deps: upgrade openssl sources to 1.0.2l

This replaces all sources of openssl-1.0.2l.tar.gz into
deps/openssl/openssl

Fixes: https://github.com/nodejs/node/issues/13161
PR-URL: https://github.com/nodejs/node/pull/13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

12 files changed, 135 insertions, 22 deletions

diff --git a/deps/openssl/openssl/doc/apps/ciphers.pod b/deps/openssl/openssl/doc/apps/ciphers.pod
index 9224557255..35d40bbf27 100644
--- a/deps/openssl/openssl/doc/apps/ciphers.pod
+++ b/deps/openssl/openssl/doc/apps/ciphers.pod
@@ -179,7 +179,8 @@ When in doubt, include B<!aNULL> in your cipherlist.
 
 =item B<kRSA>, B<RSA>
 
-cipher suites using RSA key exchange.
+cipher suites using RSA key exchange or authentication. B<RSA> is an alias for
+B<kRSA>.
 
 =item B<kDHr>, B<kDHd>, B<kDH>
 
diff --git a/deps/openssl/openssl/doc/apps/config.pod b/deps/openssl/openssl/doc/apps/config.pod
index e12591528c..3f607d3b5f 100644
--- a/deps/openssl/openssl/doc/apps/config.pod
+++ b/deps/openssl/openssl/doc/apps/config.pod
@@ -47,7 +47,8 @@ or B<${section::name}>. By using the form B<$ENV::name> environment
 variables can be substituted. It is also possible to assign values to
 environment variables by using the name B<ENV::name>, this will work
 if the program looks up environment variables using the B<CONF> library
-instead of calling B<getenv()> directly.
+instead of calling B<getenv()> directly. The value string must not exceed 64k in
+length after variable expansion. Otherwise an error will occur.
 
 It is possible to escape certain characters by using any kind of quote
 or the B<\> character. By making the last character of a line a B<\>
diff --git a/deps/openssl/openssl/doc/apps/genrsa.pod b/deps/openssl/openssl/doc/apps/genrsa.pod
index 3dc9870f34..f4ed9593ae 100644
--- a/deps/openssl/openssl/doc/apps/genrsa.pod
+++ b/deps/openssl/openssl/doc/apps/genrsa.pod
@@ -7,11 +7,15 @@ genrsa - generate an RSA private key
 =head1 SYNOPSIS
 
 B<openssl> B<genrsa>
+[B<-help>]
 [B<-out filename>]
 [B<-passout arg>]
 [B<-aes128>]
 [B<-aes192>]
 [B<-aes256>]
+[B<-aria128>]
+[B<-aria192>]
+[B<-aria256>]
 [B<-camellia128>]
 [B<-camellia192>]
 [B<-camellia256>]
@@ -32,17 +36,21 @@ The B<genrsa> command generates an RSA private key.
 
 =over 4
 
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-out filename>
 
-the output filename. If this argument is not specified then standard output is
-used.  
+Output the key to the specified file. If this argument is not specified then
+standard output is used.
 
 =item B<-passout arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
-=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
+=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
 These options encrypt the private key with specified
 cipher before outputting it. If none of these options is
@@ -56,8 +64,8 @@ the public exponent to use, either 65537 or 3. The default is 65537.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
-Multiple files can be specified separated by a OS-dependent character.
+generator, or an EGD socket (see L<RAND_egd(3)>).
+Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
 
@@ -71,7 +79,7 @@ for all available algorithms.
 =item B<numbits>
 
 the size of the private key to generate in bits. This must be the last option
-specified. The default is 512.
+specified. The default is 2048.
 
 =back
 
@@ -96,7 +104,15 @@ be much larger (typically 1024 bits).
 
 =head1 SEE ALSO
 
-L<gendsa(1)|gendsa(1)>
+L<gendsa(1)>
 
-=cut
+=head1 COPYRIGHT
 
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/deps/openssl/openssl/doc/apps/req.pod b/deps/openssl/openssl/doc/apps/req.pod
index 30653e5093..1682ba5143 100644
--- a/deps/openssl/openssl/doc/apps/req.pod
+++ b/deps/openssl/openssl/doc/apps/req.pod
@@ -237,6 +237,9 @@ a self signed root CA. The extensions added to the certificate
 using the B<set_serial> option, a large random number will be used for
 the serial number.
 
+If existing request is specified with the B<-in> option, it is converted
+to the self signed certificate otherwise new request is created.
+
 =item B<-days n>
 
 when the B<-x509> option is being used this specifies the number of
diff --git a/deps/openssl/openssl/doc/apps/s_client.pod b/deps/openssl/openssl/doc/apps/s_client.pod
index 29675dd213..b45acbc5e3 100644
--- a/deps/openssl/openssl/doc/apps/s_client.pod
+++ b/deps/openssl/openssl/doc/apps/s_client.pod
@@ -42,6 +42,8 @@ B<openssl> B<s_client>
 [B<-no_tls1_2>]
 [B<-fallback_scsv>]
 [B<-bugs>]
+[B<-sigalgs sigalglist>]
+[B<-curves curvelist>]
 [B<-cipher cipherlist>]
 [B<-serverpref>]
 [B<-starttls protocol>]
@@ -217,6 +219,19 @@ Send TLS_FALLBACK_SCSV in the ClientHello.
 there are several known bug in SSL and TLS implementations. Adding this
 option enables various workarounds.
 
+=item B<-sigalgs sigalglist>
+
+Specifies the list of signature algorithms that are sent by the client.
+The server selects one entry in the list based on its preferences.
+For example strings, see L<SSL_CTX_set1_sigalgs(3)>
+
+=item B<-curves curvelist>
+
+Specifies the list of supported curves to be sent by the client. The curve is
+is ultimately selected by the server. For a list of all curves, use:
+
+    $ openssl ecparam -list_curves
+
 =item B<-cipher cipherlist>
 
 this allows the cipher list sent by the client to be modified. Although
diff --git a/deps/openssl/openssl/doc/apps/s_server.pod b/deps/openssl/openssl/doc/apps/s_server.pod
index fa17488d91..1fe93ddfbe 100644
--- a/deps/openssl/openssl/doc/apps/s_server.pod
+++ b/deps/openssl/openssl/doc/apps/s_server.pod
@@ -35,6 +35,8 @@ B<openssl> B<s_server>
 [B<-CAfile filename>]
 [B<-no_alt_chains>]
 [B<-nocert>]
+[B<-client_sigalgs sigalglist>]
+[B<-named_curve curve>]
 [B<-cipher cipherlist>]
 [B<-serverpref>]
 [B<-quiet>]
@@ -234,6 +236,18 @@ option enables various workarounds.
 this option enables a further workaround for some some early Netscape
 SSL code (?).
 
+=item B<-client_sigalgs sigalglist>
+
+Signature algorithms to support for client certificate authentication
+(colon-separated list)
+
+=item B<-named_curve curve>
+
+Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
+For a list of all possible curves, use:
+
+    $ openssl ecparam -list_curves
+
 =item B<-cipher cipherlist>
 
 this allows the cipher list used by the server to be modified.  When
diff --git a/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod b/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod
index d9513338d8..0c0a30c1ff 100644
--- a/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod
+++ b/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod
@@ -19,14 +19,17 @@ EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
 EVP_CIPHER_CTX_set_padding,  EVP_enc_null, EVP_des_cbc, EVP_des_ecb,
 EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb,
 EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb,
-EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc,
-EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc,
+EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5,
+EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_rc2_cbc,
 EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc,
 EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc,
 EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_rc5_32_12_16_cbc,
 EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ofb, 
 EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm,
-EVP_aes_192_ccm, EVP_aes_256_ccm - EVP cipher routines
+EVP_aes_192_ccm, EVP_aes_256_ccm,
+EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1,
+EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256
+- EVP cipher routines
 
 =head1 SYNOPSIS
 
@@ -395,8 +398,6 @@ Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal
 when decrypting data and must be made B<before> any data is processed (e.g.
 before any EVP_DecryptUpdate() call). 
 
-See L<EXAMPLES> below for an example of the use of GCM mode.
-
 =head1 CCM Mode
 
 The behaviour of CCM mode ciphers is similar to CCM mode but with a few
diff --git a/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod b/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod
index 746a80c79e..3e1f895c5a 100644
--- a/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod
+++ b/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod
@@ -8,10 +8,10 @@ RSA_private_encrypt, RSA_public_decrypt - low level signature operations
 
  #include <openssl/rsa.h>
 
- int RSA_private_encrypt(int flen, unsigned char *from,
+ int RSA_private_encrypt(int flen, const unsigned char *from,
     unsigned char *to, RSA *rsa, int padding);
 
- int RSA_public_decrypt(int flen, unsigned char *from, 
+ int RSA_public_decrypt(int flen, const unsigned char *from,
     unsigned char *to, RSA *rsa, int padding);
 
 =head1 DESCRIPTION
diff --git a/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod b/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod
index ab0fe3b2cd..0541f348b3 100644
--- a/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod
+++ b/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod
@@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
 
  #include <openssl/rsa.h>
 
- int RSA_public_encrypt(int flen, unsigned char *from,
+ int RSA_public_encrypt(int flen, const unsigned char *from,
     unsigned char *to, RSA *rsa, int padding);
 
- int RSA_private_decrypt(int flen, unsigned char *from,
+ int RSA_private_decrypt(int flen, const unsigned char *from,
      unsigned char *to, RSA *rsa, int padding);
 
 =head1 DESCRIPTION
diff --git a/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod b/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
index eb38b0a109..1aee117268 100644
--- a/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
+++ b/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
@@ -41,7 +41,7 @@ is no longer valid.
 X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
 It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
 good for one call to X509_verify_cert(); if you want to verify a second
-certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
+certificate with the same B<ctx> then you must call X509_STORE_CTX_cleanup()
 and then X509_STORE_CTX_init() again before the second call to
 X509_verify_cert(). The trusted certificate store is set to B<store>, the end
 entity certificate to be verified is set to B<x509> and a set of additional
diff --git a/deps/openssl/openssl/doc/crypto/des.pod b/deps/openssl/openssl/doc/crypto/des.pod
index e1add56b5e..339617aab0 100644
--- a/deps/openssl/openssl/doc/crypto/des.pod
+++ b/deps/openssl/openssl/doc/crypto/des.pod
@@ -123,7 +123,7 @@ architecture dependent I<DES_key_schedule> via the
 DES_set_key_checked() or DES_set_key_unchecked() function.
 
 DES_set_key_checked() will check that the key passed is of odd parity
-and is not a week or semi-weak key.  If the parity is wrong, then -1
+and is not a weak or semi-weak key.  If the parity is wrong, then -1
 is returned.  If the key is a weak key, then -2 is returned.  If an
 error is returned, the key schedule is not generated.
 
diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
new file mode 100644
index 0000000000..3b0a50956d
--- /dev/null
+++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg,
+SSL_get_servername_type, SSL_get_servername - handle server name indication
+(SNI)
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx,
+                                   int (*cb)(SSL *, int *, void *));
+ long SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
+
+ const char *SSL_get_servername(const SSL *s, const int type);
+ int SSL_get_servername_type(const SSL *s);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_tlsext_servername_callback() sets the application callback B<cb>
+used by a server to perform any actions or configuration required based on
+the servername extension received in the incoming connection. When B<cb>
+is NULL, SNI is not used. The B<arg> value is a pointer which is passed to
+the application callback.
+
+SSL_CTX_set_tlsext_servername_arg() sets a context-specific argument to be
+passed into the callback for this B<SSL_CTX>.
+
+SSL_get_servername() returns a servername extension value of the specified
+type if provided in the Client Hello or NULL.
+
+SSL_get_servername_type() returns the servername type or -1 if no servername
+is present. Currently the only supported type (defined in RFC3546) is
+B<TLSEXT_NAMETYPE_host_name>.
+
+=head1 NOTES
+
+The ALPN and SNI callbacks are both executed during Client Hello processing.
+The servername callback is executed first, followed by the ALPN callback.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_tlsext_servername_callback() and
+SSL_CTX_set_tlsext_servername_arg() both always return 1 indicating success.
+
+=head1 SEE ALSO
+
+L<ssl(7)>, L<SSL_CTX_set_alpn_select_cb(3)>,
+L<SSL_get0_alpn_selected(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut