deps: upgrade openssl sources to OpenSSL_1_1_1l

This updates all sources in deps/openssl/openssl by:
    $ git clone https://github.com/openssl/openssl
    $ cd openssl
    $ git checkout OpenSSL_1_1_1l
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl

Author: richardlau

deps/openssl/openssl/CHANGES

@@ -7,6 +7,71 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+
+  *) Fixed an SM2 Decryption Buffer Overflow.
+
+     In order to decrypt SM2 encrypted data an application is expected to call the
+     API function EVP_PKEY_decrypt(). Typically an application will call this
+     function twice. The first time, on entry, the "out" parameter can be NULL and,
+     on exit, the "outlen" parameter is populated with the buffer size required to
+     hold the decrypted plaintext. The application can then allocate a sufficiently
+     sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
+     value for the "out" parameter.
+
+     A bug in the implementation of the SM2 decryption code means that the
+     calculation of the buffer size required to hold the plaintext returned by the
+     first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
+     the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
+     called by the application a second time with a buffer that is too small.
+
+     A malicious attacker who is able present SM2 content for decryption to an
+     application could cause attacker chosen data to overflow the buffer by up to a
+     maximum of 62 bytes altering the contents of other data held after the
+     buffer, possibly changing application behaviour or causing the application to
+     crash. The location of the buffer is application dependent but is typically
+     heap allocated.
+     (CVE-2021-3711)
+     [Matt Caswell]
+
+  *) Fixed various read buffer overruns processing ASN.1 strings
+
+     ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
+     structure which contains a buffer holding the string data and a field holding
+     the buffer length. This contrasts with normal C strings which are repesented as
+     a buffer for the string data which is terminated with a NUL (0) byte.
+
+     Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
+     own "d2i" functions (and other similar parsing functions) as well as any string
+     whose value has been set with the ASN1_STRING_set() function will additionally
+     NUL terminate the byte array in the ASN1_STRING structure.
+
+     However, it is possible for applications to directly construct valid ASN1_STRING
+     structures which do not NUL terminate the byte array by directly setting the
+     "data" and "length" fields in the ASN1_STRING array. This can also happen by
+     using the ASN1_STRING_set0() function.
+
+     Numerous OpenSSL functions that print ASN.1 data have been found to assume that
+     the ASN1_STRING byte array will be NUL terminated, even though this is not
+     guaranteed for strings that have been directly constructed. Where an application
+     requests an ASN.1 structure to be printed, and where that ASN.1 structure
+     contains ASN1_STRINGs that have been directly constructed by the application
+     without NUL terminating the "data" field, then a read buffer overrun can occur.
+
+     The same thing can also occur during name constraints processing of certificates
+     (for example if a certificate has been directly constructed by the application
+     instead of loading it via the OpenSSL parsing functions, and the certificate
+     contains non NUL terminated ASN1_STRING structures). It can also occur in the
+     X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
+
+     If a malicious actor can cause an application to directly construct an
+     ASN1_STRING and then process it through one of the affected OpenSSL functions
+     then this issue could be hit. This might result in a crash (causing a Denial of
+     Service attack). It could also result in the disclosure of private memory
+     contents (such as private keys, or sensitive plaintext).
+     (CVE-2021-3712)
+     [Matt Caswell]
+
  Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
 
   *) Fixed a problem with verifying a certificate chain when using the

deps/openssl/openssl/Configurations/10-main.conf

@@ -754,6 +754,13 @@ my %targets = (
         multilib         => "64",
     },
 
+    # riscv64 below refers to contemporary RISCV Architecture
+    # specifications,
+    "linux64-riscv64" => {
+        inherit_from     => [ "linux-generic64"],
+        perlasm_scheme   => "linux64",
+    },
+
     #### IA-32 targets...
     #### These two targets are a bit aged and are to be used on older Linux
     #### machines where gcc doesn't understand -m32 and -m64

deps/openssl/openssl/Configurations/15-android.conf

@@ -29,18 +29,18 @@
                 $ndk = $ENV{$ndk_var};
                 last if defined $ndk;
             }
-            die "\$ANDROID_NDK_HOME is not defined"  if (!$ndk);
-            if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") {
-                # $ndk/platforms is traditional "all-inclusive" NDK, while
-                # $ndk/AndroidVersion.txt is so-called standalone toolchain
-                # tailored for specific target down to API level.
+            die "\$ANDROID_NDK_HOME is not defined" if (!$ndk);
+            my $is_standalone_toolchain = -f "$ndk/AndroidVersion.txt";
+            my $ndk_src_props = "$ndk/source.properties";
+            my $is_ndk = -f $ndk_src_props;
+            if ($is_ndk == $is_standalone_toolchain) {
                 die "\$ANDROID_NDK_HOME=$ndk is invalid";
             }
             $ndk = canonpath($ndk);
 
             my $ndkver = undef;
 
-            if (open my $fh, "<$ndk/source.properties") {
+            if (open my $fh, "<$ndk_src_props") {
                 local $_;
                 while(<$fh>) {
                     if (m|Pkg\.Revision\s*=\s*([0-9]+)|) {
@@ -59,7 +59,7 @@
             if ($sysroot = $ENV{CROSS_SYSROOT}) {
                 $sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
                 ($api, $arch) = ($1, $2);
-            } elsif (-f "$ndk/AndroidVersion.txt") {
+            } elsif ($is_standalone_toolchain) {
                 $sysroot = "$ndk/sysroot";
             } else {
                 $api = "*";
@@ -72,17 +72,31 @@
                     }
                 }
 
-                # list available platforms (numerically)
-                my @platforms = sort { $a =~ m/-([0-9]+)$/; my $aa = $1;
-                                       $b =~ m/-([0-9]+)$/; $aa <=> $1;
-                                     } glob("$ndk/platforms/android-$api");
-                die "no $ndk/platforms/android-$api" if ($#platforms < 0);
+                if (-d "$ndk/platforms") {
+                    # list available platforms (numerically)
+                    my @platforms = sort { $a =~ m/-([0-9]+)$/; my $aa = $1;
+                                           $b =~ m/-([0-9]+)$/; $aa <=> $1;
+                                         } glob("$ndk/platforms/android-$api");
+                    die "no $ndk/platforms/android-$api" if ($#platforms < 0);
 
-                $sysroot = "@platforms[$#platforms]/arch-$arch";
-                $sysroot =~ m|/android-([0-9]+)/arch-$arch|;
-                $api = $1;
+                    $sysroot = "@platforms[$#platforms]/arch-$arch";
+                    $sysroot =~ m|/android-([0-9]+)/arch-$arch|;
+                    $api = $1;
+                } elsif ($api eq "*") {
+                    # r22 Removed platforms dir, use this JSON file
+                    my $path = "$ndk/meta/platforms.json";
+                    open my $fh, $path or die "Could not open '$path' $!";
+                    while (<$fh>) {
+                        if (/"max": (\d+),/) {
+                            $api = $1;
+                            last;
+                        }
+                    }
+                    close $fh;
+                }
+                die "Could not get default API Level" if ($api eq "*");
             }
-            die "no sysroot=$sysroot"   if (!-d $sysroot);
+            die "no sysroot=$sysroot" if (length $sysroot && !-d $sysroot);
 
             my $triarch = $triplet{$arch};
             my $cflags;
@@ -95,17 +109,21 @@
                 my $arm = $ndkver > 16 ? "armv7a" : "armv5te";
                 (my $tridefault = $triarch) =~ s/^arm-/$arm-/;
                 (my $tritools   = $triarch) =~ s/(?:x|i6)86(_64)?-.*/x86$1/;
-                $cflags .= " -target $tridefault "
-                        .  "-gcc-toolchain \$($ndk_var)/toolchains"
-                        .  "/$tritools-4.9/prebuilt/$host";
-                $user{CC} = "clang" if ($user{CC} !~ m|clang|);
+                if (length $sysroot) {
+                    $cflags .= " -target $tridefault "
+                            .  "-gcc-toolchain \$($ndk_var)/toolchains"
+                            .  "/$tritools-4.9/prebuilt/$host";
+                    $user{CC} = "clang" if ($user{CC} !~ m|clang|);
+                } else {
+                    $user{CC} = "$tridefault$api-clang";
+                }
                 $user{CROSS_COMPILE} = undef;
                 if (which("llvm-ar") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
                     $user{AR} = "llvm-ar";
                     $user{ARFLAGS} = [ "rs" ];
                     $user{RANLIB} = ":";
                 }
-            } elsif (-f "$ndk/AndroidVersion.txt") {    #"standalone toolchain"
+            } elsif ($is_standalone_toolchain) {
                 my $cc = $user{CC} // "clang";
                 # One can probably argue that both clang and gcc should be
                 # probed, but support for "standalone toolchain" was added
@@ -127,19 +145,21 @@
                 $user{CROSS_COMPILE} = "$triarch-";
             }
 
-            if (!-d "$sysroot/usr/include") {
-                my $incroot = "$ndk/sysroot/usr/include";
-                die "no $incroot"          if (!-d $incroot);
-                die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
-                $incroot =~ s|^$ndk/||;
-                $cppflags  = "-D__ANDROID_API__=$api";
-                $cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch";
-                $cppflags .= " -isystem \$($ndk_var)/$incroot";
+            if (length $sysroot) {
+                if (!-d "$sysroot/usr/include") {
+                    my $incroot = "$ndk/sysroot/usr/include";
+                    die "no $incroot"          if (!-d $incroot);
+                    die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
+                    $incroot =~ s|^$ndk/||;
+                    $cppflags  = "-D__ANDROID_API__=$api";
+                    $cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch";
+                    $cppflags .= " -isystem \$($ndk_var)/$incroot";
+                }
+                $sysroot =~ s|^$ndk/||;
+                $sysroot = " --sysroot=\$($ndk_var)/$sysroot";
             }
-
-            $sysroot =~ s|^$ndk/||;
             $android_ndk = {
-                cflags   => "$cflags --sysroot=\$($ndk_var)/$sysroot",
+                cflags   => $cflags . $sysroot,
                 cppflags => $cppflags,
                 bn_ops   => $arch =~ m/64$/ ? "SIXTY_FOUR_BIT_LONG"
                                             : "BN_LLONG",

deps/openssl/openssl/Configurations/90-team.norelease.conf

@@ -0,0 +1,114 @@
+## -*- mode: perl; -*-
+## Build configuration targets for openssl-team members
+
+my %targets = (
+    "purify" => {
+        inherit_from     => [ 'BASE_unix' ],
+        cc               => "purify gcc",
+        CFLAGS           => "-g -Wall",
+        thread_scheme    => "(unknown)",
+        ex_libs          => add(" ","-lsocket -lnsl"),
+    },
+    "debug" => {
+        inherit_from     => [ 'BASE_unix' ],
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
+        thread_scheme    => "(unknown)",
+    },
+    "debug-erbridge" => {
+        inherit_from     => [ 'BASE_unix', "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => combine(join(' ', @gcc_devteam_warn),
+                                    "-DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-m64",
+        shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
+        multilib         => "64",
+    },
+    "debug-linux-pentium" => {
+        inherit_from     => [ 'BASE_unix', "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
+        bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
+        dso_scheme       => "dlfcn",
+    },
+    "debug-linux-ppro" => {
+        inherit_from     => [ 'BASE_unix', "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
+        bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
+        dso_scheme       => "dlfcn",
+    },
+    "debug-linux-ia32-aes" => {
+        inherit_from     => [ 'BASE_unix' ],
+        cc               => "gcc",
+        cflags           => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
+        bn_ops           => "BN_LLONG",
+        cpuid_asm_src    => "x86cpuid.s",
+        bn_asm_src       => "bn-586.s co-586.s x86-mont.s",
+        des_asm_src      => "des-586.s crypt586.s",
+        aes_asm_src      => "aes_x86core.s aes_cbc.s aesni-x86.s",
+        bf_asm_src       => "bf-586.s",
+        md5_asm_src      => "md5-586.s",
+        sha1_asm_src     => "sha1-586.s sha256-586.s sha512-586.s",
+        cast_asm_src     => "cast-586.s",
+        rc4_asm_src      => "rc4-586.s",
+        rmd160_asm_src   => "rmd-586.s",
+        rc5_asm_src      => "rc5-586.s",
+        wp_asm_src       => "wp_block.s wp-mmx.s",
+        modes_asm_src    => "ghash-x86.s",
+        padlock_asm_src  => "e_padlock-x86.s",
+        thread_scheme    => "pthreads",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
+    },
+    "debug-test-64-clang" => {
+        inherit_from     => [ 'BASE_unix', "x86_64_asm" ],
+        cc               => "clang",
+        cflags           => combine(join(' ', @gcc_devteam_warn),
+                                    "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "bsd-gcc-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
+    },
+    "darwin64-debug-test-64-clang" => {
+        inherit_from     => [ 'BASE_unix', "x86_64_asm" ],
+        cc               => "clang",
+        cflags           => combine("-arch x86_64 -DL_ENDIAN",
+                                    join(' ', @gcc_devteam_warn),
+                                    "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
+        sys_id           => "MACOSX",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
+        perlasm_scheme   => "macosx",
+        dso_scheme       => "dlfcn",
+        shared_target    => "darwin-shared",
+        shared_cflag     => "-fPIC -fno-common",
+        shared_ldflag    => "-arch x86_64 -dynamiclib",
+        shared_extension => ".\$(SHLIB_VERSION_NUMBER).dylib",
+    },
+);

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

@@ -523,7 +523,6 @@ clean: libclean
 	$(RM) -r test/test-runs
 	$(RM) openssl.pc libcrypto.pc libssl.pc
 	-$(RM) `find . -type l \! -name '.*' -print`
-	$(RM) $(TARFILE)
 
 distclean: clean
 	$(RM) configdata.pm