deps: upgrade openssl sources to 1.1.1l

This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1l.tar.gz
    $ mv openssl-1.1.1l openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #39869
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Myles Borins <myles.borins@gmail.com>

deps/openssl/openssl/CHANGES

@@ -7,6 +7,71 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+
+  *) Fixed an SM2 Decryption Buffer Overflow.
+
+     In order to decrypt SM2 encrypted data an application is expected to call the
+     API function EVP_PKEY_decrypt(). Typically an application will call this
+     function twice. The first time, on entry, the "out" parameter can be NULL and,
+     on exit, the "outlen" parameter is populated with the buffer size required to
+     hold the decrypted plaintext. The application can then allocate a sufficiently
+     sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
+     value for the "out" parameter.
+
+     A bug in the implementation of the SM2 decryption code means that the
+     calculation of the buffer size required to hold the plaintext returned by the
+     first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
+     the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
+     called by the application a second time with a buffer that is too small.
+
+     A malicious attacker who is able present SM2 content for decryption to an
+     application could cause attacker chosen data to overflow the buffer by up to a
+     maximum of 62 bytes altering the contents of other data held after the
+     buffer, possibly changing application behaviour or causing the application to
+     crash. The location of the buffer is application dependent but is typically
+     heap allocated.
+     (CVE-2021-3711)
+     [Matt Caswell]
+
+  *) Fixed various read buffer overruns processing ASN.1 strings
+
+     ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
+     structure which contains a buffer holding the string data and a field holding
+     the buffer length. This contrasts with normal C strings which are repesented as
+     a buffer for the string data which is terminated with a NUL (0) byte.
+
+     Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
+     own "d2i" functions (and other similar parsing functions) as well as any string
+     whose value has been set with the ASN1_STRING_set() function will additionally
+     NUL terminate the byte array in the ASN1_STRING structure.
+
+     However, it is possible for applications to directly construct valid ASN1_STRING
+     structures which do not NUL terminate the byte array by directly setting the
+     "data" and "length" fields in the ASN1_STRING array. This can also happen by
+     using the ASN1_STRING_set0() function.
+
+     Numerous OpenSSL functions that print ASN.1 data have been found to assume that
+     the ASN1_STRING byte array will be NUL terminated, even though this is not
+     guaranteed for strings that have been directly constructed. Where an application
+     requests an ASN.1 structure to be printed, and where that ASN.1 structure
+     contains ASN1_STRINGs that have been directly constructed by the application
+     without NUL terminating the "data" field, then a read buffer overrun can occur.
+
+     The same thing can also occur during name constraints processing of certificates
+     (for example if a certificate has been directly constructed by the application
+     instead of loading it via the OpenSSL parsing functions, and the certificate
+     contains non NUL terminated ASN1_STRING structures). It can also occur in the
+     X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
+
+     If a malicious actor can cause an application to directly construct an
+     ASN1_STRING and then process it through one of the affected OpenSSL functions
+     then this issue could be hit. This might result in a crash (causing a Denial of
+     Service attack). It could also result in the disclosure of private memory
+     contents (such as private keys, or sensitive plaintext).
+     (CVE-2021-3712)
+     [Matt Caswell]
+
  Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
 
   *) Fixed a problem with verifying a certificate chain when using the

deps/openssl/openssl/Configurations/10-main.conf

@@ -754,6 +754,13 @@ my %targets = (
         multilib         => "64",
     },
 
+    # riscv64 below refers to contemporary RISCV Architecture
+    # specifications,
+    "linux64-riscv64" => {
+        inherit_from     => [ "linux-generic64"],
+        perlasm_scheme   => "linux64",
+    },
+
     #### IA-32 targets...
     #### These two targets are a bit aged and are to be used on older Linux
     #### machines where gcc doesn't understand -m32 and -m64

deps/openssl/openssl/Configurations/15-android.conf

@@ -29,18 +29,18 @@
                 $ndk = $ENV{$ndk_var};
                 last if defined $ndk;
             }
-            die "\$ANDROID_NDK_HOME is not defined"  if (!$ndk);
-            if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") {
-                # $ndk/platforms is traditional "all-inclusive" NDK, while
-                # $ndk/AndroidVersion.txt is so-called standalone toolchain
-                # tailored for specific target down to API level.
+            die "\$ANDROID_NDK_HOME is not defined" if (!$ndk);
+            my $is_standalone_toolchain = -f "$ndk/AndroidVersion.txt";
+            my $ndk_src_props = "$ndk/source.properties";
+            my $is_ndk = -f $ndk_src_props;
+            if ($is_ndk == $is_standalone_toolchain) {
                 die "\$ANDROID_NDK_HOME=$ndk is invalid";
             }
             $ndk = canonpath($ndk);
 
             my $ndkver = undef;
 
-            if (open my $fh, "<$ndk/source.properties") {
+            if (open my $fh, "<$ndk_src_props") {
                 local $_;
                 while(<$fh>) {
                     if (m|Pkg\.Revision\s*=\s*([0-9]+)|) {
@@ -59,7 +59,7 @@
             if ($sysroot = $ENV{CROSS_SYSROOT}) {
                 $sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
                 ($api, $arch) = ($1, $2);
-            } elsif (-f "$ndk/AndroidVersion.txt") {
+            } elsif ($is_standalone_toolchain) {
                 $sysroot = "$ndk/sysroot";
             } else {
                 $api = "*";
@@ -72,17 +72,31 @@
                     }
                 }
 
-                # list available platforms (numerically)
-                my @platforms = sort { $a =~ m/-([0-9]+)$/; my $aa = $1;
-                                       $b =~ m/-([0-9]+)$/; $aa <=> $1;
-                                     } glob("$ndk/platforms/android-$api");
-                die "no $ndk/platforms/android-$api" if ($#platforms < 0);
+                if (-d "$ndk/platforms") {
+                    # list available platforms (numerically)
+                    my @platforms = sort { $a =~ m/-([0-9]+)$/; my $aa = $1;
+                                           $b =~ m/-([0-9]+)$/; $aa <=> $1;
+                                         } glob("$ndk/platforms/android-$api");
+                    die "no $ndk/platforms/android-$api" if ($#platforms < 0);
 
-                $sysroot = "@platforms[$#platforms]/arch-$arch";
-                $sysroot =~ m|/android-([0-9]+)/arch-$arch|;
-                $api = $1;
+                    $sysroot = "@platforms[$#platforms]/arch-$arch";
+                    $sysroot =~ m|/android-([0-9]+)/arch-$arch|;
+                    $api = $1;
+                } elsif ($api eq "*") {
+                    # r22 Removed platforms dir, use this JSON file
+                    my $path = "$ndk/meta/platforms.json";
+                    open my $fh, $path or die "Could not open '$path' $!";
+                    while (<$fh>) {
+                        if (/"max": (\d+),/) {
+                            $api = $1;
+                            last;
+                        }
+                    }
+                    close $fh;
+                }
+                die "Could not get default API Level" if ($api eq "*");
             }
-            die "no sysroot=$sysroot"   if (!-d $sysroot);
+            die "no sysroot=$sysroot" if (length $sysroot && !-d $sysroot);
 
             my $triarch = $triplet{$arch};
             my $cflags;
@@ -95,17 +109,21 @@
                 my $arm = $ndkver > 16 ? "armv7a" : "armv5te";
                 (my $tridefault = $triarch) =~ s/^arm-/$arm-/;
                 (my $tritools   = $triarch) =~ s/(?:x|i6)86(_64)?-.*/x86$1/;
-                $cflags .= " -target $tridefault "
-                        .  "-gcc-toolchain \$($ndk_var)/toolchains"
-                        .  "/$tritools-4.9/prebuilt/$host";
-                $user{CC} = "clang" if ($user{CC} !~ m|clang|);
+                if (length $sysroot) {
+                    $cflags .= " -target $tridefault "
+                            .  "-gcc-toolchain \$($ndk_var)/toolchains"
+                            .  "/$tritools-4.9/prebuilt/$host";
+                    $user{CC} = "clang" if ($user{CC} !~ m|clang|);
+                } else {
+                    $user{CC} = "$tridefault$api-clang";
+                }
                 $user{CROSS_COMPILE} = undef;
                 if (which("llvm-ar") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
                     $user{AR} = "llvm-ar";
                     $user{ARFLAGS} = [ "rs" ];
                     $user{RANLIB} = ":";
                 }
-            } elsif (-f "$ndk/AndroidVersion.txt") {    #"standalone toolchain"
+            } elsif ($is_standalone_toolchain) {
                 my $cc = $user{CC} // "clang";
                 # One can probably argue that both clang and gcc should be
                 # probed, but support for "standalone toolchain" was added
@@ -127,19 +145,21 @@
                 $user{CROSS_COMPILE} = "$triarch-";
             }
 
-            if (!-d "$sysroot/usr/include") {
-                my $incroot = "$ndk/sysroot/usr/include";
-                die "no $incroot"          if (!-d $incroot);
-                die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
-                $incroot =~ s|^$ndk/||;
-                $cppflags  = "-D__ANDROID_API__=$api";
-                $cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch";
-                $cppflags .= " -isystem \$($ndk_var)/$incroot";
+            if (length $sysroot) {
+                if (!-d "$sysroot/usr/include") {
+                    my $incroot = "$ndk/sysroot/usr/include";
+                    die "no $incroot"          if (!-d $incroot);
+                    die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
+                    $incroot =~ s|^$ndk/||;
+                    $cppflags  = "-D__ANDROID_API__=$api";
+                    $cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch";
+                    $cppflags .= " -isystem \$($ndk_var)/$incroot";
+                }
+                $sysroot =~ s|^$ndk/||;
+                $sysroot = " --sysroot=\$($ndk_var)/$sysroot";
             }
-
-            $sysroot =~ s|^$ndk/||;
             $android_ndk = {
-                cflags   => "$cflags --sysroot=\$($ndk_var)/$sysroot",
+                cflags   => $cflags . $sysroot,
                 cppflags => $cppflags,
                 bn_ops   => $arch =~ m/64$/ ? "SIXTY_FOUR_BIT_LONG"
                                             : "BN_LLONG",

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

@@ -523,7 +523,6 @@ clean: libclean
 	$(RM) -r test/test-runs
 	$(RM) openssl.pc libcrypto.pc libssl.pc
 	-$(RM) `find . -type l \! -name '.*' -print`
-	$(RM) $(TARFILE)
 
 distclean: clean
 	$(RM) configdata.pm

deps/openssl/openssl/Configurations/windows-makefile.tmpl

@@ -324,15 +324,15 @@ build_apps build_tests: build_programs
 # Convenience target to prebuild all generated files, not just the mandatory
 # ones
 build_all_generated: $(GENERATED_MANDATORY) $(GENERATED)
-	@{- output_off() if $disabled{makedepend}; "" -}
+	@{- output_off() if $disabled{makedepend}; "\@rem" -}
 	@$(ECHO) "Warning: consider configuring with no-makedepend, because if"
 	@$(ECHO) "         target system doesn't have $(PERL),"
 	@$(ECHO) "         then make will fail..."
-	@{- output_on() if $disabled{makedepend}; "" -}
+	@{- output_on() if $disabled{makedepend}; "\@rem" -}
 
 test: tests
 {- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep
-	@{- output_off() if $disabled{tests}; "" -}
+	@{- output_off() if $disabled{tests}; "\@rem" -}
 	-mkdir $(BLDDIR)\test\test-runs
 	set SRCTOP=$(SRCDIR)
 	set BLDTOP=$(BLDDIR)
@@ -341,17 +341,17 @@ test: tests
 	set OPENSSL_ENGINES=$(MAKEDIR)\engines
 	set OPENSSL_DEBUG_MEMORY=on
 	"$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS)
-	@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+	@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "\@rem" -}
 	@$(ECHO) "Tests are not supported with your chosen Configure options"
-	@{- output_on() if !$disabled{tests}; "" -}
+	@{- output_on() if !$disabled{tests}; "\@rem" -}
 
 list-tests:
-	@{- output_off() if $disabled{tests}; "" -}
+	@{- output_off() if $disabled{tests}; "\@rem" -}
 	@set SRCTOP=$(SRCDIR)
 	@"$(PERL)" "$(SRCDIR)\test\run_tests.pl" list
-	@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+	@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "\@rem" -}
 	@$(ECHO) "Tests are not supported with your chosen Configure options"
-	@{- output_on() if !$disabled{tests}; "" -}
+	@{- output_on() if !$disabled{tests}; "\@rem" -}
 
 install: install_sw install_ssldirs install_docs
 
@@ -362,7 +362,7 @@ libclean:
 	-del /Q /F $(LIBS) libcrypto.* libssl.* ossl_static.pdb
 
 clean: libclean
-	{- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) -}
+	{- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) || "\@rem" -}
 	-del /Q /F $(ENGINES)
 	-del /Q /F $(SCRIPTS)
 	-del /Q /F $(GENERATED_MANDATORY)
@@ -378,9 +378,9 @@ distclean: clean
 	-del /Q /F makefile
 
 depend:
-	@ {- output_off() if $disabled{makedepend}; "" -}
+	@ {- output_off() if $disabled{makedepend}; "\@rem" -}
 	@ "$(PERL)" "$(SRCDIR)\util\add-depends.pl" "VC"
-	@ {- output_on() if $disabled{makedepend}; "" -}
+	@ {- output_on() if $disabled{makedepend}; "\@rem" -}
 
 # Install helper targets #############################################
 
@@ -413,10 +413,10 @@ install_dev: install_runtime_libs
 	@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
 	@$(ECHO) "*** Installing development files"
 	@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl"
-	@{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+	@{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "\@rem" -}
 	@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \
 				       "$(INSTALLTOP)\include\openssl"
-	@{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+	@{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "\@rem" -}
 	@"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \
 				       "$(SRCDIR)\include\openssl\*.h" \
 				       "$(INSTALLTOP)\include\openssl"

deps/openssl/openssl/NEWS

@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+
+      o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
+      o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)
+
   Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
 
       o Fixed a problem with verifying a certificate chain when using the

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1k 25 Mar 2021
+ OpenSSL 1.1.1l 24 Aug 2021
 
  Copyright (c) 1998-2021 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

deps/openssl/openssl/apps/crl2p7.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -120,19 +120,20 @@ int crl2pkcs7_main(int argc, char **argv)
 
     if (!ASN1_INTEGER_set(p7s->version, 1))
         goto end;
-    if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
-        goto end;
-    p7s->crl = crl_stack;
+
     if (crl != NULL) {
+        if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
+            goto end;
+        p7s->crl = crl_stack;
         sk_X509_CRL_push(crl_stack, crl);
         crl = NULL;             /* now part of p7 for OPENSSL_freeing */
     }
 
-    if ((cert_stack = sk_X509_new_null()) == NULL)
-        goto end;
-    p7s->cert = cert_stack;
+    if (certflst != NULL) {
+        if ((cert_stack = sk_X509_new_null()) == NULL)
+            goto end;
+        p7s->cert = cert_stack;
 
-    if (certflst != NULL)
         for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
             certfile = sk_OPENSSL_STRING_value(certflst, i);
             if (add_certs_from_file(cert_stack, certfile) < 0) {
@@ -141,6 +142,7 @@ int crl2pkcs7_main(int argc, char **argv)
                 goto end;
             }
         }
+    }
 
     out = bio_open_default(outfile, 'w', outformat);
     if (out == NULL)

deps/openssl/openssl/apps/enc.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -81,7 +81,7 @@ const OPTIONS enc_options[] = {
     {"", OPT_CIPHER, '-', "Any supported cipher"},
     OPT_R_OPTIONS,
 #ifdef ZLIB
-    {"z", OPT_Z, '-', "Use zlib as the 'encryption'"},
+    {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
 #endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},