deps: upgrade openssl sources to 1.1.1i

This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1i.tar.gz
    $ mv openssl-1.1.1i openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #36520
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>

Author: MylesBorins

deps/openssl/openssl/CHANGES

@@ -7,6 +7,69 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
+
+  *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
+     This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
+     If an attacker can control both items being compared  then this could lead
+     to a possible denial of service attack. OpenSSL itself uses the
+     GENERAL_NAME_cmp function for two purposes:
+     1) Comparing CRL distribution point names between an available CRL and a
+        CRL distribution point embedded in an X509 certificate
+     2) When verifying that a timestamp response token signer matches the
+        timestamp authority name (exposed via the API functions
+        TS_RESP_verify_response and TS_RESP_verify_token)
+     (CVE-2020-1971)
+     [Matt Caswell]
+
+  *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
+     [Stuart Carnie]
+
+  *) The security callback, which can be customised by application code, supports
+     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+     in the "other" parameter. In most places this is what is passed. All these
+     places occur server side. However there was one client side call of this
+     security operation and it passed a DH object instead. This is incorrect
+     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+     of the other locations. Therefore this client side call has been changed to
+     pass an EVP_PKEY instead.
+     [Matt Caswell]
+
+  *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
+     when validating a certificate path. This check is restored in 1.1.1i.
+     [David von Oheimb]
+
+ Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
+
+  *) Certificates with explicit curve parameters are now disallowed in
+     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
+     [Tomas Mraz]
+
+  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+     conversely, silently ignore DTLS protocol version bounds when configuring
+     TLS-based contexts.  The commands can be repeated to set bounds of both
+     types.  The same applies with the corresponding "min_protocol" and
+     "max_protocol" command-line switches, in case some application uses both TLS
+     and DTLS.
+  
+     SSL_CTX instances that are created for a fixed protocol version (e.g.
+     TLSv1_server_method()) also silently ignore version bounds.  Previously
+     attempts to apply bounds to these protocol versions would result in an
+     error.  Now only the "version-flexible" SSL_CTX instances are subject to
+     limits in configuration files in command-line options.
+     [Viktor Dukhovni]
+
+  *) Handshake now fails if Extended Master Secret extension is dropped
+     on renegotiation.
+     [Tomas Mraz]
+
+  *) Accidentally, an expired trusted (root) certificate is not anymore rejected
+     when validating a certificate path.
+     [David von Oheimb]
+
+  *) The Oracle Developer Studio compiler will start reporting deprecated APIs
+
  Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
 
   *) Fixed segmentation fault in SSL_check_chain()
@@ -115,9 +178,6 @@
 
  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
 
-  *) Implement BoringSSL's QUIC API
-     [Todd Short]
-
   *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
      number generator (RNG). This was intended to include protection in the
      event of a fork() system call in order to ensure that the parent and child

deps/openssl/openssl/Configurations/10-main.conf

@@ -741,7 +741,7 @@ my %targets = (
         inherit_from     => [ "linux-generic32", asm("mips64_asm") ],
         cflags           => add("-mabi=n32"),
         cxxflags         => add("-mabi=n32"),
-        bn_ops           => "SIXTY_FOUR_BIT RC4_CHAR",
+        bn_ops           => "RC4_CHAR",
         perlasm_scheme   => "n32",
         multilib         => "32",
     },
@@ -1125,7 +1125,7 @@ my %targets = (
         CFLAGS           => picker(debug   => "-O0 -g",
                                    release => "-O"),
         cflags           => add(threads("-pthread")),
-        ex_libs          => threads("-pthread"),
+        ex_libs          => add(threads("-pthread")),
         bn_ops           => "BN_LLONG RC4_CHAR",
         perlasm_scheme   => "aix32",
         shared_ldflag    => add_before("-shared -static-libgcc"),
@@ -1138,7 +1138,7 @@ my %targets = (
         CFLAGS           => picker(debug   => "-O0 -g",
                                    release => "-O"),
         cflags           => combine("-maix64", threads("-pthread")),
-        ex_libs          => threads("-pthread"),
+        ex_libs          => add(threads("-pthread")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
         perlasm_scheme   => "aix64",
         shared_ldflag    => add_before("-shared -static-libgcc"),
@@ -1154,7 +1154,7 @@ my %targets = (
         cflags           => combine("-q32 -qmaxmem=16384 -qro -qroconst",
                                     threads("-qthreaded")),
         cppflags         => threads("-D_THREAD_SAFE"),
-        ex_libs          => threads("-lpthreads"),
+        ex_libs          => add(threads("-lpthreads")),
         bn_ops           => "BN_LLONG RC4_CHAR",
         perlasm_scheme   => "aix32",
         shared_cflag     => "-qpic",
@@ -1169,7 +1169,7 @@ my %targets = (
         cflags           => combine("-q64 -qmaxmem=16384 -qro -qroconst",
                                     threads("-qthreaded")),
         cppflags         => threads("-D_THREAD_SAFE"),
-        ex_libs          => threads("-lpthreads"),
+        ex_libs          => add(threads("-lpthreads")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
         perlasm_scheme   => "aix64",
         dso_scheme       => "dlfcn",
@@ -1365,9 +1365,9 @@ my %targets = (
             }
             push @ex_libs, '$(PORTSDK_LIBPATH)/portlib.lib'
                 if (defined(env('PORTSDK_LIBPATH')));
-            push @ex_libs, ' /nodefaultlib coredll.lib corelibc.lib'
-                if (env('TARGETCPU') eq "X86");
-            return @ex_libs;
+            push @ex_libs, '/nodefaultlib coredll.lib corelibc.lib'
+                if (env('TARGETCPU') =~ /^X86|^ARMV4[IT]/);
+            return join(" ", @ex_libs);
         }),
     },
 

deps/openssl/openssl/Configurations/windows-makefile.tmpl

@@ -211,8 +211,8 @@ CNF_CPPFLAGS={- our $cppfags2 =
                     join(' ', $target{cppflags} || (),
                               (map { '-D'.quotify1($_) } @{$target{defines}},
                                                          @{$config{defines}}),
-                              (map { '-I'.quotify1($_) } @{$target{includes}},
-                                                         @{$config{includes}}),
+                              (map { '-I'.'"'.$_.'"' } @{$target{includes}},
+                                                       @{$config{includes}}),
                               @{$config{cppflags}}) -}
 CNF_CFLAGS={- join(' ', $target{cflags} || (),
                         @{$config{cflags}}) -}

deps/openssl/openssl/Configure

@@ -217,12 +217,22 @@ sub resolve_config;
 # Unified build supports separate build dir
 my $srcdir = catdir(absolutedir(dirname($0))); # catdir ensures local syntax
 my $blddir = catdir(absolutedir("."));         # catdir ensures local syntax
+
+# File::Spec::Unix doesn't detect case insensitivity, so we make sure to
+# check if the source and build directory are really the same, and make
+# them so.  This avoids all kinds of confusion later on.
+# We must check @File::Spec::ISA rather than using File::Spec->isa() to
+# know if File::Spec ended up loading File::Spec::Unix.
+$srcdir = $blddir
+    if (grep(/::Unix$/, @File::Spec::ISA)
+        && samedir($srcdir, $blddir));
+
 my $dofile = abs2rel(catfile($srcdir, "util/dofile.pl"));
 
 my $local_config_envname = 'OPENSSL_LOCAL_CONFIG_DIR';
 
-$config{sourcedir} = abs2rel($srcdir);
-$config{builddir} = abs2rel($blddir);
+$config{sourcedir} = abs2rel($srcdir, $blddir);
+$config{builddir} = abs2rel($blddir, $blddir);
 
 # Collect reconfiguration information if needed
 my @argvcopy=@ARGV;
@@ -391,7 +401,6 @@ my @disablables = (
     "poly1305",
     "posix-io",
     "psk",
-    "quic",
     "rc2",
     "rc4",
     "rc5",
@@ -508,8 +517,6 @@ my @disable_cascades = (
     sub { !$disabled{"unit-test"} } => [ "heartbeats" ],
 
     sub { !$disabled{"msan"} } => [ "asm" ],
-
-    "tls1_3"            => [ "quic" ],
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
@@ -1052,6 +1059,9 @@ if (scalar(@seed_sources) == 0) {
     print "Using os-specific seed configuration\n";
     push @seed_sources, 'os';
 }
+if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
+    delete $disabled{'egd'};
+}
 if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
     die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
     warn <<_____ if scalar(@seed_sources) == 1;
@@ -3427,6 +3437,27 @@ sub absolutedir {
     return realpath($dir);
 }
 
+# Check if all paths are one and the same, using stat.  They must both exist
+# We need this for the cases when File::Spec doesn't detect case insensitivity
+# (File::Spec::Unix assumes case sensitivity)
+sub samedir {
+    die "samedir expects two arguments\n" unless scalar @_ == 2;
+
+    my @stat0 = stat($_[0]);    # First argument
+    my @stat1 = stat($_[1]);    # Second argument
+
+    die "Couldn't stat $_[0]" unless @stat0;
+    die "Couldn't stat $_[1]" unless @stat1;
+
+    # Compare device number
+    return 0 unless ($stat0[0] == $stat1[0]);
+    # Compare "inode".  The perl manual recommends comparing as
+    # string rather than as number.
+    return 0 unless ($stat0[1] eq $stat1[1]);
+
+    return 1;                   # All the same
+}
+
 sub quotify {
     my %processors = (
         perl    => sub { my $x = shift;

deps/openssl/openssl/INSTALL

@@ -456,9 +456,6 @@
   no-psk
                    Don't build support for Pre-Shared Key based ciphersuites.
 
-  no-quic
-                   Don't build with support for QUIC.
-
   no-rdrand
                    Don't use hardware RDRAND capabilities.
 

deps/openssl/openssl/NEWS

@@ -5,6 +5,18 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
+
+      o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
+
+  Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
+
+      o Disallow explicit curve parameters in verifications chains when
+        X509_V_FLAG_X509_STRICT is used
+      o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
+        contexts
+      o Oracle Developer Studio will start reporting deprecation warnings
+
   Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
 
       o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)

deps/openssl/openssl/NOTES.ANDROID

@@ -6,8 +6,8 @@
  -------------------
 
  Beside basic tools like perl and make you'll need to download the Android
- NDK. It's available for Linux, Mac OS X and Windows, but only Linux
- version was actually tested. There is no reason to believe that Mac OS X
+ NDK. It's available for Linux, macOS and Windows, but only Linux
+ version was actually tested. There is no reason to believe that macOS
  wouldn't work. And as for Windows, it's unclear which "shell" would be
  suitable, MSYS2 might have best chances. NDK version should play lesser
  role, the goal is to support a range of most recent versions.

deps/openssl/openssl/NOTES.PERL

@@ -109,7 +109,7 @@
 
         $ cpan -f -i Text::Template
 
-    Note: on VMS, you must quote any argument that contains upper case
+    Note: on VMS, you must quote any argument that contains uppercase
     characters, so the lines above would be:
 
         $ cpan -i "Text::Template"

deps/openssl/openssl/NOTES.VMS

@@ -18,7 +18,7 @@
  An ANSI C compiled is needed among other things.  This means that
  VAX C is not and will not be supported.
 
- We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require
+ We have only tested with DEC C (aka HP VMS C / VSI C) and require
  version 7.1 or later.  Compiling with a different ANSI C compiler may
  require some work.
 

deps/openssl/openssl/NOTES.WIN

@@ -12,11 +12,11 @@
  and require --cross-compile-prefix option. While on MSYS[2] it's solved
  rather by placing gcc that produces "MinGW binary" code 1st on $PATH.
  This is customarily source of confusion. "Hosted" applications "live" in
- emulated file system name space with POSIX-y root, mount points, /dev
+ emulated filesystem name space with POSIX-y root, mount points, /dev
  and even /proc. Confusion is intensified by the fact that MSYS2 shell
  (or rather emulated execve(2) call) examines the binary it's about to
  start, and if it's found *not* to be linked with MSYS2 POSIX-y thing,
- command line arguments that look like file names get translated from
+ command line arguments that look like filenames get translated from
  emulated name space to "native". For example '/c/some/where' becomes
  'c:\some\where', '/dev/null' - 'nul'. This creates an illusion that
  there is no difference between MSYS2 shell and "MinGW binary", but
@@ -26,7 +26,7 @@
  it's referred to in quotes here, as "MinGW binary", it's just as
  "native" as it can get.)
 
- Visual C++ builds, a.k.a. VC-*
+ Visual C++ builds, aka VC-*
  ==============================
 
  Requirement details
@@ -47,7 +47,7 @@
    the other hand oldest one is known not to work. Everything between
    falls into best-effort category.
 
- - Netwide Assembler, a.k.a. NASM, available from https://www.nasm.us,
+ - Netwide Assembler, aka NASM, available from https://www.nasm.us,
    is required. Note that NASM is the only supported assembler. Even
    though Microsoft provided assembler is NOT supported, contemporary
    64-bit version is exercised through continuous integration of
@@ -132,7 +132,7 @@
  If you link with static OpenSSL libraries then you're expected to
  additionally link your application with WS2_32.LIB, GDI32.LIB,
  ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those developing
- non-interactive service applications might feel concerned about
+ noninteractive service applications might feel concerned about
  linking with GDI32.LIB and USER32.LIB, as they are justly associated
  with interactive desktop, which is not available to service
  processes. The toolkit is designed to detect in which context it's

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1g 21 Apr 2020
+ OpenSSL 1.1.1i 8 Dec 2020
 
  Copyright (c) 1998-2020 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

deps/openssl/openssl/apps/ca.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1862,8 +1862,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     row[DB_exp_date][tm->length] = '\0';
     row[DB_rev_date] = NULL;
     row[DB_file] = OPENSSL_strdup("unknown");
-    if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
-        (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
+    if ((row[DB_type] == NULL) || (row[DB_file] == NULL)
+        || (row[DB_name] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto end;
     }

deps/openssl/openssl/apps/cms.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -545,9 +545,11 @@ int cms_main(int argc, char **argv)
             if (key_param == NULL || key_param->idx != keyidx) {
                 cms_key_param *nparam;
                 nparam = app_malloc(sizeof(*nparam), "key param buffer");
-                nparam->idx = keyidx;
-                if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
+                if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
+                    OPENSSL_free(nparam);
                     goto end;
+                }
+                nparam->idx = keyidx;
                 nparam->next = NULL;
                 if (key_first == NULL)
                     key_first = nparam;