Comparing changes

base repository: nodejs/node
base: v8.13.0
head repository: nodejs/node
compare: v8.14.0

  • 13 commits
  • 85 files changed
  • 7 contributors

Commits on Nov 20, 2018

  1. Working on v8.13.1

    PR-URL: #23974

    MylesBorins committed Nov 20, 2018
    ebe617e

Commits on Nov 24, 2018

  1. deps: upgrade openssl sources to 1.0.2q

    This updates all sources in deps/openssl/openssl with openssl-1.0.2q.

    PR-URL: #24530
    Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Rod Vagg <rod@vagg.org>

    sam-github authored and rvagg committed Nov 24, 2018
    f5b3433
  2. deps: copy all openssl header files to include dir

    All symlink files in `deps/openssl/openssl/include/openssl/` are removed
    and replaced with real header files to avoid issues on Windows. Two
    files of opensslconf.h in crypto and include dir are replaced to refer
    config/opensslconf.h.

    Header files were generated by:

      $ cd deps/openssl
      $ mkdir -p openssl/include/openssl
      $ tar xf .../openssl-1.02q.tar.gz
      $ cd openssl-1.02q
      $ ./config
      $ cd include/openssl
      $ sed -i '' *.h
      $ cp *.h ../../../openssl/include/openssl/

    PR-URL: #24530
    Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Rod Vagg <rod@vagg.org>

    sam-github authored and rvagg committed Nov 24, 2018
    69037ad
  3. deps: fix openssl assembly error on ia32 win32

    `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
    perhaps others) are requiring .686.

    Fixes: #589
    PR-URL: #1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

    indutny authored and rvagg committed Nov 24, 2018
    f1d1f12
  4. deps: fix asm build error of openssl in x86_win32

    See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

    iojs needs to stop using masm and move to nasm or yasm on Win32.

    Fixes: #589
    PR-URL: #1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

    Shigeki Ohtsu authored and rvagg committed Nov 24, 2018
    c4e382c
  5. openssl: fix keypress requirement in apps on win32

    Reapply b910613.

    Fixes: #589
    PR-URL: #1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

    Shigeki Ohtsu authored and rvagg committed Nov 24, 2018
    7f362a1
  6. deps: add -no_rand_screen to openssl s_client

    In openssl s_client on Windows, RAND_screen() is invoked to initialize
    random state but it takes several seconds in each connection.
    This added -no_rand_screen to openssl s_client on Windows to skip
    RAND_screen() and gets a better performance in the unit test of
    test-tls-server-verify.

    Do not enable this except to use in the unit test.

    Fixes: #1461
    PR-URL: #1836
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

    Shigeki Ohtsu authored and rvagg committed Nov 24, 2018
    add20f3

Commits on Nov 27, 2018

  1. deps,http: http_parser set max header size to 8KB

    CVE-2018-12121

    PR-URL: nodejs-private/node-private#143
    Ref: nodejs-private/security#139
    Ref: nodejs-private/http-parser-private#2
    Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rod Vagg <rod@vagg.org>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>

    mcollina authored and rvagg committed Nov 27, 2018
    93dba83
  2. http,https: protect against slow headers attack

    CVE-2018-12122

    An attacker can send a char/s within headers and exhaust the resources
    (file descriptors) of a system even with a tight max header length
    protection. This PR destroys a socket if it has not received the headers
    in 40s.

    PR-URL: nodejs-private/node-private#151
    Ref: nodejs-private/node-private#144
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>

    mcollina authored and rvagg committed Nov 27, 2018
    696f063
  3. url: avoid hostname spoofing w/ javascript protocol

    CVE-2018-12123

    Fixes: nodejs-private/security#205
    PR-URL: nodejs-private/node-private#145
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>

    mcollina authored and rvagg committed Nov 27, 2018
    53a6e4e
  4. http: disallow two-byte characters in URL path

    CVE-2018-12116

    Backport of b961d9f to 8.x

    Original commit:

      This commit changes node's handling of two-byte characters in
      the path component of an http URL. Previously, node would just
      strip the higher byte when generating the request. So this code:

      ```
      http.request({host: "example.com", port: "80", "/N"})
      ```

      would request `http://example.com/.`
      (`.` is the character for the byte `0x2e`).

      This is not useful and can in some cases lead to filter evasion.
      With this change, the code generates `ERR_UNESCAPED_CHARACTERS`,
      just like space and control characters already did.

      PR-URL: #16237
      Reviewed-By: James M Snell <jasnell@gmail.com>
      Reviewed-By: Anna Henningsen <anna@addaleax.net>
      Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
      Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
      Reviewed-By: Timothy Gu <timothygu99@gmail.com>

    PR-URL: nodejs-private/node-private#146
    Fixes: nodejs-private/security#207
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Timothy Gu <timothygu99@gmail.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

    bennofs authored and rvagg committed Nov 27, 2018
    513e974
  5. http: add --security-revert for CVE-2018-12116

    PR-URL: nodejs-private/node-private#146
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Timothy Gu <timothygu99@gmail.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

    mcollina authored and rvagg committed Nov 27, 2018
    576038f
  6. 2018-11-27, Version 8.14.0 'Carbon' (LTS)

    This is a security release. All Node.js users should consult the security
    release summary at:

    https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

    for details on patched vulnerabilities.

    Fixes for the following CVEs are included in this release:

      * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
      * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
      * Node.js: Hostname spoofing in URL parser for javascript protocol
        (CVE-2018-12123)
      * Node.js: HTTP request splitting (CVE-2018-12116)
      * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
      * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
        (CVE-2018-5407)

    Notable Changes:

    * deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
    * http:
      * Headers received by HTTP servers must not exceed 8192 bytes in total to
        prevent possible Denial of Service attacks. Reported by Trevor Norris.
        (CVE-2018-12121 / Matteo Collina)
      * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
        value can be adjusted with `server.headersTimeout`. Where headers are not
        completely received within this period, the socket is destroyed on the next
        received chunk. In conjunction with `server.setTimeout()`, this aids in
        protecting against excessive resource retention and possible Denial of
        Service. Reported by Jan Maybach (liebdich.com).
      * Two-byte characters are now strictly disallowed for the `path` option in
        HTTP client requests. Paths containing characters outside of the range
        `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
        can be reverted if necessary by supplying the
        `--security-revert=CVE-2018-12116` command line argument (this is not
        recommended). Reported as security concern for Node.js 6 and 8 by
        Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
        Fünfstück applied to Node.js 10 and later.
        (CVE-2018-12116 / Matteo Collina)
    * url: Fix a bug that would allow a hostname being spoofed when parsing URLs
      with `url.parse()` with the `'`… (CVE-2018-12123 / Matteo Collina)

    PR-URL: nodejs-private/node-private#154

    rvagg committed Nov 27, 2018
    39716a8
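
The high-byte truncation described in the CVE-2018-12116 backport and the path rule stated in the 8.14.0 release notes, as an added example that is not code from the Node.js repository. `wireBytes`, `assertSafePath` and `audit` are hypothetical names, the sample paths are constructed, and U+FF2E is an assumed character chosen because its low byte is `0x2e`.

```javascript
// Range stated in the 8.14.0 release notes: every path character must lie in
// \u0021 - \u00ff. Anything else is rejected before a request line is built.
const INVALID_PATH_CHAR = /[^\u0021-\u00ff]/;

// What a single-byte (latin1) write puts on the wire: each UTF-16 code unit
// is reduced to its low byte, which is the truncation the commit describes.
function wireBytes(path) {
  return Buffer.from(path, 'latin1');
}

// Hypothetical guard mirroring the documented behaviour: TypeError on any
// character outside the allowed range, otherwise the path is returned as-is.
function assertSafePath(path) {
  const m = INVALID_PATH_CHAR.exec(path);
  if (m) {
    const cp = m[0].charCodeAt(0).toString(16).padStart(4, '0').toUpperCase();
    throw new TypeError(
      `Request path contains unescaped character U+${cp} at index ${m.index}`);
  }
  return path;
}

// For each path, report the bytes a truncating writer would have sent and
// whether the guard accepts the path.
function audit(paths) {
  return paths.map((p) => {
    let accepted = true;
    try { assertSafePath(p); } catch (e) { accepted = false; }
    return { path: p, sentAs: wireBytes(p).toString('latin1'), accepted };
  });
}

// Constructed samples: plain ASCII, a one-byte latin1 character (allowed),
// a two-byte character whose low byte is 0x2e, and a space (below \u0021).
const samples = ['/index.html', '/caf\u00e9', '/\uff2e', '/a b'];
for (const row of audit(samples)) {
  console.log(JSON.stringify(row));
}
```

A filter that inspects the JavaScript string sees `/\uff2e`, while a truncating writer emits `/.`; rejecting the path before encoding removes that mismatch.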