
@@ -455,30 +460,19 @@ list-tests :
         @ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options"
         @ ! {- output_on() if !$disabled{tests}; "" -}
 
-install : install_sw install_ssldirs install_docs
+install : install_sw install_ssldirs install_docs install_msg
+        @ !
+
+install_msg :
         @ WRITE SYS$OUTPUT ""
         @ WRITE SYS$OUTPUT "######################################################################"
         @ WRITE SYS$OUTPUT ""
         @ IF "$(DESTDIR)" .EQS. "" THEN -
-             PIPE ( WRITE SYS$OUTPUT "Installation complete" ; -
-                    WRITE SYS$OUTPUT "" ; -
-                    WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
-                    WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
-                    WRITE SYS$OUTPUT "" )
+             @{- sourcefile("VMS", "msg_install.com") -} "$(SYSTARTUP)" "{- $osslver -}"
         @ IF "$(DESTDIR)" .NES. "" THEN -
-             PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; -
-                    WRITE SYS$OUTPUT "" ; -
-                    WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; -
-                    WRITE SYS$OUTPUT staging_instdir ; -
-                    WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; -
-                    WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; -
-                    WRITE SYS$OUTPUT staging_datadir ; -
-                    WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; -
-                    WRITE SYS$OUTPUT "" ; -
-                    WRITE SYS$OUTPUT "When in its final destination," ; -
-                    WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
-                    WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
-                    WRITE SYS$OUTPUT "" )
+             @{- sourcefile("VMS", "msg_staging.com") -} -
+             "''installroot']" "''dataroot']" "$(INSTALLTOP)" "$(OPENSSLDIR)" -
+             "$(SYSTARTUP)" "{- $osslver -}"
 
 check_install :
         spawn/nolog @ossl_installroot:[SYSTEST]openssl_ivp{- $osslver -}.com

deps/openssl/openssl/Configure

@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -1201,6 +1201,10 @@ foreach (keys %useradd) {
 # At this point, we can forget everything about %user and %useradd,
 # because it's now all been merged into the corresponding $config entry
 
+if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
+    disable('static', 'pic', 'threads');
+}
+
 # Allow overriding the build file name
 $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";
 
@@ -1521,10 +1525,6 @@ if ($strict_warnings)
                 }
         }
 
-if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
-    disable('static', 'pic', 'threads');
-}
-
 $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings'
                               ? @strict_warnings_collection
                               : ( $_ ) }
@@ -2611,19 +2611,22 @@ _____
         }
         print "\nEnabled features:\n\n";
         foreach my $what (@disablables) {
-            print "    $what\n" unless $disabled{$what};
+            print "    $what\n"
+                unless grep { $_ =~ /^${what}$/ } keys %disabled;
         }
         print "\nDisabled features:\n\n";
         foreach my $what (@disablables) {
-            if ($disabled{$what}) {
-                print "    $what", ' ' x ($longest - length($what) + 1),
-                    "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1);
-                print $disabled_info{$what}->{macro}
-                    if $disabled_info{$what}->{macro};
+            my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled;
+            my $what3 = $what2[0];
+            if ($what3) {
+                print "    $what3", ' ' x ($longest - length($what3) + 1),
+                    "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1);
+                print $disabled_info{$what3}->{macro}
+                    if $disabled_info{$what3}->{macro};
                 print ' (skip ',
-                    join(', ', @{$disabled_info{$what}->{skipped}}),
+                    join(', ', @{$disabled_info{$what3}->{skipped}}),
                     ')'
-                    if $disabled_info{$what}->{skipped};
+                    if $disabled_info{$what3}->{skipped};
                 print "\n";
             }
         }

deps/openssl/openssl/INSTALL

@@ -106,8 +106,7 @@
  This will build and install OpenSSL in the default location, which is:
 
   Unix:    normal installation directories under /usr/local
-  OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
-           OpenSSL version number with underscores instead of periods.
+  OpenVMS: SYS$COMMON:[OPENSSL]
   Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
 
  The installation directory should be appropriately protected to ensure
@@ -116,7 +115,9 @@
  your Operating System it is recommended that you do not overwrite the system
  version and instead install to somewhere else.
 
- If you want to install it anywhere else, run config like this:
+ If you want to install it anywhere else, run config like this (the options
+ --prefix and --openssldir are explained further down, and the values shown
+ here are mere examples):
 
   On Unix:
 
@@ -198,7 +199,7 @@
                    Unix:           /usr/local
                    Windows:        C:\Program Files\OpenSSL
                                 or C:\Program Files (x86)\OpenSSL
-                   OpenVMS:        SYS$COMMON:[OPENSSL-'version']
+                   OpenVMS:        SYS$COMMON:[OPENSSL]
 
   --release
                    Build OpenSSL without debugging symbols. This is the default.
@@ -961,9 +962,9 @@
          share/doc/openssl/html/man7
                         Contains the HTML rendition of the man-pages.
 
-       OpenVMS ('arch' is replaced with the architecture name, "Alpha"
-       or "ia64", 'sover' is replaced with the shared library version
-       (0101 for 1.1), and 'pz' is replaced with the pointer size
+       OpenVMS ('arch' is replaced with the architecture name, "ALPHA"
+       or "IA64", 'sover' is replaced with the shared library version
+       (0101 for 1.1.x), and 'pz' is replaced with the pointer size
        OpenSSL was built with):
 
          [.EXE.'arch']  Contains the openssl binary.

deps/openssl/openssl/NEWS

@@ -5,6 +5,16 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+      o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+        function (CVE-2021-23841)
+      o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+        padding mode to correctly check for rollback attacks
+      o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+        EVP_DecryptUpdate functions (CVE-2021-23840)
+      o Fixed SRP_Calc_client_key so that it runs in constant time
+
   Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
 
       o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

deps/openssl/openssl/NOTES.VMS

@@ -90,9 +90,9 @@
  Unix mount point.
 
  The easiest way to check if everything got through as it should is to
- check for one of the following files:
+ check that this file exists:
 
-   [.crypto]opensslconf^.h.in
+   [.include.openssl]opensslconf^.h.in
 
  The best way to get a correct distribution is to download the gzipped
  tar file from ftp://ftp.openssl.org/source/, use GZIP -d to uncompress
@@ -105,3 +105,11 @@
  Should you need it, you can find UnZip for VMS here:
 
    http://www.info-zip.org/UnZip.html
+
+
+ How the value of 'arch' is determined
+ -------------------------------------
+
+ 'arch' is mentioned in INSTALL.  It's value is determined like this:
+
+    arch = f$edit( f$getsyi( "arch_name"), "upcase")

deps/openssl/openssl/NOTES.WIN

@@ -62,8 +62,8 @@
 
  For VC-WIN32, the following defaults are use:
 
-     PREFIX:      %ProgramFiles(86)%\OpenSSL
-     OPENSSLDIR:  %CommonProgramFiles(86)%\SSL
+     PREFIX:      %ProgramFiles(x86)%\OpenSSL
+     OPENSSLDIR:  %CommonProgramFiles(x86)%\SSL
 
  For VC-WIN64, the following defaults are use:
 

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1i 8 Dec 2020
+ OpenSSL 1.1.1j 16 Feb 2021
 
  Copyright (c) 1998-2020 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

deps/openssl/openssl/VMS/msg_install.com

@@ -0,0 +1,19 @@
+$       ! Used by the main descrip.mms to print the installation complete
+$       ! message.
+$       ! Arguments:
+$       ! P1    startup / setup / shutdown scripts directory
+$       ! P2    distinguishing version number ("major version")
+$
+$       systartup = p1
+$       osslver = p2
+$
+$       WRITE SYS$OUTPUT "Installation complete"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The following commands need to be executed to enable you to use OpenSSL:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "- to set up OpenSSL logical names:"
+$       WRITE SYS$OUTPUT "  @''systartup'openssl_startup''osslver'"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "- to define the OpenSSL command"
+$       WRITE SYS$OUTPUT "  @''systartup'openssl_utils''osslver'"
+$       WRITE SYS$OUTPUT ""

deps/openssl/openssl/VMS/msg_staging.com

@@ -0,0 +1,37 @@
+$       ! Used by the main descrip.mms to print the statging installation
+$       ! complete
+$       ! message.
+$       ! Arguments:
+$       ! P1    staging software installation directory
+$       ! P2    staging data installation directory
+$       ! P3    final software installation directory
+$       ! P4    final data installation directory
+$       ! P5    startup / setup / shutdown scripts directory
+$       ! P6    distinguishing version number ("major version")
+$
+$       staging_instdir = p1
+$       staging_datadir = p2
+$       final_instdir = p3
+$       final_datadir = p4
+$       systartup = p5
+$       osslver = p6
+$
+$       WRITE SYS$OUTPUT "Staging installation complete"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the following directory"
+$       WRITE SYS$OUTPUT "trees end up being copied:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "- from ", staging_instdir
+$       WRITE SYS$OUTPUT "  to   ", final_instdir
+$       WRITE SYS$OUTPUT "- from ", staging_datadir
+$       WRITE SYS$OUTPUT "  to   ", final_datadir
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "When in its final destination, the following commands need to be executed"
+$       WRITE SYS$OUTPUT "to use OpenSSL:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "- to set up OpenSSL logical names:"
+$       WRITE SYS$OUTPUT "  @''systartup'openssl_startup''osslver'"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "- to define the OpenSSL command"
+$       WRITE SYS$OUTPUT "  @''systartup'openssl_utils''osslver'"
+$       WRITE SYS$OUTPUT ""