deps: upgrade openssl sources to 1.0.2p

This replaces all sources of openssl-1.0.2p.tar.gz into
deps/openssl/openssl

PR-URL: #22320
Reviewed-By: Rod Vagg <rod@vagg.org>

Author: shigeki

deps/openssl/openssl/CHANGES

@@ -7,6 +7,64 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
+
+  *) Client DoS due to large DH parameter
+
+     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+     malicious server can send a very large prime value to the client. This will
+     cause the client to spend an unreasonably long period of time generating a
+     key for this prime resulting in a hang until the client has finished. This
+     could be exploited in a Denial Of Service attack.
+
+     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+     (CVE-2018-0732)
+     [Guido Vranken]
+
+  *) Cache timing vulnerability in RSA Key Generation
+
+     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+     a cache timing side channel attack. An attacker with sufficient access to
+     mount cache timing attacks during the RSA key generation process could
+     recover the private key.
+
+     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+     (CVE-2018-0737)
+     [Billy Brumley]
+
+  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
+     parameter is no longer accepted, as it leads to a corrupt table.  NULL
+     pem_str is reserved for alias entries only.
+     [Richard Levitte]
+
+  *) Revert blinding in ECDSA sign and instead make problematic addition
+     length-invariant. Switch even to fixed-length Montgomery multiplication.
+     [Andy Polyakov]
+
+  *) Change generating and checking of primes so that the error rate of not
+     being prime depends on the intended use based on the size of the input.
+     For larger primes this will result in more rounds of Miller-Rabin.
+     The maximal error rate for primes with more than 1080 bits is lowered
+     to 2^-128.
+     [Kurt Roeckx, Annie Yousar]
+
+  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+     [Kurt Roeckx]
+
+  *) Add blinding to ECDSA and DSA signatures to protect against side channel
+     attacks discovered by Keegan Ryan (NCC Group).
+     [Matt Caswell]
+
+  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+     now allow empty (zero character) pass phrases.
+     [Richard Levitte]
+
+  *) Certificate time validation (X509_cmp_time) enforces stricter
+     compliance with RFC 5280. Fractional seconds and timezone offsets
+     are no longer allowed.
+     [Emilia Käsper]
+
  Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
 
   *) Constructed ASN.1 types with a recursive definition could exceed the stack

deps/openssl/openssl/CONTRIBUTING

@@ -1,26 +1,26 @@
-HOW TO CONTRIBUTE PATCHES TO OpenSSL
-------------------------------------
+HOW TO CONTRIBUTE TO OpenSSL
+----------------------------
 
 (Please visit https://www.openssl.org/community/getting-started.html for
 other ideas about how to contribute.)
 
-Development is coordinated on the openssl-dev mailing list (see the
-above link or https://mta.openssl.org for information on subscribing).
-If you are unsure as to whether a feature will be useful for the general
-OpenSSL community you might want to discuss it on the openssl-dev mailing
-list first.  Someone may be already working on the same thing or there
-may be a good reason as to why that feature isn't implemented.
+Development is done on GitHub, https://github.com/openssl/openssl.
 
-To submit a patch, make a pull request on GitHub.  If you think the patch
-could use feedback from the community, please start a thread on openssl-dev
-to discuss it.
+To request new features or report bugs, please open an issue on GitHub
 
-Having addressed the following items before the PR will help make the
-acceptance and review process faster:
+To submit a patch, please open a pull request on GitHub.  If you are thinking
+of making a large contribution, open an issue for it before starting work,
+to get comments from the community.  Someone may be already working on
+the same thing or there may be reasons why that feature isn't implemented.
 
-    1. Anything other than trivial contributions will require a contributor
-    licensing agreement, giving us permission to use your code. See
-    https://www.openssl.org/policies/cla.html for details.
+To make it easier to review and accept your pull request, please follow these
+guidelines:
+
+    1. Anything other than a trivial contribution requires a Contributor
+    License Agreement (CLA), giving us permission to use your code. See
+    https://www.openssl.org/policies/cla.html for details.  If your
+    contribution is too small to require a CLA, put "CLA: trivial" on a
+    line by itself in your commit message body.
 
     2.  All source files should start with the following text (with
     appropriate comment characters at the start of each line and the
@@ -34,21 +34,21 @@ acceptance and review process faster:
         https://www.openssl.org/source/license.html
 
     3.  Patches should be as current as possible; expect to have to rebase
-    often. We do not accept merge commits; You will be asked to remove
-    them before a patch is considered acceptable.
+    often. We do not accept merge commits, you will have to remove them
+    (usually by rebasing) before it will be acceptable.
 
     4.  Patches should follow our coding style (see
-    https://www.openssl.org/policies/codingstyle.html) and compile without
-    warnings. Where gcc or clang is availble you should use the
+    https://www.openssl.org/policies/codingstyle.html) and compile
+    without warnings. Where gcc or clang is available you should use the
     --strict-warnings Configure option.  OpenSSL compiles on many varied
-    platforms: try to ensure you only use portable features.
-    Clean builds via Travis and AppVeyor are expected, and done whenever
-    a PR is created or updated.
+    platforms: try to ensure you only use portable features.  Clean builds
+    via Travis and AppVeyor are required, and they are started automatically
+    whenever a PR is created or updated.
 
     5.  When at all possible, patches should include tests. These can
     either be added to an existing test, or completely new.  Please see
     test/README for information on the test framework.
 
     6.  New features or changed functionality must include
-    documentation. Please look at the "pod" files in doc/apps, doc/crypto
-    and doc/ssl for examples of our style.
+    documentation. Please look at the "pod" files in doc for
+    examples of our style.