File openssl_1_0_2r.patch of Package nodejs4

From 661fd61c3aa957bcdef64d8fa9f25cae6107d550 Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Wed, 27 Feb 2019 01:05:20 +0900
Subject: [PATCH] deps: copy all openssl header files to include dir

All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.


From da1228423537c6a7c6cfd5f35b2642ff0a15c03c Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Wed, 27 Feb 2019 01:00:10 +0900
Subject: [PATCH] deps: upgrade openssl sources to 1.0.2r

This replaces all sources of openssl-1.0.2r.tar.gz into
deps/openssl/openssl
---
 deps/openssl/openssl/CHANGES                  |   27 +
 deps/openssl/openssl/Makefile                 |    4 +-
 deps/openssl/openssl/Makefile.bak             |  692 ---
 deps/openssl/openssl/Makefile.org             |    2 +-
 deps/openssl/openssl/NEWS                     |    4 +
 deps/openssl/openssl/README                   |    2 +-
 deps/openssl/openssl/apps/CA.pl.bak           |  188 -
 deps/openssl/openssl/apps/app_rand.c          |   11 +-
 deps/openssl/openssl/apps/s_client.c          |   31 +-
 deps/openssl/openssl/crypto/asn1/ameth_lib.c  |   27 +-
 deps/openssl/openssl/crypto/bio/bss_file.c    |   11 +-
 deps/openssl/openssl/crypto/bn/bn_ctx.c       |    4 +-
 deps/openssl/openssl/crypto/bn/bn_lib.c       |    3 +
 deps/openssl/openssl/crypto/bn/bntest.c       |  101 +
 .../openssl/crypto/constant_time_locl.h       |    6 +
 deps/openssl/openssl/crypto/ec/ec_ameth.c     |    2 +-
 deps/openssl/openssl/crypto/err/Makefile      |    2 +-
 deps/openssl/openssl/crypto/err/err.c         |   38 +
 deps/openssl/openssl/crypto/evp/evp.h         |    2 +
 deps/openssl/openssl/crypto/evp/evp_enc.c     |   40 +-
 deps/openssl/openssl/crypto/evp/evp_err.c     |    4 +-
 deps/openssl/openssl/crypto/evp/evp_test.c    |    4 +-
 deps/openssl/openssl/crypto/opensslconf.h     |  271 +-
 deps/openssl/openssl/crypto/opensslconf.h.bak |  265 --
 deps/openssl/openssl/crypto/opensslv.h        |    6 +-
 .../openssl/openssl/crypto/perlasm/x86masm.pl |   14 +-
 deps/openssl/openssl/crypto/rsa/Makefile      |    6 +-
 deps/openssl/openssl/crypto/rsa/rsa_eay.c     |   15 +-
 deps/openssl/openssl/crypto/rsa/rsa_oaep.c    |   96 +-
 deps/openssl/openssl/crypto/rsa/rsa_pk1.c     |   98 +-
 deps/openssl/openssl/crypto/rsa/rsa_ssl.c     |  134 +-
 deps/openssl/openssl/doc/apps/ca.pod          |    2 +-
 .../openssl/doc/crypto/PKCS12_parse.pod       |    3 +-
 .../crypto/RSA_padding_add_PKCS1_type_1.pod   |    7 +-
 .../doc/crypto/X509_NAME_ENTRY_get_object.pod |    3 -
 .../doc/{man3 => crypto}/X509_cmp_time.pod    |    2 +-
 .../openssl/openssl/doc/ssl/SSL_get_error.pod |   13 +-
 deps/openssl/openssl/doc/ssl/SSL_shutdown.pod |    4 +
 deps/openssl/openssl/include/openssl/aes.h    |  149 -
 deps/openssl/openssl/include/openssl/asn1.h   | 1424 ------
 .../openssl/include/openssl/asn1_mac.h        |  579 ---
 deps/openssl/openssl/include/openssl/asn1t.h  |  973 ----
 deps/openssl/openssl/include/openssl/bio.h    |  883 ----
 .../openssl/include/openssl/blowfish.h        |  130 -
 deps/openssl/openssl/include/openssl/bn.h     | 1015 ----
 deps/openssl/openssl/include/openssl/buffer.h |  125 -
 .../openssl/include/openssl/camellia.h        |  132 -
 deps/openssl/openssl/include/openssl/cast.h   |  107 -
 deps/openssl/openssl/include/openssl/cmac.h   |   82 -
 deps/openssl/openssl/include/openssl/cms.h    |  555 ---
 deps/openssl/openssl/include/openssl/comp.h   |   83 -
 deps/openssl/openssl/include/openssl/conf.h   |  268 --
 .../openssl/include/openssl/conf_api.h        |   89 -
 deps/openssl/openssl/include/openssl/crypto.h |  661 ---
 deps/openssl/openssl/include/openssl/des.h    |  257 -
 .../openssl/openssl/include/openssl/des_old.h |  497 --
 deps/openssl/openssl/include/openssl/dh.h     |  412 --
 deps/openssl/openssl/include/openssl/dsa.h    |  335 --
 deps/openssl/openssl/include/openssl/dso.h    |  451 --
 deps/openssl/openssl/include/openssl/dtls1.h  |  272 --
 deps/openssl/openssl/include/openssl/e_os2.h  |  328 --
 deps/openssl/openssl/include/openssl/ebcdic.h |   26 -
 deps/openssl/openssl/include/openssl/ec.h     | 1282 -----
 deps/openssl/openssl/include/openssl/ecdh.h   |  134 -
 deps/openssl/openssl/include/openssl/ecdsa.h  |  335 --
 deps/openssl/openssl/include/openssl/engine.h |  960 ----
 deps/openssl/openssl/include/openssl/err.h    |  390 --
 deps/openssl/openssl/include/openssl/evp.h    | 1628 -------
 deps/openssl/openssl/include/openssl/hmac.h   |  109 -
 deps/openssl/openssl/include/openssl/idea.h   |  105 -
 .../openssl/include/openssl/krb5_asn.h        |  240 -
 deps/openssl/openssl/include/openssl/kssl.h   |  197 -
 deps/openssl/openssl/include/openssl/lhash.h  |  240 -
 deps/openssl/openssl/include/openssl/md4.h    |  119 -
 deps/openssl/openssl/include/openssl/md5.h    |  119 -
 deps/openssl/openssl/include/openssl/mdc2.h   |   94 -
 deps/openssl/openssl/include/openssl/modes.h  |  163 -
 .../openssl/openssl/include/openssl/obj_mac.h | 4194 -----------------
 .../openssl/openssl/include/openssl/objects.h | 1143 -----
 deps/openssl/openssl/include/openssl/ocsp.h   |  637 ---
 .../openssl/include/openssl/opensslconf.h     |    1 -
 .../openssl/include/openssl/opensslv.h        |   97 -
 .../openssl/include/openssl/ossl_typ.h        |  213 -
 deps/openssl/openssl/include/openssl/pem.h    |  618 ---
 deps/openssl/openssl/include/openssl/pem2.h   |   70 -
 deps/openssl/openssl/include/openssl/pkcs12.h |  342 --
 deps/openssl/openssl/include/openssl/pkcs7.h  |  481 --
 deps/openssl/openssl/include/openssl/pqueue.h |   99 -
 deps/openssl/openssl/include/openssl/rand.h   |  150 -
 deps/openssl/openssl/include/openssl/rc2.h    |  103 -
 deps/openssl/openssl/include/openssl/rc4.h    |   88 -
 deps/openssl/openssl/include/openssl/ripemd.h |  105 -
 deps/openssl/openssl/include/openssl/rsa.h    |  664 ---
 .../openssl/include/openssl/safestack.h       | 2672 -----------
 deps/openssl/openssl/include/openssl/seed.h   |  149 -
 deps/openssl/openssl/include/openssl/sha.h    |  214 -
 deps/openssl/openssl/include/openssl/srp.h    |  179 -
 deps/openssl/openssl/include/openssl/srtp.h   |  147 -
 deps/openssl/openssl/include/openssl/ssl.h    | 3164 -------------
 deps/openssl/openssl/include/openssl/ssl2.h   |  265 --
 deps/openssl/openssl/include/openssl/ssl23.h  |   84 -
 deps/openssl/openssl/include/openssl/ssl3.h   |  774 ---
 deps/openssl/openssl/include/openssl/stack.h  |  107 -
 .../openssl/include/openssl/symhacks.h        |  518 --
 deps/openssl/openssl/include/openssl/tls1.h   |  810 ----
 deps/openssl/openssl/include/openssl/ts.h     |  865 ----
 deps/openssl/openssl/include/openssl/txt_db.h |  112 -
 deps/openssl/openssl/include/openssl/ui.h     |  415 --
 .../openssl/include/openssl/ui_compat.h       |   88 -
 .../openssl/include/openssl/whrlpool.h        |   41 -
 deps/openssl/openssl/include/openssl/x509.h   | 1330 ------
 .../openssl/include/openssl/x509_vfy.h        |  652 ---
 deps/openssl/openssl/include/openssl/x509v3.h | 1055 -----
 deps/openssl/openssl/openssl.spec             |    2 +-
 deps/openssl/openssl/ssl/d1_pkt.c             |    1 +
 deps/openssl/openssl/ssl/s3_pkt.c             |   10 +-
 deps/openssl/openssl/ssl/t1_lib.c             |   20 +
 deps/openssl/openssl/test/maketests.com       |    1 +
 deps/openssl/openssl/tools/c_rehash.bak       |  209 -
 119 files changed, 813 insertions(+), 40168 deletions(-)
 delete mode 100644 deps/openssl/openssl/Makefile.bak
 delete mode 100644 deps/openssl/openssl/apps/CA.pl.bak
 delete mode 100644 deps/openssl/openssl/crypto/opensslconf.h.bak
 rename deps/openssl/openssl/doc/{man3 => crypto}/X509_cmp_time.pod (93%)
 delete mode 100644 deps/openssl/openssl/include/openssl/aes.h
 delete mode 100644 deps/openssl/openssl/include/openssl/asn1.h
 delete mode 100644 deps/openssl/openssl/include/openssl/asn1_mac.h
 delete mode 100644 deps/openssl/openssl/include/openssl/asn1t.h
 delete mode 100644 deps/openssl/openssl/include/openssl/bio.h
 delete mode 100644 deps/openssl/openssl/include/openssl/blowfish.h
 delete mode 100644 deps/openssl/openssl/include/openssl/bn.h
 delete mode 100644 deps/openssl/openssl/include/openssl/buffer.h
 delete mode 100644 deps/openssl/openssl/include/openssl/camellia.h
 delete mode 100644 deps/openssl/openssl/include/openssl/cast.h
 delete mode 100644 deps/openssl/openssl/include/openssl/cmac.h
 delete mode 100644 deps/openssl/openssl/include/openssl/cms.h
 delete mode 100644 deps/openssl/openssl/include/openssl/comp.h
 delete mode 100644 deps/openssl/openssl/include/openssl/conf.h
 delete mode 100644 deps/openssl/openssl/include/openssl/conf_api.h
 delete mode 100644 deps/openssl/openssl/include/openssl/crypto.h
 delete mode 100644 deps/openssl/openssl/include/openssl/des.h
 delete mode 100644 deps/openssl/openssl/include/openssl/des_old.h
 delete mode 100644 deps/openssl/openssl/include/openssl/dh.h
 delete mode 100644 deps/openssl/openssl/include/openssl/dsa.h
 delete mode 100644 deps/openssl/openssl/include/openssl/dso.h
 delete mode 100644 deps/openssl/openssl/include/openssl/dtls1.h
 delete mode 100644 deps/openssl/openssl/include/openssl/e_os2.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ebcdic.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ec.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ecdh.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ecdsa.h
 delete mode 100644 deps/openssl/openssl/include/openssl/engine.h
 delete mode 100644 deps/openssl/openssl/include/openssl/err.h
 delete mode 100644 deps/openssl/openssl/include/openssl/evp.h
 delete mode 100644 deps/openssl/openssl/include/openssl/hmac.h
 delete mode 100644 deps/openssl/openssl/include/openssl/idea.h
 delete mode 100644 deps/openssl/openssl/include/openssl/krb5_asn.h
 delete mode 100644 deps/openssl/openssl/include/openssl/kssl.h
 delete mode 100644 deps/openssl/openssl/include/openssl/lhash.h
 delete mode 100644 deps/openssl/openssl/include/openssl/md4.h
 delete mode 100644 deps/openssl/openssl/include/openssl/md5.h
 delete mode 100644 deps/openssl/openssl/include/openssl/mdc2.h
 delete mode 100644 deps/openssl/openssl/include/openssl/modes.h
 delete mode 100644 deps/openssl/openssl/include/openssl/obj_mac.h
 delete mode 100644 deps/openssl/openssl/include/openssl/objects.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ocsp.h
 delete mode 100644 deps/openssl/openssl/include/openssl/opensslconf.h
 delete mode 100644 deps/openssl/openssl/include/openssl/opensslv.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ossl_typ.h
 delete mode 100644 deps/openssl/openssl/include/openssl/pem.h
 delete mode 100644 deps/openssl/openssl/include/openssl/pem2.h
 delete mode 100644 deps/openssl/openssl/include/openssl/pkcs12.h
 delete mode 100644 deps/openssl/openssl/include/openssl/pkcs7.h
 delete mode 100644 deps/openssl/openssl/include/openssl/pqueue.h
 delete mode 100644 deps/openssl/openssl/include/openssl/rand.h
 delete mode 100644 deps/openssl/openssl/include/openssl/rc2.h
 delete mode 100644 deps/openssl/openssl/include/openssl/rc4.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ripemd.h
 delete mode 100644 deps/openssl/openssl/include/openssl/rsa.h
 delete mode 100644 deps/openssl/openssl/include/openssl/safestack.h
 delete mode 100644 deps/openssl/openssl/include/openssl/seed.h
 delete mode 100644 deps/openssl/openssl/include/openssl/sha.h
 delete mode 100644 deps/openssl/openssl/include/openssl/srp.h
 delete mode 100644 deps/openssl/openssl/include/openssl/srtp.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ssl.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ssl2.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ssl23.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ssl3.h
 delete mode 100644 deps/openssl/openssl/include/openssl/stack.h
 delete mode 100644 deps/openssl/openssl/include/openssl/symhacks.h
 delete mode 100644 deps/openssl/openssl/include/openssl/tls1.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ts.h
 delete mode 100644 deps/openssl/openssl/include/openssl/txt_db.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ui.h
 delete mode 100644 deps/openssl/openssl/include/openssl/ui_compat.h
 delete mode 100644 deps/openssl/openssl/include/openssl/whrlpool.h
 delete mode 100644 deps/openssl/openssl/include/openssl/x509.h
 delete mode 100644 deps/openssl/openssl/include/openssl/x509_vfy.h
 delete mode 100644 deps/openssl/openssl/include/openssl/x509v3.h
 delete mode 100644 deps/openssl/openssl/tools/c_rehash.bak

Index: node-v4.9.1/deps/openssl/openssl/CHANGES
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/CHANGES
+++ node-v4.9.1/deps/openssl/openssl/CHANGES
@@ -7,6 +7,33 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
+
+  *) 0-byte record padding oracle
+
+     If an application encounters a fatal protocol error and then calls
+     SSL_shutdown() twice (once to send a close_notify, and once to receive one)
+     then OpenSSL can respond differently to the calling application if a 0 byte
+     record is received with invalid padding compared to if a 0 byte record is
+     received with an invalid MAC. If the application then behaves differently
+     based on that in a way that is detectable to the remote peer, then this
+     amounts to a padding oracle that could be used to decrypt data.
+
+     In order for this to be exploitable "non-stitched" ciphersuites must be in
+     use. Stitched ciphersuites are optimised implementations of certain
+     commonly used ciphersuites. Also the application must call SSL_shutdown()
+     twice even if a protocol error has occurred (applications should not do
+     this but some do anyway).
+
+     This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
+     Aviram, with additional investigation by Steven Collison and Andrew
+     Hourselt. It was reported to OpenSSL on 10th December 2018.
+     (CVE-2019-1559)
+     [Matt Caswell]
+
+  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
+     [Richard Levitte]
+
  Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
 
   *) Microarchitecture timing vulnerability in ECC scalar multiplication
Index: node-v4.9.1/deps/openssl/openssl/Makefile
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/Makefile
+++ node-v4.9.1/deps/openssl/openssl/Makefile
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2q
+VERSION=1.0.2r
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0
@@ -521,7 +521,7 @@ $(TARFILE).list:
 	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
 	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
 	       \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
-	       \! -name '.#*' \! -name '*~' \! -type l \
+	       \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
 	    | sort > $(TARFILE).list
 
 tar: $(TARFILE).list
Index: node-v4.9.1/deps/openssl/openssl/Makefile.bak
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/Makefile.bak
+++ /dev/null
@@ -1,692 +0,0 @@
-### Generated automatically from Makefile.org by Configure.
-
-##
-## Makefile for OpenSSL
-##
-
-VERSION=1.0.2q-dev
-MAJOR=1
-MINOR=0.2
-SHLIB_VERSION_NUMBER=1.0.0
-SHLIB_VERSION_HISTORY=
-SHLIB_MAJOR=1
-SHLIB_MINOR=0.0
-SHLIB_EXT=
-PLATFORM=gcc
-OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
-CONFIGURE_ARGS=gcc
-SHLIB_TARGET=
-
-# HERE indicates where this Makefile lives.  This can be used to indicate
-# where sub-Makefiles are expected to be.  Currently has very limited usage,
-# and should probably not be bothered with at all.
-HERE=.
-
-# INSTALL_PREFIX is for package builders so that they can configure
-# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
-# Normally it is left empty.
-INSTALL_PREFIX=
-INSTALLTOP=/usr/local/ssl
-
-# Do not edit this manually. Use Configure --openssldir=DIR do change this!
-OPENSSLDIR=/usr/local/ssl
-
-# NO_IDEA - Define to build without the IDEA algorithm
-# NO_RC4  - Define to build without the RC4 algorithm
-# NO_RC2  - Define to build without the RC2 algorithm
-# THREADS - Define when building with threads, you will probably also need any
-#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
-# TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
-# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
-# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
-# DEVRANDOM - Give this the value of the 'random device' if your OS supports
-#           one.  32 bytes will be read from this when the random
-#           number generator is initalised.
-# SSL_FORBID_ENULL - define if you want the server to be not able to use the
-#           NULL encryption ciphers.
-#
-# LOCK_DEBUG - turns on lots of lock debug output :-)
-# REF_CHECK - turn on some xyz_free() assertions.
-# REF_PRINT - prints some stuff on structure free.
-# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
-# MFUNC - Make all Malloc/Free/Realloc calls call
-#       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
-#       call application defined callbacks via CRYPTO_set_mem_functions()
-# MD5_ASM needs to be defined to use the x86 assembler for MD5
-# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
-# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
-# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
-# equal 4.
-# PKCS1_CHECK - pkcs1 tests.
-
-CC= gcc
-CFLAG= -O3
-DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS
-PEX_LIBS= 
-EX_LIBS=
-EXE_EXT= 
-ARFLAGS= 
-AR= ar $(ARFLAGS) r
-RANLIB= /usr/bin/ranlib
-RC= windres
-NM= nm
-PERL= /usr/bin/perl
-TAR= tar
-TARFLAGS= --no-recursion
-MAKEDEPPROG= gcc
-LIBDIR=lib
-
-# We let the C compiler driver to take care of .s files. This is done in
-# order to be excused from maintaining a separate set of architecture
-# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
-# gcc, then the driver will automatically translate it to -xarch=v8plus
-# and pass it down to assembler.
-AS=$(CC) -c
-ASFLAG=$(CFLAG)
-
-# For x86 assembler: Set PROCESSOR to 386 if you want to support
-# the 80386.
-PROCESSOR= 
-
-# CPUID module collects small commonly used assembler snippets
-CPUID_OBJ= mem_clr.o
-BN_ASM= bn_asm.o
-EC_ASM=
-DES_ENC= des_enc.o fcrypt_b.o
-AES_ENC= aes_core.o aes_cbc.o
-BF_ENC= bf_enc.o
-CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o rc4_skey.o
-RC5_ENC= rc5_enc.o
-MD5_ASM_OBJ=
-SHA1_ASM_OBJ=
-RMD160_ASM_OBJ= 
-WP_ASM_OBJ= wp_block.o
-CMLL_ENC= camellia.o cmll_misc.o cmll_cbc.o
-MODES_ASM_OBJ=
-ENGINES_ASM_OBJ= 
-PERLASM_SCHEME=
-
-# KRB5 stuff
-KRB5_INCLUDES=
-LIBKRB5=
-
-# Zlib stuff
-ZLIB_INCLUDE=
-LIBZLIB=
-
-# TOP level FIPS install directory.
-FIPSDIR=/usr/local/ssl/fips-2.0
-
-# This is the location of fipscanister.o and friends.
-# The FIPS module build will place it $(INSTALLTOP)/lib
-# but since $(INSTALLTOP) can only take the default value
-# when the module is built it will be in /usr/local/ssl/lib
-# $(INSTALLTOP) for this build may be different so hard
-# code the path.
-
-FIPSLIBDIR=
-
-# The location of the library which contains fipscanister.o
-# normally it will be libcrypto unless fipsdso is set in which
-# case it will be libfips. If not compiling in FIPS mode at all
-# this is empty making it a useful test for a FIPS compile.
-
-FIPSCANLIB=
-
-# Shared library base address. Currently only used on Windows.
-#
-
-BASEADDR=0xFB00000
-
-DIRS=   crypto ssl engines apps test tools
-ENGDIRS= ccgost
-SHLIBDIRS= crypto ssl
-
-# dirs in crypto to build
-SDIRS=  \
-	objects \
-	md4 md5 sha mdc2 hmac ripemd whrlpool \
-	des aes rc2 rc4 idea bf cast camellia seed modes \
-	bn ec rsa dsa ecdsa dh ecdh dso engine \
-	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	cms pqueue ts srp cmac
-# keep in mind that the above list is adjusted by ./Configure
-# according to no-xxx arguments...
-
-# tests to perform.  "alltests" is a special word indicating that all tests
-# should be performed.
-TESTS = alltests
-
-MAKEFILE= Makefile
-
-MANDIR=$(OPENSSLDIR)/man
-MAN1=1
-MAN3=3
-MANSUFFIX=
-HTMLSUFFIX=html
-HTMLDIR=$(OPENSSLDIR)/html
-SHELL=/bin/sh
-
-TOP=    .
-ONEDIRS=out tmp
-EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
-WDIRS=  windows
-LIBS=   libcrypto.a libssl.a
-SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
-SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
-
-GENERAL=        Makefile
-BASENAME=       openssl
-NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        ../$(NAME).tar
-EXHEADER=       e_os2.h
-HEADER=         e_os.h
-
-all: Makefile build_all
-
-# as we stick to -e, CLEARENV ensures that local variables in lower
-# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-# shell, which [annoyingly enough] terminates unset with error if VAR
-# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
-# which terminates unset with error if no variable was present:-(
-CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
-		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
-		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
-		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
-		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
-		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
-		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
-		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS}	\
-		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
-		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}	\
-		$${APPS+APPS}
-
-# LC_ALL=C ensures that error [and other] messages are delivered in
-# same language for uniform treatment.
-BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
-		CC='$(CC)' CFLAG='$(CFLAG)' 			\
-		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
-		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
-		RC='$(RC)'              			\
-		CROSS_COMPILE='$(CROSS_COMPILE)'	\
-		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
-		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
-		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
-		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
-		LIBDIR='$(LIBDIR)'				\
-		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
-		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
-		MAKEDEPPROG='$(MAKEDEPPROG)'			\
-		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
-		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
-		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
-		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
-		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
-		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
-		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
-		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' 	\
-		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
-		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
-		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
-		SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)'			\
-		MD5_ASM_OBJ='$(MD5_ASM_OBJ)'			\
-		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
-		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
-		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
-		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
-		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
-		FIPSLIBDIR='${FIPSLIBDIR}'			\
-		FIPSDIR='${FIPSDIR}'				\
-		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
-		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
-# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
-# which in turn eliminates ambiguities in variable treatment with -e.
-
-# BUILD_CMD is a generic macro to build a given target in a given
-# subdirectory.  The target must be given through the shell variable
-# `target' and the subdirectory to build in must be given through `dir'.
-# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
-# BUILD_ONE_CMD instead.
-#
-# BUILD_ONE_CMD is a macro to build a given target in a given
-# subdirectory if that subdirectory is part of $(DIRS).  It requires
-# exactly the same shell variables as BUILD_CMD.
-#
-# RECURSIVE_BUILD_CMD is a macro to build a given target in all
-# subdirectories defined in $(DIRS).  It requires that the target
-# is given through the shell variable `target'.
-BUILD_CMD=  if [ -d "$$dir" ]; then \
-	    (	cd $$dir && echo "making $$target in $$dir..." && \
-		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
-	    ) || exit 1; \
-	    fi
-RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
-BUILD_ONE_CMD=\
-	if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \
-		$(BUILD_CMD); \
-	fi
-
-reflect:
-	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
-
-sub_all: build_all
-
-build_all: build_libs build_apps build_tests build_tools
-
-build_libs: build_libcrypto build_libssl openssl.pc
-
-build_libcrypto: build_crypto build_engines libcrypto.pc
-build_libssl: build_ssl libssl.pc
-
-build_crypto:
-	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl: build_crypto
-	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines: build_crypto
-	@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps: build_libs
-	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests: build_libs
-	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools: build_libs
-	@dir=tools; target=all; $(BUILD_ONE_CMD)
-
-all_testapps: build_libs build_testapps
-build_testapps:
-	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
-
-fips_premain_dso$(EXE_EXT): libcrypto.a
-	[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \
-		-DFINGERPRINT_PREMAIN_DSO_LOAD -o $@  \
-		$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
-		libcrypto.a $(EX_LIBS)
-
-libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
-	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-			FIPSLD_LIBCRYPTO=libcrypto.a ; \
-			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
-			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
-		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
-		(touch -c fips_premain_dso$(EXE_EXT) || :); \
-	else \
-		echo "There's no support for shared libraries on this platform" >&2; \
-		exit 1; \
-	fi
-
-libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
-	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
-	else \
-		echo "There's no support for shared libraries on this platform" >&2; \
-		exit 1; \
-	fi
-
-clean-shared:
-	@set -e; for i in $(SHLIBDIRS); do \
-		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
-			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
-			for j in $${tmp:-x}; do \
-				( set -x; rm -f lib$$i$$j ); \
-			done; \
-		fi; \
-		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
-		fi; \
-	done
-
-link-shared:
-	@ set -e; for i in $(SHLIBDIRS); do \
-		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
-			symlink.$(SHLIB_TARGET); \
-		libs="$$libs -l$$i"; \
-	done
-
-build-shared: do_$(SHLIB_TARGET) link-shared
-
-do_$(SHLIB_TARGET):
-	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
-		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
-			LIBDEPS="$$libs $(EX_LIBS)" \
-			link_a.$(SHLIB_TARGET); \
-		libs="-l$$i $$libs"; \
-	done
-
-libcrypto.pc: Makefile
-	@ ( echo 'prefix=$(INSTALLTOP)'; \
-	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
-	    echo 'includedir=$${prefix}/include'; \
-	    echo 'enginesdir=$${libdir}/engines'; \
-	    echo ''; \
-	    echo 'Name: OpenSSL-libcrypto'; \
-	    echo 'Description: OpenSSL cryptography library'; \
-	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lcrypto'; \
-	    echo 'Libs.private: $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-
-libssl.pc: Makefile
-	@ ( echo 'prefix=$(INSTALLTOP)'; \
-	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
-	    echo 'includedir=$${prefix}/include'; \
-	    echo ''; \
-	    echo 'Name: OpenSSL-libssl'; \
-	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
-	    echo 'Version: '$(VERSION); \
-	    echo 'Requires.private: libcrypto'; \
-	    echo 'Libs: -L$${libdir} -lssl'; \
-	    echo 'Libs.private: $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
-openssl.pc: Makefile
-	@ ( echo 'prefix=$(INSTALLTOP)'; \
-	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
-	    echo 'includedir=$${prefix}/include'; \
-	    echo ''; \
-	    echo 'Name: OpenSSL'; \
-	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
-	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: libssl libcrypto' ) > openssl.pc
-
-Makefile: Makefile.org Configure config
-	@echo "Makefile is older than Makefile.org, Configure or config."
-	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
-	@false
-
-libclean:
-	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
-
-clean:	libclean
-	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
-	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
-	rm -f $(LIBS)
-	rm -f openssl.pc libssl.pc libcrypto.pc
-	rm -f speed.* .pure
-	rm -f $(TARFILE)
-	@set -e; for i in $(ONEDIRS) ;\
-	do \
-	rm -fr $$i/*; \
-	done
-
-distclean: clean
-	-$(RM) `find . -name .git -prune -o -type l -print`
-	$(RM) apps/CA.pl
-	$(RM) test/evptests.txt test/newkey.pem test/testkey.pem test/testreq.pem
-	$(RM) tools/c_rehash
-	$(RM) crypto/opensslconf.h
-	$(RM) Makefile Makefile.bak
-
-makefile.one: files
-	$(PERL) util/mk1mf.pl >makefile.one; \
-	sh util/do_ms.sh
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
-
-links:
-	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
-	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
-	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
-
-gentests:
-	@(cd test && echo "generating dummy tests (if needed)..." && \
-	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
-
-dclean:
-	rm -rf *.bak include/openssl certs/.0
-	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
-
-rehash: rehash.time
-rehash.time: certs apps
-	@if [ -z "$(CROSS_COMPILE)" ]; then \
-		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
-		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		$(PERL) tools/c_rehash certs/demo) && \
-		touch rehash.time; \
-	else :; fi
-
-test:   tests
-
-tests: rehash
-	@(cd test && echo "testing..." && \
-	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
-	OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
-
-report:
-	@$(PERL) util/selftest.pl
-
-update: errors stacks util/libeay.num util/ssleay.num TABLE
-	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
-
-depend:
-	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
-
-lint:
-	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-
-tags:
-	rm -f TAGS
-	find . -name '[^.]*.[ch]' | xargs etags -a
-
-errors:
-	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
-	$(PERL) util/mkerr.pl -recurse -write
-	(cd engines; $(MAKE) PERL=$(PERL) errors)
-
-stacks:
-	$(PERL) util/mkstack.pl -write
-
-util/libeay.num::
-	$(PERL) util/mkdef.pl crypto update
-
-util/ssleay.num::
-	$(PERL) util/mkdef.pl ssl update
-
-TABLE: Configure
-	(echo 'Output of `Configure TABLE'"':"; \
-	$(PERL) Configure TABLE) > TABLE
-
-# Build distribution tar-file. As the list of files returned by "find" is
-# pretty long, on several platforms a "too many arguments" error or similar
-# would occur. Therefore the list of files is temporarily stored into a file
-# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
-# tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
-	                       --owner 0 --group 0 \
-			       --transform 's|^|$(NAME)/|' \
-			       -cvf -
-
-$(TARFILE).list:
-	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
-	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
-	       \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
-	       \! -name '.#*' \! -name '*~' \! -type l \
-	    | sort > $(TARFILE).list
-
-tar: $(TARFILE).list
-	find . -type d -print | xargs chmod 755
-	find . -type f -print | xargs chmod a+r
-	find . -type f -perm -0100 -print | xargs chmod a+x
-	$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
-	rm -f $(TARFILE).list
-	ls -l $(TARFILE).gz
-
-tar-snap: $(TARFILE).list
-	$(TAR_COMMAND) > $(TARFILE)
-	rm -f $(TARFILE).list
-	ls -l $(TARFILE)
-
-dist:   
-	$(PERL) Configure dist
-	@$(MAKE) SDIRS='$(SDIRS)' clean
-	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-
-install: all install_docs install_sw
-
-install_sw:
-	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
-	do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-	done;
-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
-	do \
-		if [ -f "$$i" ]; then \
-		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
-		fi; \
-	done;
-	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
-		tmp="$(SHARED_LIBS)"; \
-		for i in $${tmp:-x}; \
-		do \
-			if [ -f "$$i" -o -f "$$i.a" ]; then \
-			(       echo installing $$i; \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				fi ); \
-				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-				(	case $$i in \
-						*crypto*) i=libeay32.dll;; \
-						*ssl*)    i=ssleay32.dll;; \
-					esac; \
-					echo installing $$i; \
-	 				cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 				chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 				mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
-				fi; \
-			fi; \
-		done; \
-		(	here="`pwd`"; \
-			cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
-			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
-		if [ "$(INSTALLTOP)" != "/usr" ]; then \
-			echo 'OpenSSL shared libraries have been installed in:'; \
-			echo '  $(INSTALLTOP)'; \
-			echo ''; \
-			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
-		fi; \
-	fi
-	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
-
-install_html_docs:
-	here="`pwd`"; \
-	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
-		filecase=-i; \
-	esac; \
-	for subdir in apps crypto ssl; do \
-		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
-		for i in doc/$$subdir/*.pod; do \
-			fn=`basename $$i .pod`; \
-			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
-			cat $$i \
-			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
-			| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
-			| sed -r 's/<!DOCTYPE.*//g' \
-			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
-			$(PERL) util/extract-names.pl < $$i | \
-				grep -v $$filecase "^$$fn\$$" | \
-				(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
-				 while read n; do \
-					PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
-				 done); \
-		done; \
-	done
-
-install_docs:
-	@$(PERL) $(TOP)/util/mkdir-p.pl \
-		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
-	here="`pwd`"; \
-	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
-		filecase=-i; \
-	esac; \
-	set -e; for i in doc/apps/*.pod; do \
-		fn=`basename $$i .pod`; \
-		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
-		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
-		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$$pod2man \
-			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(PERL) util/extract-names.pl < $$i | \
-			(grep -v $$filecase "^$$fn\$$"; true) | \
-			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
-			 while read n; do \
-				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
-			 done); \
-	done; \
-	set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
-		fn=`basename $$i .pod`; \
-		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
-		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
-		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$$pod2man \
-			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(PERL) util/extract-names.pl < $$i | \
-			(grep -v $$filecase "^$$fn\$$"; true) | \
-			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
-			 while read n; do \
-				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
-			 done); \
-	done
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
Index: node-v4.9.1/deps/openssl/openssl/Makefile.org
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/Makefile.org
+++ node-v4.9.1/deps/openssl/openssl/Makefile.org
@@ -519,7 +519,7 @@ $(TARFILE).list:
 	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
 	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
 	       \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
-	       \! -name '.#*' \! -name '*~' \! -type l \
+	       \! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
 	    | sort > $(TARFILE).list
 
 tar: $(TARFILE).list
Index: node-v4.9.1/deps/openssl/openssl/NEWS
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/NEWS
+++ node-v4.9.1/deps/openssl/openssl/NEWS
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
+
+      o 0-byte record padding oracle (CVE-2019-1559)
+
   Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
 
       o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Index: node-v4.9.1/deps/openssl/openssl/README
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/README
+++ node-v4.9.1/deps/openssl/openssl/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2q 20 Nov 2018
+ OpenSSL 1.0.2r 26 Feb 2019
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Index: node-v4.9.1/deps/openssl/openssl/apps/CA.pl.bak
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/apps/CA.pl.bak
+++ /dev/null
@@ -1,188 +0,0 @@
-#!/usr/bin/perl
-#
-# CA - wrapper around ca to make it easier to use ... basically ca requires
-#      some setup stuff to be done before you can use it and this makes
-#      things easier between now and when Eric is convinced to fix it :-)
-#
-# CA -newca ... will setup the right stuff
-# CA -newreq[-nodes] ... will generate a certificate request
-# CA -sign ... will sign the generated request and output
-#
-# At the end of that grab newreq.pem and newcert.pem (one has the key
-# and the other the certificate) and cat them together and that is what
-# you want/need ... I'll make even this a little cleaner later.
-#
-#
-# 12-Jan-96 tjh    Added more things ... including CA -signcert which
-#                  converts a certificate to a request and then signs it.
-# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
-#		   environment variable so this can be driven from
-#		   a script.
-# 25-Jul-96 eay    Cleaned up filenames some more.
-# 11-Jun-96 eay    Fixed a few filename missmatches.
-# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
-# 18-Apr-96 tjh    Original hacking
-#
-# Tim Hudson
-# tjh@cryptsoft.com
-#
-
-# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
-#
-#
-# Steve Henson
-# shenson@bigfoot.com
-
-# default openssl.cnf file has setup as per the following
-# demoCA ... where everything is stored
-
-my $openssl;
-if(defined $ENV{OPENSSL}) {
-	$openssl = $ENV{OPENSSL};
-} else {
-	$openssl = "openssl";
-	$ENV{OPENSSL} = $openssl;
-}
-
-$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365";	# 1 year
-$CADAYS="-days 1095";	# 3 years
-$REQ="$openssl req $SSLEAY_CONFIG";
-$CA="$openssl ca $SSLEAY_CONFIG";
-$VERIFY="$openssl verify";
-$X509="$openssl x509";
-$PKCS12="$openssl pkcs12";
-
-$CATOP="./demoCA";
-$CAKEY="cakey.pem";
-$CAREQ="careq.pem";
-$CACERT="cacert.pem";
-
-$DIRMODE = 0777;
-
-$RET = 0;
-
-foreach (@ARGV) {
-	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
-	    exit 0;
-	} elsif (/^-newcert$/) {
-	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
-	    $RET=$?;
-	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
-	} elsif (/^-newreq$/) {
-	    # create a certificate request
-	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
-	    $RET=$?;
-	    print "Request is in newreq.pem, private key is in newkey.pem\n";
-	} elsif (/^-newreq-nodes$/) {
-	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
-	    $RET=$?;
-	    print "Request is in newreq.pem, private key is in newkey.pem\n";
-	} elsif (/^-newca$/) {
-		# if explicitly asked for or it doesn't exist then setup the
-		# directory structure that Eric likes to manage things
-	    $NEW="1";
-	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
-		# create the directory hierarchy
-		mkdir $CATOP, $DIRMODE;
-		mkdir "${CATOP}/certs", $DIRMODE;
-		mkdir "${CATOP}/crl", $DIRMODE ;
-		mkdir "${CATOP}/newcerts", $DIRMODE;
-		mkdir "${CATOP}/private", $DIRMODE;
-		open OUT, ">${CATOP}/index.txt";
-		close OUT;
-		open OUT, ">${CATOP}/crlnumber";
-		print OUT "01\n";
-		close OUT;
-	    }
-	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
-		print "CA certificate filename (or enter to create)\n";
-		$FILE = <STDIN>;
-
-		chop $FILE;
-
-		# ask user for existing CA certificate
-		if ($FILE) {
-		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
-		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
-		    $RET=$?;
-		} else {
-		    print "Making CA certificate ...\n";
-		    system ("$REQ -new -keyout " .
-			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
-		    system ("$CA -create_serial " .
-			"-out ${CATOP}/$CACERT $CADAYS -batch " .
-			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
-			"-extensions v3_ca " .
-			"-infiles ${CATOP}/$CAREQ ");
-		    $RET=$?;
-		}
-	    }
-	} elsif (/^-pkcs12$/) {
-	    my $cname = $ARGV[1];
-	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
-			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
-			"-export -name \"$cname\"");
-	    $RET=$?;
-	    print "PKCS #12 file is in newcert.p12\n";
-	    exit $RET;
-	} elsif (/^-xsign$/) {
-	    system ("$CA -policy policy_anything -infiles newreq.pem");
-	    $RET=$?;
-	} elsif (/^(-sign|-signreq)$/) {
-	    system ("$CA -policy policy_anything -out newcert.pem " .
-							"-infiles newreq.pem");
-	    $RET=$?;
-	    print "Signed certificate is in newcert.pem\n";
-	} elsif (/^(-signCA)$/) {
-	    system ("$CA -policy policy_anything -out newcert.pem " .
-					"-extensions v3_ca -infiles newreq.pem");
-	    $RET=$?;
-	    print "Signed CA certificate is in newcert.pem\n";
-	} elsif (/^-signcert$/) {
-	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
-								"-out tmp.pem");
-	    system ("$CA -policy policy_anything -out newcert.pem " .
-							"-infiles tmp.pem");
-	    $RET = $?;
-	    print "Signed certificate is in newcert.pem\n";
-	} elsif (/^-verify$/) {
-	    if (shift) {
-		foreach $j (@ARGV) {
-		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
-		    $RET=$? if ($? != 0);
-		}
-		exit $RET;
-	    } else {
-		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
-		    $RET=$?;
-		    exit 0;
-	    }
-	} else {
-	    print STDERR "Unknown arg $_\n";
-	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-	    exit 1;
-	}
-}
-
-exit $RET;
-
-sub cp_pem {
-my ($infile, $outfile, $bound) = @_;
-open IN, $infile;
-open OUT, ">$outfile";
-my $flag = 0;
-while (<IN>) {
-	$flag = 1 if (/^-----BEGIN.*$bound/) ;
-	print OUT $_ if ($flag);
-	if (/^-----END.*$bound/) {
-		close IN;
-		close OUT;
-		return;
-	}
-}
-}
Index: node-v4.9.1/deps/openssl/openssl/apps/s_client.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/apps/s_client.c
+++ node-v4.9.1/deps/openssl/openssl/apps/s_client.c
@@ -229,7 +229,6 @@ static BIO *bio_c_msg = NULL;
 static int c_quiet = 0;
 static int c_ign_eof = 0;
 static int c_brief = 0;
-static int c_no_rand_screen = 0;
 
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -445,10 +444,6 @@ static void sc_usage(void)
                " -keymatexport label   - Export keying material using label\n");
     BIO_printf(bio_err,
                " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
-#ifdef OPENSSL_SYS_WINDOWS
-    BIO_printf(bio_err,
-               " -no_rand_screen  - Do not use RAND_screen() to initialize random state\n");
-#endif
 }
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -1142,10 +1137,6 @@ int MAIN(int argc, char **argv)
             keymatexportlen = atoi(*(++argv));
             if (keymatexportlen == 0)
                 goto bad;
-#ifdef OPENSSL_SYS_WINDOWS
-        } else if (strcmp(*argv, "-no_rand_screen") == 0) {
-          c_no_rand_screen = 1;
-#endif
         } else {
             BIO_printf(bio_err, "unknown option %s\n", *argv);
             badop = 1;
@@ -1262,7 +1253,7 @@ int MAIN(int argc, char **argv)
     if (!load_excert(&exc, bio_err))
         goto end;
 
-    if (!app_RAND_load_file(NULL, bio_err, ++c_no_rand_screen) && inrand == NULL
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
         && !RAND_status()) {
         BIO_printf(bio_err,
                    "warning, not much extra random data, consider using the -rand option\n");
Index: node-v4.9.1/deps/openssl/openssl/crypto/asn1/ameth_lib.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/asn1/ameth_lib.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/asn1/ameth_lib.c
@@ -234,6 +234,21 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn
 
 int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
 {
+    /*
+     * One of the following must be true:
+     *
+     * pem_str == NULL AND ASN1_PKEY_ALIAS is set
+     * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
+     *
+     * Anything else is an error and may lead to a corrupt ASN1 method table
+     */
+    if (!((ameth->pem_str == NULL
+           && (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0)
+          || (ameth->pem_str != NULL
+              && (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) {
+        return 0;
+    }
+
     if (app_methods == NULL) {
         app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
         if (!app_methods)
@@ -305,18 +320,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(
     } else
         ameth->info = NULL;
 
-    /*
-     * One of the following must be true:
-     *
-     * pem_str == NULL AND ASN1_PKEY_ALIAS is set
-     * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
-     *
-     * Anything else is an error and may lead to a corrupt ASN1 method table
-     */
-    if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
-          || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
-        goto err;
-
     if (pem_str) {
         ameth->pem_str = BUF_strdup(pem_str);
         if (!ameth->pem_str)
Index: node-v4.9.1/deps/openssl/openssl/crypto/bio/bss_file.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/bio/bss_file.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/bio/bss_file.c
@@ -361,12 +361,16 @@ static long MS_CALLBACK file_ctrl(BIO *b
                 } else
                     _setmode(fd, _O_BINARY);
             }
-#  elif defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+#  elif defined(OPENSSL_SYS_OS2)
             int fd = fileno((FILE *)ptr);
             if (num & BIO_FP_TEXT)
                 setmode(fd, O_TEXT);
             else
                 setmode(fd, O_BINARY);
+#  elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+            int fd = fileno((FILE *)ptr);
+            if (!(num & BIO_FP_TEXT))
+                setmode(fd, O_BINARY);
 #  endif
         }
         break;
@@ -389,11 +393,14 @@ static long MS_CALLBACK file_ctrl(BIO *b
             ret = 0;
             break;
         }
-#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
         if (!(num & BIO_FP_TEXT))
             strcat(p, "b");
         else
             strcat(p, "t");
+#  elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+        if (!(num & BIO_FP_TEXT))
+            strcat(p, "b");
 #  endif
 #  if defined(OPENSSL_SYS_NETWARE)
         if (!(num & BIO_FP_TEXT))
Index: node-v4.9.1/deps/openssl/openssl/crypto/bn/bn_ctx.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/bn/bn_ctx.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/bn/bn_ctx.c
@@ -1,7 +1,7 @@
 /* crypto/bn/bn_ctx.c */
 /* Written by Ulf Moeller for the OpenSSL project. */
 /* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
     }
     /* OK, make sure the returned bignum is "zero" */
     BN_zero(ret);
+    /* clear BN_FLG_CONSTTIME if leaked from previous frames */
+    ret->flags &= (~BN_FLG_CONSTTIME);
     ctx->used++;
     CTXDBG_RET(ctx, ret);
     return ret;
Index: node-v4.9.1/deps/openssl/openssl/crypto/bn/bn_lib.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/bn/bn_lib.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/bn/bn_lib.c
@@ -836,6 +836,9 @@ int bn_cmp_words(const BN_ULONG *a, cons
     int i;
     BN_ULONG aa, bb;
 
+    if (n == 0)
+        return 0;
+
     aa = a[n - 1];
     bb = b[n - 1];
     if (aa != bb)
Index: node-v4.9.1/deps/openssl/openssl/crypto/bn/bntest.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/bn/bntest.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/bn/bntest.c
@@ -89,6 +89,10 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
+#ifndef OSSL_NELEM
+# define OSSL_NELEM(x)    (sizeof(x)/sizeof(x[0]))
+#endif
+
 const int num0 = 100;           /* number of tests */
 const int num1 = 50;            /* additional tests for some functions */
 const int num2 = 5;             /* number of tests for slow functions */
@@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN
 int test_kron(BIO *bp, BN_CTX *ctx);
 int test_sqrt(BIO *bp, BN_CTX *ctx);
 int rand_neg(void);
+static int test_ctx_consttime_flag(void);
 static int results = 0;
 
 static unsigned char lst[] =
@@ -330,6 +335,15 @@ int main(int argc, char *argv[])
         goto err;
     (void)BIO_flush(out);
 #endif
+
+    /* silently flush any pre-existing error on the stack */
+    ERR_clear_error();
+
+    message(out, "BN_CTX_get BN_FLG_CONSTTIME");
+    if (!test_ctx_consttime_flag())
+        goto err;
+    (void)BIO_flush(out);
+
     BN_CTX_free(ctx);
     BIO_free(out);
 
@@ -2158,3 +2172,90 @@ int rand_neg(void)
 
     return (sign[(neg++) % 8]);
 }
+
+static int test_ctx_set_ct_flag(BN_CTX *c)
+{
+    int st = 0;
+    size_t i;
+    BIGNUM *b[15];
+
+    BN_CTX_start(c);
+    for (i = 0; i < OSSL_NELEM(b); i++) {
+        if (NULL == (b[i] = BN_CTX_get(c))) {
+            fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+            goto err;
+        }
+        if (i % 2 == 1)
+            BN_set_flags(b[i], BN_FLG_CONSTTIME);
+    }
+
+    st = 1;
+ err:
+    BN_CTX_end(c);
+    return st;
+}
+
+static int test_ctx_check_ct_flag(BN_CTX *c)
+{
+    int st = 0;
+    size_t i;
+    BIGNUM *b[30];
+
+    BN_CTX_start(c);
+    for (i = 0; i < OSSL_NELEM(b); i++) {
+        if (NULL == (b[i] = BN_CTX_get(c))) {
+            fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+            goto err;
+        }
+        if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) {
+            fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n");
+            goto err;
+        }
+    }
+
+    st = 1;
+ err:
+    BN_CTX_end(c);
+    return st;
+}
+
+static int test_ctx_consttime_flag(void)
+{
+    /*-
+     * The constant-time flag should not "leak" among BN_CTX frames:
+     *
+     * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and
+     *   sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained
+     *   from the frame before ending it.
+     * - test_ctx_check_ct_flag() then starts a new frame and gets a
+     *   number of BIGNUMs from it. In absence of leaks, none of the
+     *   BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.
+     *
+     * In actual BN_CTX usage inside libcrypto the leak could happen at
+     * any depth level in the BN_CTX stack, with varying results
+     * depending on the patterns of sibling trees of nested function
+     * calls sharing the same BN_CTX object, and the effect of
+     * unintended BN_FLG_CONSTTIME on the called BN_* functions.
+     *
+     * This simple unit test abstracts away this complexity and verifies
+     * that the leak does not happen between two sibling functions
+     * sharing the same BN_CTX object at the same level of nesting.
+     *
+     */
+    BN_CTX *c = NULL;
+    int st = 0;
+
+    if (NULL == (c = BN_CTX_new())) {
+        fprintf(stderr, "ERROR: BN_CTX_new() failed.\n");
+        goto err;
+    }
+
+    if (!test_ctx_set_ct_flag(c)
+            || !test_ctx_check_ct_flag(c))
+        goto err;
+
+    st = 1;
+ err:
+    BN_CTX_free(c);
+    return st;
+}
Index: node-v4.9.1/deps/openssl/openssl/crypto/constant_time_locl.h
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/constant_time_locl.h
+++ node-v4.9.1/deps/openssl/openssl/crypto/constant_time_locl.h
@@ -204,6 +204,12 @@ static inline int constant_time_select_i
     return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
 }
 
+/*
+ * Expected usage pattern is to unconditionally set error and then
+ * wipe it if there was no actual error. |clear| is 1 or 0.
+ */
+void err_clear_last_constant_time(int clear);
+
 #ifdef __cplusplus
 }
 #endif
Index: node-v4.9.1/deps/openssl/openssl/crypto/ec/ec_ameth.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/ec/ec_ameth.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/ec/ec_ameth.c
@@ -601,7 +601,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
 
     case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
         *(int *)arg2 = NID_sha256;
-        return 2;
+        return 1;
 
     default:
         return -2;
Index: node-v4.9.1/deps/openssl/openssl/crypto/err/Makefile
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/err/Makefile
+++ node-v4.9.1/deps/openssl/openssl/crypto/err/Makefile
@@ -82,7 +82,7 @@ err.o: ../../include/openssl/err.h ../..
 err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err.o: ../cryptlib.h err.c
+err.o: ../constant_time_locl.h ../cryptlib.h err.c
 err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 err_all.o: ../../include/openssl/cms.h ../../include/openssl/comp.h
Index: node-v4.9.1/deps/openssl/openssl/crypto/err/err.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/err/err.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/err/err.c
@@ -118,6 +118,7 @@
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
+#include "constant_time_locl.h"
 
 DECLARE_LHASH_OF(ERR_STRING_DATA);
 DECLARE_LHASH_OF(ERR_STATE);
@@ -1156,3 +1157,40 @@ int ERR_pop_to_mark(void)
     es->err_flags[es->top] &= ~ERR_FLAG_MARK;
     return 1;
 }
+
+#ifdef UINTPTR_T
+# undef UINTPTR_T
+#endif
+/*
+ * uintptr_t is the answer, but unformtunately we can't assume that all
+ * compilers supported by 1.0.2 have it :-(
+ */
+#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
+/*
+ * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
+ * even in 64-bit builds, which means that it won't work as mask.
+ */
+# define UINTPTR_T unsigned long long
+#else
+# define UINTPTR_T size_t
+#endif
+
+void err_clear_last_constant_time(int clear)
+{
+    ERR_STATE *es;
+    int top;
+
+    es = ERR_get_state();
+    if (es == NULL)
+        return;
+
+    top = es->top;
+
+    es->err_flags[top] &= ~(0 - clear);
+    es->err_buffer[top] &= ~(0UL - clear);
+    es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
+                                       ~((UINTPTR_T)0 - clear));
+    es->err_line[top] |= 0 - clear;
+
+    es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+}
Index: node-v4.9.1/deps/openssl/openssl/crypto/evp/evp.h
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/evp/evp.h
+++ node-v4.9.1/deps/openssl/openssl/crypto/evp/evp.h
@@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void);
 # define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
 # define EVP_F_EVP_DECRYPTFINAL_EX                        101
+# define EVP_F_EVP_DECRYPTUPDATE                          181
 # define EVP_F_EVP_DIGESTINIT_EX                          128
 # define EVP_F_EVP_ENCRYPTFINAL_EX                        127
+# define EVP_F_EVP_ENCRYPTUPDATE                          180
 # define EVP_F_EVP_MD_CTX_COPY_EX                         110
 # define EVP_F_EVP_MD_SIZE                                162
 # define EVP_F_EVP_OPENINIT                               102
Index: node-v4.9.1/deps/openssl/openssl/crypto/evp/evp_enc.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/evp/evp_enc.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/evp/evp_enc.c
@@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *c
     return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
 }
 
-int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
-                      const unsigned char *in, int inl)
+static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
+                                    unsigned char *out, int *outl,
+                                    const unsigned char *in, int inl)
 {
     int i, j, bl;
 
@@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
     return 1;
 }
 
+int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+                      const unsigned char *in, int inl)
+{
+    /* Prevent accidental use of decryption context when encrypting */
+    if (!ctx->encrypt) {
+        EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
+        return 0;
+    }
+
+    return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
+}
+
 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 {
     int ret;
@@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *
     int n, ret;
     unsigned int i, b, bl;
 
+    /* Prevent accidental use of decryption context when encrypting */
+    if (!ctx->encrypt) {
+        EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+        return 0;
+    }
+
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
         ret = M_do_cipher(ctx, out, NULL, 0);
         if (ret < 0)
@@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
     int fix_len;
     unsigned int b;
 
+    /* Prevent accidental use of encryption context when decrypting */
+    if (ctx->encrypt) {
+        EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
+        return 0;
+    }
+
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
         fix_len = M_do_cipher(ctx, out, in, inl);
         if (fix_len < 0) {
@@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
     }
 
     if (ctx->flags & EVP_CIPH_NO_PADDING)
-        return EVP_EncryptUpdate(ctx, out, outl, in, inl);
+        return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
 
     b = ctx->cipher->block_size;
     OPENSSL_assert(b <= sizeof(ctx->final));
@@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
     } else
         fix_len = 0;
 
-    if (!EVP_EncryptUpdate(ctx, out, outl, in, inl))
+    if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
         return 0;
 
     /*
@@ -494,6 +519,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *
 {
     int i, n;
     unsigned int b;
+
+    /* Prevent accidental use of encryption context when decrypting */
+    if (ctx->encrypt) {
+        EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+        return 0;
+    }
+
     *outl = 0;
 
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
Index: node-v4.9.1/deps/openssl/openssl/crypto/evp/evp_err.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/evp/evp_err.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /* crypto/evp/evp_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[]
     {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),
      "EVP_CIPHER_CTX_set_key_length"},
     {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+    {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
     {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
     {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+    {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
     {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
     {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
     {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
Index: node-v4.9.1/deps/openssl/openssl/crypto/evp/evp_test.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/evp/evp_test.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/evp/evp_test.c
@@ -1,6 +1,6 @@
 /* Written by Ben Laurie, 2001 */
 /*
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2001-2019 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -327,7 +327,7 @@ static void test1(const EVP_CIPHER *c, c
                 ERR_print_errors_fp(stderr);
                 test1_exit(12);
             }
-            if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) {
+            if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) {
                 fprintf(stderr, "AAD set failed\n");
                 ERR_print_errors_fp(stderr);
                 test1_exit(13);
Index: node-v4.9.1/deps/openssl/openssl/crypto/opensslconf.h.bak
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/opensslconf.h.bak
+++ /dev/null
@@ -1,265 +0,0 @@
-/* opensslconf.h */
-/* WARNING: Generated automatically from opensslconf.h.in by Configure. */
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* OpenSSL was configured with the following options: */
-#ifndef OPENSSL_DOING_MAKEDEPEND
-
-
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-# define OPENSSL_NO_EC_NISTP_64_GCC_128
-#endif
-#ifndef OPENSSL_NO_GMP
-# define OPENSSL_NO_GMP
-#endif
-#ifndef OPENSSL_NO_JPAKE
-# define OPENSSL_NO_JPAKE
-#endif
-#ifndef OPENSSL_NO_KRB5
-# define OPENSSL_NO_KRB5
-#endif
-#ifndef OPENSSL_NO_LIBUNBOUND
-# define OPENSSL_NO_LIBUNBOUND
-#endif
-#ifndef OPENSSL_NO_MD2
-# define OPENSSL_NO_MD2
-#endif
-#ifndef OPENSSL_NO_RC5
-# define OPENSSL_NO_RC5
-#endif
-#ifndef OPENSSL_NO_RFC3779
-# define OPENSSL_NO_RFC3779
-#endif
-#ifndef OPENSSL_NO_SCTP
-# define OPENSSL_NO_SCTP
-#endif
-#ifndef OPENSSL_NO_SSL_TRACE
-# define OPENSSL_NO_SSL_TRACE
-#endif
-#ifndef OPENSSL_NO_SSL2
-# define OPENSSL_NO_SSL2
-#endif
-#ifndef OPENSSL_NO_STORE
-# define OPENSSL_NO_STORE
-#endif
-#ifndef OPENSSL_NO_UNIT_TEST
-# define OPENSSL_NO_UNIT_TEST
-#endif
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-# define OPENSSL_NO_WEAK_SSL_CIPHERS
-#endif
-
-#endif /* OPENSSL_DOING_MAKEDEPEND */
-
-#ifndef OPENSSL_NO_DYNAMIC_ENGINE
-# define OPENSSL_NO_DYNAMIC_ENGINE
-#endif
-
-/* The OPENSSL_NO_* macros are also defined as NO_* if the application
-   asks for it.  This is a transient feature that is provided for those
-   who haven't had the time to do the appropriate changes in their
-   applications.  */
-#ifdef OPENSSL_ALGORITHM_DEFINES
-# if defined(OPENSSL_NO_EC_NISTP_64_GCC_128) && !defined(NO_EC_NISTP_64_GCC_128)
-#  define NO_EC_NISTP_64_GCC_128
-# endif
-# if defined(OPENSSL_NO_GMP) && !defined(NO_GMP)
-#  define NO_GMP
-# endif
-# if defined(OPENSSL_NO_JPAKE) && !defined(NO_JPAKE)
-#  define NO_JPAKE
-# endif
-# if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5)
-#  define NO_KRB5
-# endif
-# if defined(OPENSSL_NO_LIBUNBOUND) && !defined(NO_LIBUNBOUND)
-#  define NO_LIBUNBOUND
-# endif
-# if defined(OPENSSL_NO_MD2) && !defined(NO_MD2)
-#  define NO_MD2
-# endif
-# if defined(OPENSSL_NO_RC5) && !defined(NO_RC5)
-#  define NO_RC5
-# endif
-# if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779)
-#  define NO_RFC3779
-# endif
-# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP)
-#  define NO_SCTP
-# endif
-# if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE)
-#  define NO_SSL_TRACE
-# endif
-# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
-#  define NO_SSL2
-# endif
-# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
-#  define NO_STORE
-# endif
-# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
-#  define NO_UNIT_TEST
-# endif
-# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
-#  define NO_WEAK_SSL_CIPHERS
-# endif
-#endif
-
-/* crypto/opensslconf.h.in */
-
-/* Generate 80386 code? */
-#undef I386_ONLY
-
-#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
-#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
-#define ENGINESDIR "/usr/local/ssl/lib/engines"
-#define OPENSSLDIR "/usr/local/ssl"
-#endif
-#endif
-
-#undef OPENSSL_UNISTD
-#define OPENSSL_UNISTD <unistd.h>
-
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned long
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#endif
-
-#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
-#define CONFIG_HEADER_RC4_LOCL_H
-/* if this is defined data[i] is used instead of *data, this is a %20
- * speedup on x86 */
-#undef RC4_INDEX
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependancies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very mucy CPU dependant */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
-
-#if defined( __sun ) || defined ( sun )		/* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )	/* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )	/* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )		/* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )		/* HP-PA */
-  /* Unknown */
-#elif defined( __aux )		/* 68K */
-  /* Unknown */
-#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )		/* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)	/* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
-#ifdef  __cplusplus
-}
-#endif
Index: node-v4.9.1/deps/openssl/openssl/crypto/opensslv.h
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/opensslv.h
+++ node-v4.9.1/deps/openssl/openssl/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000211fL
+# define OPENSSL_VERSION_NUMBER  0x1000212fL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2q-fips  20 Nov 2018"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2r-fips  26 Feb 2019"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2q  20 Nov 2018"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2r  26 Feb 2019"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
Index: node-v4.9.1/deps/openssl/openssl/crypto/rsa/Makefile
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/rsa/Makefile
+++ node-v4.9.1/deps/openssl/openssl/crypto/rsa/Makefile
@@ -153,7 +153,8 @@ rsa_eay.o: ../../include/openssl/lhash.h
 rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c
+rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h
+rsa_eay.o: ../cryptlib.h rsa_eay.c
 rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@@ -299,7 +300,8 @@ rsa_ssl.o: ../../include/openssl/lhash.h
 rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c
+rsa_ssl.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+rsa_ssl.o: ../cryptlib.h rsa_ssl.c
 rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
Index: node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_eay.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/rsa/rsa_eay.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_eay.c
@@ -115,6 +115,7 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 #include "bn_int.h"
+#include "constant_time_locl.h"
 
 #ifndef RSA_NULL
 
@@ -397,6 +398,11 @@ static int RSA_eay_private_encrypt(int f
         goto err;
     }
 
+    if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
+                                    rsa->n, ctx))
+            goto err;
+
     if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
         blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
         if (blinding == NULL) {
@@ -431,11 +437,6 @@ static int RSA_eay_private_encrypt(int f
         } else
             d = rsa->d;
 
-        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
-            if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
-                                        rsa->n, ctx))
-                goto err;
-
         if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
                                    rsa->_method_mod_n))
             goto err;
@@ -587,8 +588,8 @@ static int RSA_eay_private_decrypt(int f
         RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto err;
     }
-    if (r < 0)
-        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+    RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+    err_clear_last_constant_time(r >= 0);
 
  err:
     if (ctx != NULL) {
Index: node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_oaep.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/rsa/rsa_oaep.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_oaep.c
@@ -121,7 +121,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
                                       const EVP_MD *mgf1md)
 {
     int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
-    unsigned int good, found_one_byte;
+    unsigned int good = 0, found_one_byte, mask;
     const unsigned char *maskedseed, *maskeddb;
     /*
      * |em| is the encoded message, zero-padded to exactly |num| bytes: em =
@@ -148,8 +148,11 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
      * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
      * This does not leak any side-channel information.
      */
-    if (num < flen || num < 2 * mdlen + 2)
-        goto decoding_err;
+    if (num < flen || num < 2 * mdlen + 2) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+               RSA_R_OAEP_DECODING_ERROR);
+        return -1;
+    }
 
     dblen = num - mdlen - 1;
     db = OPENSSL_malloc(dblen);
@@ -158,26 +161,26 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
         goto cleanup;
     }
 
-    if (flen != num) {
-        em = OPENSSL_malloc(num);
-        if (em == NULL) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
-                   ERR_R_MALLOC_FAILURE);
-            goto cleanup;
-        }
+    em = OPENSSL_malloc(num);
+    if (em == NULL) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+               ERR_R_MALLOC_FAILURE);
+        goto cleanup;
+    }
 
-        /*
-         * Caller is encouraged to pass zero-padded message created with
-         * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
-         * to avoid leaking that information. The copy still leaks some
-         * side-channel information, but it's impossible to have a fixed
-         * memory access pattern since we can't read out of the bounds of
-         * |from|.
-         */
-        memset(em, 0, num);
-        memcpy(em + num - flen, from, flen);
-        from = em;
+    /*
+     * Caller is encouraged to pass zero-padded message created with
+     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+     * bounds, it's impossible to have an invariant memory access pattern
+     * in case |from| was not zero-padded in advance.
+     */
+    for (from += flen, em += num, i = 0; i < num; i++) {
+        mask = ~constant_time_is_zero(flen);
+        flen -= 1 & mask;
+        from -= 1 & mask;
+        *--em = *from & mask;
     }
+    from = em;
 
     /*
      * The first byte must be zero, however we must not leak if this is
@@ -224,37 +227,50 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
      * so plaintext-awareness ensures timing side-channels are no longer a
      * concern.
      */
-    if (!good)
-        goto decoding_err;
-
     msg_index = one_index + 1;
     mlen = dblen - msg_index;
 
-    if (tlen < mlen) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
-        mlen = -1;
-    } else {
-        memcpy(to, db + msg_index, mlen);
-        goto cleanup;
+    /*
+     * For good measure, do this check in constant tine as well.
+     */
+    good &= constant_time_ge(tlen, mlen);
+
+    /*
+     * Even though we can't fake result's length, we can pretend copying
+     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
+     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+     * where |mlen'| is "saturated" |mlen| value. Deducing information
+     * about failure or |mlen| would take attacker's ability to observe
+     * memory access pattern with byte granularity *as it occurs*. It
+     * should be noted that failure is indistinguishable from normal
+     * operation if |tlen| is fixed by protocol.
+     */
+    tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+    msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
+    mlen = dblen - msg_index;
+    for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
+        unsigned int equals = constant_time_eq(i, mlen);
+
+        from -= dblen & equals; /* if (i == dblen) rewind   */
+        mask &= mask ^ equals;  /* if (i == dblen) mask = 0 */
+        to[i] = constant_time_select_8(mask, from[i], to[i]);
     }
 
- decoding_err:
     /*
      * To avoid chosen ciphertext attacks, the error message should not
      * reveal which kind of decoding error happened.
      */
     RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
            RSA_R_OAEP_DECODING_ERROR);
+    err_clear_last_constant_time(1 & good);
  cleanup:
-    if (db != NULL) {
-        OPENSSL_cleanse(db, dblen);
-        OPENSSL_free(db);
-    }
-    if (em != NULL) {
-        OPENSSL_cleanse(em, num);
-        OPENSSL_free(em);
-    }
-    return mlen;
+    OPENSSL_cleanse(seed, sizeof(seed));
+    OPENSSL_cleanse(db, dblen);
+    OPENSSL_free(db);
+    OPENSSL_cleanse(em, num);
+    OPENSSL_free(em);
+
+    return constant_time_select_int(good, mlen, -1);
 }
 
 int PKCS1_MGF1(unsigned char *mask, long len,
Index: node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_pk1.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/rsa/rsa_pk1.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_pk1.c
@@ -207,7 +207,7 @@ int RSA_padding_check_PKCS1_type_2(unsig
     int i;
     /* |em| is the encoded message, zero-padded to exactly |num| bytes */
     unsigned char *em = NULL;
-    unsigned int good, found_zero_byte;
+    unsigned int good, found_zero_byte, mask;
     int zero_index = 0, msg_index, mlen = -1;
 
     if (tlen < 0 || flen < 0)
@@ -218,40 +218,41 @@ int RSA_padding_check_PKCS1_type_2(unsig
      * section 7.2.2.
      */
 
-    if (flen > num)
-        goto err;
-
-    if (num < 11)
-        goto err;
+    if (flen > num || num < 11) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
+               RSA_R_PKCS_DECODING_ERROR);
+        return -1;
+    }
 
-    if (flen != num) {
-        em = OPENSSL_malloc(num);
-        if (em == NULL) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
-            return -1;
-        }
-        /*
-         * Caller is encouraged to pass zero-padded message created with
-         * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
-         * to avoid leaking that information. The copy still leaks some
-         * side-channel information, but it's impossible to have a fixed
-         * memory access pattern since we can't read out of the bounds of
-         * |from|.
-         */
-        memset(em, 0, num);
-        memcpy(em + num - flen, from, flen);
-        from = em;
+    em = OPENSSL_malloc(num);
+    if (em == NULL) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
+        return -1;
     }
+    /*
+     * Caller is encouraged to pass zero-padded message created with
+     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+     * bounds, it's impossible to have an invariant memory access pattern
+     * in case |from| was not zero-padded in advance.
+     */
+    for (from += flen, em += num, i = 0; i < num; i++) {
+        mask = ~constant_time_is_zero(flen);
+        flen -= 1 & mask;
+        from -= 1 & mask;
+        *--em = *from & mask;
+    }
+    from = em;
 
     good = constant_time_is_zero(from[0]);
     good &= constant_time_eq(from[1], 2);
 
+    /* scan over padding data */
     found_zero_byte = 0;
     for (i = 2; i < num; i++) {
         unsigned int equals0 = constant_time_is_zero(from[i]);
-        zero_index =
-            constant_time_select_int(~found_zero_byte & equals0, i,
-                                     zero_index);
+
+        zero_index = constant_time_select_int(~found_zero_byte & equals0,
+                                              i, zero_index);
         found_zero_byte |= equals0;
     }
 
@@ -260,7 +261,7 @@ int RSA_padding_check_PKCS1_type_2(unsig
      * If we never found a 0-byte, then |zero_index| is 0 and the check
      * also fails.
      */
-    good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
+    good &= constant_time_ge(zero_index, 2 + 8);
 
     /*
      * Skip the zero byte. This is incorrect if we never found a zero-byte
@@ -270,30 +271,35 @@ int RSA_padding_check_PKCS1_type_2(unsig
     mlen = num - msg_index;
 
     /*
-     * For good measure, do this check in constant time as well; it could
-     * leak something if |tlen| was assuming valid padding.
+     * For good measure, do this check in constant time as well.
      */
-    good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
+    good &= constant_time_ge(tlen, mlen);
 
     /*
-     * We can't continue in constant-time because we need to copy the result
-     * and we cannot fake its length. This unavoidably leaks timing
-     * information at the API boundary.
+     * Even though we can't fake result's length, we can pretend copying
+     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+     * where |mlen'| is "saturated" |mlen| value. Deducing information
+     * about failure or |mlen| would take attacker's ability to observe
+     * memory access pattern with byte granularity *as it occurs*. It
+     * should be noted that failure is indistinguishable from normal
+     * operation if |tlen| is fixed by protocol.
      */
-    if (!good) {
-        mlen = -1;
-        goto err;
+    tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+    msg_index = constant_time_select_int(good, msg_index, num - tlen);
+    mlen = num - msg_index;
+    for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+        unsigned int equals = constant_time_eq(i, mlen);
+
+        from -= tlen & equals;  /* if (i == mlen) rewind   */
+        mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
+        to[i] = constant_time_select_8(mask, from[i], to[i]);
     }
 
-    memcpy(to, from + msg_index, mlen);
+    OPENSSL_cleanse(em, num);
+    OPENSSL_free(em);
+    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
+    err_clear_last_constant_time(1 & good);
 
- err:
-    if (em != NULL) {
-        OPENSSL_cleanse(em, num);
-        OPENSSL_free(em);
-    }
-    if (mlen == -1)
-        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
-               RSA_R_PKCS_DECODING_ERROR);
-    return mlen;
+    return constant_time_select_int(good, mlen, -1);
 }
Index: node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_ssl.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/crypto/rsa/rsa_ssl.c
+++ node-v4.9.1/deps/openssl/openssl/crypto/rsa/rsa_ssl.c
@@ -61,6 +61,7 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
+#include "constant_time_locl.h"
 
 int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
                            const unsigned char *from, int flen)
@@ -101,57 +102,116 @@ int RSA_padding_add_SSLv23(unsigned char
     return (1);
 }
 
+/*
+ * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * preserves error code reporting for backward compatibility.
+ */
 int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                              const unsigned char *from, int flen, int num)
 {
-    int i, j, k;
-    const unsigned char *p;
+    int i;
+    /* |em| is the encoded message, zero-padded to exactly |num| bytes */
+    unsigned char *em = NULL;
+    unsigned int good, found_zero_byte, mask, threes_in_row;
+    int zero_index = 0, msg_index, mlen = -1, err;
 
-    p = from;
     if (flen < 10) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
         return (-1);
     }
-    /* Accept even zero-padded input */
-    if (flen == num) {
-        if (*(p++) != 0) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
-            return -1;
-        }
-        flen--;
-    }
-    if ((num != (flen + 1)) || (*(p++) != 02)) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
-        return (-1);
-    }
 
-    /* scan over padding data */
-    j = flen - 1;               /* one for type */
-    for (i = 0; i < j; i++)
-        if (*(p++) == 0)
-            break;
-
-    if ((i == j) || (i < 8)) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
-               RSA_R_NULL_BEFORE_BLOCK_MISSING);
-        return (-1);
-    }
-    for (k = -9; k < -1; k++) {
-        if (p[k] != 0x03)
-            break;
-    }
-    if (k == -1) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK);
-        return (-1);
-    }
+    em = OPENSSL_malloc(num);
+    if (em == NULL) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE);
+        return -1;
+    }
+    /*
+     * Caller is encouraged to pass zero-padded message created with
+     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+     * bounds, it's impossible to have an invariant memory access pattern
+     * in case |from| was not zero-padded in advance.
+     */
+    for (from += flen, em += num, i = 0; i < num; i++) {
+        mask = ~constant_time_is_zero(flen);
+        flen -= 1 & mask;
+        from -= 1 & mask;
+        *--em = *from & mask;
+    }
+    from = em;
+
+    good = constant_time_is_zero(from[0]);
+    good &= constant_time_eq(from[1], 2);
+    err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
+    mask = ~good;
 
-    i++;                        /* Skip over the '\0' */
-    j -= i;
-    if (j > tlen) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
-        return (-1);
-    }
-    memcpy(to, p, (unsigned int)j);
+    /* scan over padding data */
+    found_zero_byte = 0;
+    threes_in_row = 0;
+    for (i = 2; i < num; i++) {
+        unsigned int equals0 = constant_time_is_zero(from[i]);
+
+        zero_index = constant_time_select_int(~found_zero_byte & equals0,
+                                              i, zero_index);
+        found_zero_byte |= equals0;
+
+        threes_in_row += 1 & ~found_zero_byte;
+        threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
+    }
+
+    /*
+     * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+     * If we never found a 0-byte, then |zero_index| is 0 and the check
+     * also fails.
+     */
+    good &= constant_time_ge(zero_index, 2 + 8);
+    err = constant_time_select_int(mask | good, err,
+                                   RSA_R_NULL_BEFORE_BLOCK_MISSING);
+    mask = ~good;
+
+    good &= constant_time_lt(threes_in_row, 8);
+    err = constant_time_select_int(mask | good, err,
+                                   RSA_R_SSLV3_ROLLBACK_ATTACK);
+    mask = ~good;
+
+    /*
+     * Skip the zero byte. This is incorrect if we never found a zero-byte
+     * but in this case we also do not copy the message out.
+     */
+    msg_index = zero_index + 1;
+    mlen = num - msg_index;
+
+    /*
+     * For good measure, do this check in constant time as well.
+     */
+    good &= constant_time_ge(tlen, mlen);
+    err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
+
+    /*
+     * Even though we can't fake result's length, we can pretend copying
+     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+     * where |mlen'| is "saturated" |mlen| value. Deducing information
+     * about failure or |mlen| would take attacker's ability to observe
+     * memory access pattern with byte granularity *as it occurs*. It
+     * should be noted that failure is indistinguishable from normal
+     * operation if |tlen| is fixed by protocol.
+     */
+    tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+    msg_index = constant_time_select_int(good, msg_index, num - tlen);
+    mlen = num - msg_index;
+    for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+        unsigned int equals = constant_time_eq(i, mlen);
+
+        from -= tlen & equals;  /* if (i == mlen) rewind   */
+        mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
+        to[i] = constant_time_select_8(mask, from[i], to[i]);
+    }
+
+    OPENSSL_cleanse(em, num);
+    OPENSSL_free(em);
+    RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err);
+    err_clear_last_constant_time(1 & good);
 
-    return (j);
+    return constant_time_select_int(good, mlen, -1);
 }
Index: node-v4.9.1/deps/openssl/openssl/doc/apps/ca.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/apps/ca.pod
+++ node-v4.9.1/deps/openssl/openssl/doc/apps/ca.pod
@@ -214,7 +214,7 @@ the section of the configuration file co
 to be added when a certificate is issued (defaults to B<x509_extensions>
 unless the B<-extfile> option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created. See the:w
+is present (even if it is empty), then a V3 certificate is created. See the
 L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
 extension section format.
 
Index: node-v4.9.1/deps/openssl/openssl/doc/crypto/PKCS12_parse.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/crypto/PKCS12_parse.pod
+++ node-v4.9.1/deps/openssl/openssl/doc/crypto/PKCS12_parse.pod
@@ -8,7 +8,8 @@ PKCS12_parse - parse a PKCS#12 structure
 
  #include <openssl/pkcs12.h>
 
-int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
+ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+                  STACK_OF(X509) **ca);
 
 =head1 DESCRIPTION
 
Index: node-v4.9.1/deps/openssl/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ node-v4.9.1/deps/openssl/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -109,7 +109,12 @@ L<ERR_get_error(3)|ERR_get_error(3)>.
 The RSA_padding_check_PKCS1_type_2() padding check leaks timing
 information which can potentially be used to mount a Bleichenbacher
 padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
+v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
+be recommended to pass zero-padded B<f>, so that B<fl> equals to
+B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
+expected length. In such case leakage would be minimal, it would
+take attacker's ability to observe memory access pattern with byte
+granilarity as it occurs, post-factum timing analysis won't do.
 
 =head1 SEE ALSO
 
Index: node-v4.9.1/deps/openssl/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ node-v4.9.1/deps/openssl/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -44,9 +44,6 @@ X509_NAME_ENTRY_get_object() and X509_NA
 used to examine an B<X509_NAME_ENTRY> function as returned by 
 X509_NAME_get_entry() for example.
 
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(),
-and X509_NAME_ENTRY_create_by_OBJ() create and return an 
-
 X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(),
 X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data()
 are seldom used in practice because B<X509_NAME_ENTRY> structures
Index: node-v4.9.1/deps/openssl/openssl/doc/man3/X509_cmp_time.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/man3/X509_cmp_time.pod
+++ /dev/null
@@ -1,39 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_cmp_time - X509 time functions
-
-=head1 SYNOPSIS
-
- X509_cmp_time(const ASN1_TIME *asn1_time, time_t *cmp_time);
-
-=head1 DESCRIPTION
-
-X509_cmp_time() compares the ASN1_TIME in B<asn1_time> with the time in
-<cmp_time>.
-
-B<asn1_time> must satisfy the ASN1_TIME format mandated by RFC 5280, i.e.,
-its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ.
-
-If B<cmp_time> is NULL the current time is used.
-
-=head1 BUGS
-
-Unlike many standard comparison functions, X509_cmp_time returns 0 on error.
-
-=head1 RETURN VALUES
-
-X509_cmp_time() returns -1 if B<asn1_time> is earlier than, or equal to,
-B<cmp_time>, and 1 otherwise. It returns 0 on error.
-
-=head1 COPYRIGHT
-
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the OpenSSL license (the "License").  You may not use
-this file except in compliance with the License.  You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
Index: node-v4.9.1/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod
===================================================================
--- /dev/null
+++ node-v4.9.1/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+X509_cmp_time - X509 time functions
+
+=head1 SYNOPSIS
+
+ X509_cmp_time(const ASN1_TIME *asn1_time, time_t *cmp_time);
+
+=head1 DESCRIPTION
+
+X509_cmp_time() compares the ASN1_TIME in B<asn1_time> with the time in
+<cmp_time>.
+
+B<asn1_time> must satisfy the ASN1_TIME format mandated by RFC 5280, i.e.,
+its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ.
+
+If B<cmp_time> is NULL the current time is used.
+
+=head1 BUGS
+
+Unlike many standard comparison functions, X509_cmp_time returns 0 on error.
+
+=head1 RETURN VALUES
+
+X509_cmp_time() returns -1 if B<asn1_time> is earlier than, or equal to,
+B<cmp_time>, and 1 otherwise. It returns 0 on error.
+
+=head1 COPYRIGHT
+
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
Index: node-v4.9.1/deps/openssl/openssl/doc/ssl/SSL_get_error.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/ssl/SSL_get_error.pod
+++ node-v4.9.1/deps/openssl/openssl/doc/ssl/SSL_get_error.pod
@@ -90,14 +90,17 @@ Details depend on the application.
 
 =item SSL_ERROR_SYSCALL
 
-Some non-recoverable I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-For socket I/O on Unix systems, consult B<errno> for details.
+Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
+contain more information on the error. For socket I/O on Unix systems, consult
+B<errno> for details. If this error occurs then no further I/O operations should
+be performed on the connection and SSL_shutdown() must not be called.
 
 =item SSL_ERROR_SSL
 
-A failure in the SSL library occurred, usually a protocol error.  The
-OpenSSL error queue contains more information on the error.
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
+error.  The OpenSSL error queue contains more information on the error. If this
+error occurs then no further I/O operations should be performed on the
+connection and SSL_shutdown() must not be called.
 
 =back
 
Index: node-v4.9.1/deps/openssl/openssl/doc/ssl/SSL_shutdown.pod
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/doc/ssl/SSL_shutdown.pod
+++ node-v4.9.1/deps/openssl/openssl/doc/ssl/SSL_shutdown.pod
@@ -22,6 +22,10 @@ Whether the operation succeeds or not, t
 a currently open session is considered closed and good and will be kept in the
 session cache for further reuse.
 
+Note that SSL_shutdown() must not be called if a previous fatal error has
+occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
+or SSL_ERROR_SSL.
+
 The shutdown procedure consists of 2 steps: the sending of the "close notify"
 shutdown alert and the reception of the peer's "close notify" shutdown
 alert. According to the TLS standard, it is acceptable for an application
Index: node-v4.9.1/deps/openssl/openssl/include/openssl/evp.h
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/include/openssl/evp.h
+++ node-v4.9.1/deps/openssl/openssl/include/openssl/evp.h
@@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void);
 # define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
 # define EVP_F_EVP_DECRYPTFINAL_EX                        101
+# define EVP_F_EVP_DECRYPTUPDATE                          181
 # define EVP_F_EVP_DIGESTINIT_EX                          128
 # define EVP_F_EVP_ENCRYPTFINAL_EX                        127
+# define EVP_F_EVP_ENCRYPTUPDATE                          180
 # define EVP_F_EVP_MD_CTX_COPY_EX                         110
 # define EVP_F_EVP_MD_SIZE                                162
 # define EVP_F_EVP_OPENINIT                               102
Index: node-v4.9.1/deps/openssl/openssl/include/openssl/opensslv.h
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/include/openssl/opensslv.h
+++ node-v4.9.1/deps/openssl/openssl/include/openssl/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000211fL
+# define OPENSSL_VERSION_NUMBER  0x1000212fL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2q-fips  20 Nov 2018"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2r-fips  26 Feb 2019"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2q  20 Nov 2018"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2r  26 Feb 2019"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
Index: node-v4.9.1/deps/openssl/openssl/openssl.spec
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/openssl.spec
+++ node-v4.9.1/deps/openssl/openssl/openssl.spec
@@ -7,7 +7,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 1.0.2q
+Version: 1.0.2r
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries
Index: node-v4.9.1/deps/openssl/openssl/ssl/d1_pkt.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/ssl/d1_pkt.c
+++ node-v4.9.1/deps/openssl/openssl/ssl/d1_pkt.c
@@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, u
             ERR_add_error_data(2, "SSL alert number ", tmp);
             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
             SSL_CTX_remove_session(s->session_ctx, s->session);
+            s->state = SSL_ST_ERR;
             return (0);
         } else {
             al = SSL_AD_ILLEGAL_PARAMETER;
Index: node-v4.9.1/deps/openssl/openssl/ssl/s3_pkt.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/ssl/s3_pkt.c
+++ node-v4.9.1/deps/openssl/openssl/ssl/s3_pkt.c
@@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, un
             ERR_add_error_data(2, "SSL alert number ", tmp);
             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
             SSL_CTX_remove_session(s->session_ctx, s->session);
+            s->state = SSL_ST_ERR;
             return (0);
         } else {
             al = SSL_AD_ILLEGAL_PARAMETER;
@@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, i
                                           * protocol_version alerts */
     if (desc < 0)
         return -1;
-    /* If a fatal one, remove from cache */
-    if ((level == 2) && (s->session != NULL))
-        SSL_CTX_remove_session(s->session_ctx, s->session);
+    /* If a fatal one, remove from cache and go into the error state */
+    if (level == SSL3_AL_FATAL) {
+        if (s->session != NULL)
+            SSL_CTX_remove_session(s->session_ctx, s->session);
+        s->state = SSL_ST_ERR;
+    }
 
     s->s3->alert_dispatch = 1;
     s->s3->send_alert[0] = level;
Index: node-v4.9.1/deps/openssl/openssl/ssl/t1_lib.c
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/ssl/t1_lib.c
+++ node-v4.9.1/deps/openssl/openssl/ssl/t1_lib.c
@@ -3697,6 +3697,12 @@ int tls12_get_sigid(const EVP_PKEY *pk)
                          sizeof(tls12_sig) / sizeof(tls12_lookup));
 }
 
+static int tls12_get_hash_nid(unsigned char hash_alg)
+{
+    return tls12_find_nid(hash_alg, tls12_md,
+                          sizeof(tls12_md) / sizeof(tls12_lookup));
+}
+
 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
 {
     switch (hash_alg) {
@@ -3887,6 +3893,8 @@ int tls1_process_sigalgs(SSL *s)
     const EVP_MD *md;
     CERT *c = s->cert;
     TLS_SIGALGS *sigptr;
+    int mandatory_mdnid;
+
     if (!tls1_set_shared_sigalgs(s))
         return 0;
 
@@ -3918,6 +3926,18 @@ int tls1_process_sigalgs(SSL *s)
     for (i = 0, sigptr = c->shared_sigalgs;
          i < c->shared_sigalgslen; i++, sigptr++) {
         idx = tls12_get_pkey_idx(sigptr->rsign);
+        if (s->cert->pkeys[idx].privatekey) {
+            ERR_set_mark();
+            if (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey,
+                                                &mandatory_mdnid) == 2 &&
+                mandatory_mdnid != tls12_get_hash_nid(sigptr->rhash))
+                continue;
+            /*
+             * If EVP_PKEY_get_default_digest_nid() failed, don't pollute
+             * the error stack.
+             */
+            ERR_pop_to_mark();
+        }
         if (idx > 0 && c->pkeys[idx].digest == NULL) {
             md = tls12_get_hash(sigptr->rhash);
             c->pkeys[idx].digest = md;
Index: node-v4.9.1/deps/openssl/openssl/test/maketests.com
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/test/maketests.com
+++ node-v4.9.1/deps/openssl/openssl/test/maketests.com
@@ -198,6 +198,7 @@ $ T_D_BAD_DTLS_TEST   := [-.ssl]
 $ T_D_SSLV2CONFTEST := [-.ssl]
 $ T_D_DTLSTEST   := [-.ssl]
 $ T_D_FATALERRTEST := [-.ssl]
+$ T_D_X509_TIME_TEST := []
 $
 $ EXOBJ_DTLSTEST := SSLTESTLIB
 $ EXOBJ_FATALERRTEST := SSLTESTLIB
Index: node-v4.9.1/deps/openssl/openssl/tools/c_rehash.bak
===================================================================
--- node-v4.9.1.orig/deps/openssl/openssl/tools/c_rehash.bak
+++ /dev/null
@@ -1,209 +0,0 @@
-#!/usr/bin/perl
-
-# Perl c_rehash script, scan all files in a directory
-# and add symbolic links to their hash values.
-
-my $dir = "/usr/local/ssl";
-my $prefix = "/usr/local/ssl";
-
-my $openssl = $ENV{OPENSSL} || "openssl";
-my $pwd;
-my $x509hash = "-subject_hash";
-my $crlhash = "-hash";
-my $verbose = 0;
-my $symlink_exists=eval {symlink("",""); 1};
-my $removelinks = 1;
-
-##  Parse flags.
-while ( $ARGV[0] =~ /^-/ ) {
-    my $flag = shift @ARGV;
-    last if ( $flag eq '--');
-    if ( $flag eq '-old') {
-	    $x509hash = "-subject_hash_old";
-	    $crlhash = "-hash_old";
-    } elsif ( $flag eq '-h') {
-	    help();
-    } elsif ( $flag eq '-n' ) {
-	    $removelinks = 0;
-    } elsif ( $flag eq '-v' ) {
-	    $verbose++;
-    }
-    else {
-	    print STDERR "Usage error; try -help.\n";
-	    exit 1;
-    }
-}
-
-sub help {
-	print "Usage: c_rehash [-old] [-h] [-v] [dirs...]\n";
-	print "   -old use old-style digest\n";
-	print "   -h print this help text\n";
-	print "   -v print files removed and linked\n";
-	exit 0;
-}
-
-eval "require Cwd";
-if (defined(&Cwd::getcwd)) {
-	$pwd=Cwd::getcwd();
-} else {
-	$pwd=`pwd`;
-	chomp($pwd);
-}
-
-# DOS/Win32 or Unix delimiter?  Prefix our installdir, then search.
-my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
-$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
-
-if(! -x $openssl) {
-	my $found = 0;
-	foreach (split /$path_delim/, $ENV{PATH}) {
-		if(-x "$_/$openssl") {
-			$found = 1;
-			$openssl = "$_/$openssl";
-			last;
-		}
-	}
-	if($found == 0) {
-		print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
-		exit 0;
-	}
-}
-
-if(@ARGV) {
-	@dirlist = @ARGV;
-} elsif($ENV{SSL_CERT_DIR}) {
-	@dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
-} else {
-	$dirlist[0] = "$dir/certs";
-}
-
-if (-d $dirlist[0]) {
-	chdir $dirlist[0];
-	$openssl="$pwd/$openssl" if (!-x $openssl);
-	chdir $pwd;
-}
-
-foreach (@dirlist) {
-	if(-d $_ and -w $_) {
-		hash_dir($_);
-	}
-}
-
-sub hash_dir {
-	my %hashlist;
-	print "Doing $_[0]\n";
-	chdir $_[0];
-	opendir(DIR, ".");
-	my @flist = readdir(DIR);
-	closedir DIR;
-	if ( $removelinks ) {
-		# Delete any existing symbolic links
-		foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-			if(-l $_) {
-				unlink $_;
-				print "unlink $_" if $verbose;
-			}
-		}
-	}
-	FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-		# Check to see if certificates and/or CRLs present.
-		my ($cert, $crl) = check_file($fname);
-		if(!$cert && !$crl) {
-			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-			next;
-		}
-		link_hash_cert($fname) if($cert);
-		link_hash_crl($fname) if($crl);
-	}
-}
-
-sub check_file {
-	my ($is_cert, $is_crl) = (0,0);
-	my $fname = $_[0];
-	open IN, $fname;
-	while(<IN>) {
-		if(/^-----BEGIN (.*)-----/) {
-			my $hdr = $1;
-			if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-				$is_cert = 1;
-				last if($is_crl);
-			} elsif($hdr eq "X509 CRL") {
-				$is_crl = 1;
-				last if($is_cert);
-			}
-		}
-	}
-	close IN;
-	return ($is_cert, $is_crl);
-}
-
-
-# Link a certificate to its subject name hash value, each hash is of
-# the form <hash>.<n> where n is an integer. If the hash value already exists
-# then we need to up the value of n, unless its a duplicate in which
-# case we skip the link. We check for duplicates by comparing the
-# certificate fingerprints
-
-sub link_hash_cert {
-		my $fname = $_[0];
-		$fname =~ s/'/'\\''/g;
-		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-		chomp $hash;
-		chomp $fprint;
-		$fprint =~ s/^.*=//;
-		$fprint =~ tr/://d;
-		my $suffix = 0;
-		# Search for an unused hash filename
-		while(exists $hashlist{"$hash.$suffix"}) {
-			# Hash matches: if fingerprint matches its a duplicate cert
-			if($hashlist{"$hash.$suffix"} eq $fprint) {
-				print STDERR "WARNING: Skipping duplicate certificate $fname\n";
-				return;
-			}
-			$suffix++;
-		}
-		$hash .= ".$suffix";
-		if ($symlink_exists) {
-			symlink $fname, $hash;
-			print "link $fname -> $hash\n" if $verbose;
-		} else {
-			open IN,"<$fname" or die "can't open $fname for read";
-			open OUT,">$hash" or die "can't open $hash for write";
-			print OUT <IN>;	# does the job for small text files
-			close OUT;
-			close IN;
-			print "copy $fname -> $hash\n" if $verbose;
-		}
-		$hashlist{$hash} = $fprint;
-}
-
-# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
-
-sub link_hash_crl {
-		my $fname = $_[0];
-		$fname =~ s/'/'\\''/g;
-		my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-		chomp $hash;
-		chomp $fprint;
-		$fprint =~ s/^.*=//;
-		$fprint =~ tr/://d;
-		my $suffix = 0;
-		# Search for an unused hash filename
-		while(exists $hashlist{"$hash.r$suffix"}) {
-			# Hash matches: if fingerprint matches its a duplicate cert
-			if($hashlist{"$hash.r$suffix"} eq $fprint) {
-				print STDERR "WARNING: Skipping duplicate CRL $fname\n";
-				return;
-			}
-			$suffix++;
-		}
-		$hash .= ".r$suffix";
-		if ($symlink_exists) {
-			symlink $fname, $hash;
-			print "link $fname -> $hash\n" if $verbose;
-		} else {
-			system ("cp", $fname, $hash);
-			print "cp $fname -> $hash\n" if $verbose;
-		}
-		$hashlist{$hash} = $fprint;
-}
openSUSE Build Service is sponsored by