Upgrade to openssl-1.0.2k

deps/openssl/asm/x64-elf-gas/bn/x86_64-mont.s

@@ -995,18 +995,17 @@ bn_mulx4x_mont:
 	mulxq	16(%rsi),%r15,%r13
 	adoxq	-24(%rbx),%r11
 	adcxq	%r15,%r12
-	adoxq	%rbp,%r12
+	adoxq	-16(%rbx),%r12
 	adcxq	%rbp,%r13
+	adoxq	%rbp,%r13
 
 	movq	%rdi,8(%rsp)
-.byte	0x67
 	movq	%r8,%r15
 	imulq	24(%rsp),%r8
 	xorl	%ebp,%ebp
 
 	mulxq	24(%rsi),%rax,%r14
 	movq	%r8,%rdx
-	adoxq	-16(%rbx),%r12
 	adcxq	%rax,%r13
 	adoxq	-8(%rbx),%r13
 	adcxq	%rbp,%r14

deps/openssl/asm/x64-elf-gas/bn/x86_64-mont5.s

@@ -1889,6 +1889,7 @@ __bn_sqr8x_reduction:
 
 .align	32
 .L8x_tail_done:
+	xorq	%rax,%rax
 	addq	(%rdx),%r8
 	adcq	$0,%r9
 	adcq	$0,%r10
@@ -1897,9 +1898,7 @@ __bn_sqr8x_reduction:
 	adcq	$0,%r13
 	adcq	$0,%r14
 	adcq	$0,%r15
-
-
-	xorq	%rax,%rax
+	adcq	$0,%rax
 
 	negq	%rsi
 .L8x_no_tail:
@@ -3344,6 +3343,7 @@ __bn_sqrx8x_reduction:
 
 .align	32
 .Lsqrx8x_tail_done:
+	xorq	%rax,%rax
 	addq	24+8(%rsp),%r8
 	adcq	$0,%r9
 	adcq	$0,%r10
@@ -3352,9 +3352,7 @@ __bn_sqrx8x_reduction:
 	adcq	$0,%r13
 	adcq	$0,%r14
 	adcq	$0,%r15
-
-
-	movq	%rsi,%rax
+	adcq	$0,%rax
 
 	subq	16+8(%rsp),%rsi
 .Lsqrx8x_no_tail:
@@ -3369,7 +3367,7 @@ __bn_sqrx8x_reduction:
 	adcq	40(%rdi),%r13
 	adcq	48(%rdi),%r14
 	adcq	56(%rdi),%r15
-	adcq	%rax,%rax
+	adcq	$0,%rax
 
 	movq	32+8(%rsp),%rbx
 	movq	64(%rdi,%rcx,1),%rdx

deps/openssl/asm/x64-macosx-gas/bn/x86_64-mont.s

@@ -995,18 +995,17 @@ L$mulx4x_outer:
 	mulxq	16(%rsi),%r15,%r13
 	adoxq	-24(%rbx),%r11
 	adcxq	%r15,%r12
-	adoxq	%rbp,%r12
+	adoxq	-16(%rbx),%r12
 	adcxq	%rbp,%r13
+	adoxq	%rbp,%r13
 
 	movq	%rdi,8(%rsp)
-.byte	0x67
 	movq	%r8,%r15
 	imulq	24(%rsp),%r8
 	xorl	%ebp,%ebp
 
 	mulxq	24(%rsi),%rax,%r14
 	movq	%r8,%rdx
-	adoxq	-16(%rbx),%r12
 	adcxq	%rax,%r13
 	adoxq	-8(%rbx),%r13
 	adcxq	%rbp,%r14

deps/openssl/asm/x64-macosx-gas/bn/x86_64-mont5.s

@@ -1889,6 +1889,7 @@ L$8x_tail:
 
 .p2align	5
 L$8x_tail_done:
+	xorq	%rax,%rax
 	addq	(%rdx),%r8
 	adcq	$0,%r9
 	adcq	$0,%r10
@@ -1897,9 +1898,7 @@ L$8x_tail_done:
 	adcq	$0,%r13
 	adcq	$0,%r14
 	adcq	$0,%r15
-
-
-	xorq	%rax,%rax
+	adcq	$0,%rax
 
 	negq	%rsi
 L$8x_no_tail:
@@ -3344,6 +3343,7 @@ L$sqrx8x_tail:
 
 .p2align	5
 L$sqrx8x_tail_done:
+	xorq	%rax,%rax
 	addq	24+8(%rsp),%r8
 	adcq	$0,%r9
 	adcq	$0,%r10
@@ -3352,9 +3352,7 @@ L$sqrx8x_tail_done:
 	adcq	$0,%r13
 	adcq	$0,%r14
 	adcq	$0,%r15
-
-
-	movq	%rsi,%rax
+	adcq	$0,%rax
 
 	subq	16+8(%rsp),%rsi
 L$sqrx8x_no_tail:
@@ -3369,7 +3367,7 @@ L$sqrx8x_no_tail:
 	adcq	40(%rdi),%r13
 	adcq	48(%rdi),%r14
 	adcq	56(%rdi),%r15
-	adcq	%rax,%rax
+	adcq	$0,%rax
 
 	movq	32+8(%rsp),%rbx
 	movq	64(%rdi,%rcx,1),%rdx

deps/openssl/asm/x64-win32-masm/bn/x86_64-mont.asm

@@ -1053,18 +1053,17 @@ $L$mulx4x_outer::
 	mulx	r13,r15,QWORD PTR[16+rsi]
 	adox	r11,QWORD PTR[((-24))+rbx]
 	adcx	r12,r15
-	adox	r12,rbp
+	adox	r12,QWORD PTR[((-16))+rbx]
 	adcx	r13,rbp
+	adox	r13,rbp
 
 	mov	QWORD PTR[8+rsp],rdi
-DB	067h
 	mov	r15,r8
 	imul	r8,QWORD PTR[24+rsp]
 	xor	ebp,ebp
 
 	mulx	r14,rax,QWORD PTR[24+rsi]
 	mov	rdx,r8
-	adox	r12,QWORD PTR[((-16))+rbx]
 	adcx	r13,rax
 	adox	r13,QWORD PTR[((-8))+rbx]
 	adcx	r14,rbp

deps/openssl/asm/x64-win32-masm/bn/x86_64-mont5.asm

@@ -1935,6 +1935,7 @@ $L$8x_tail::
 
 ALIGN	32
 $L$8x_tail_done::
+	xor	rax,rax
 	add	r8,QWORD PTR[rdx]
 	adc	r9,0
 	adc	r10,0
@@ -1943,9 +1944,7 @@ $L$8x_tail_done::
 	adc	r13,0
 	adc	r14,0
 	adc	r15,0
-
-
-	xor	rax,rax
+	adc	rax,0
 
 	neg	rsi
 $L$8x_no_tail::
@@ -3435,6 +3434,7 @@ DB	0c4h,062h,0fbh,0f6h,0a5h,020h,000h,000h,000h
 
 ALIGN	32
 $L$sqrx8x_tail_done::
+	xor	rax,rax
 	add	r8,QWORD PTR[((24+8))+rsp]
 	adc	r9,0
 	adc	r10,0
@@ -3443,9 +3443,7 @@ $L$sqrx8x_tail_done::
 	adc	r13,0
 	adc	r14,0
 	adc	r15,0
-
-
-	mov	rax,rsi
+	adc	rax,0
 
 	sub	rsi,QWORD PTR[((16+8))+rsp]
 $L$sqrx8x_no_tail::
@@ -3460,7 +3458,7 @@ DB	102,72,15,126,213
 	adc	r13,QWORD PTR[40+rdi]
 	adc	r14,QWORD PTR[48+rdi]
 	adc	r15,QWORD PTR[56+rdi]
-	adc	rax,rax
+	adc	rax,0
 
 	mov	rbx,QWORD PTR[((32+8))+rsp]
 	mov	rdx,QWORD PTR[64+rcx*1+rdi]

deps/openssl/asm_obsolete/x64-elf-gas/bn/x86_64-mont5.s

@@ -1881,6 +1881,7 @@ __bn_sqr8x_reduction:
 
 .align	32
 .L8x_tail_done:
+	xorq	%rax,%rax
 	addq	(%rdx),%r8
 	adcq	$0,%r9
 	adcq	$0,%r10
@@ -1889,9 +1890,7 @@ __bn_sqr8x_reduction:
 	adcq	$0,%r13
 	adcq	$0,%r14
 	adcq	$0,%r15
-
-
-	xorq	%rax,%rax
+	adcq	$0,%rax
 
 	negq	%rsi
 .L8x_no_tail:

deps/openssl/asm_obsolete/x64-macosx-gas/bn/x86_64-mont5.s

@@ -1881,6 +1881,7 @@ L$8x_tail:
 
 .p2align	5
 L$8x_tail_done:
+	xorq	%rax,%rax
 	addq	(%rdx),%r8
 	adcq	$0,%r9
 	adcq	$0,%r10
@@ -1889,9 +1890,7 @@ L$8x_tail_done:
 	adcq	$0,%r13
 	adcq	$0,%r14
 	adcq	$0,%r15
-
-
-	xorq	%rax,%rax
+	adcq	$0,%rax
 
 	negq	%rsi
 L$8x_no_tail:

deps/openssl/asm_obsolete/x64-win32-masm/bn/x86_64-mont5.asm

@@ -1927,6 +1927,7 @@ $L$8x_tail::
 
 ALIGN	32
 $L$8x_tail_done::
+	xor	rax,rax
 	add	r8,QWORD PTR[rdx]
 	adc	r9,0
 	adc	r10,0
@@ -1935,9 +1936,7 @@ $L$8x_tail_done::
 	adc	r13,0
 	adc	r14,0
 	adc	r15,0
-
-
-	xor	rax,rax
+	adc	rax,0
 
 	neg	rsi
 $L$8x_no_tail::

deps/openssl/openssl/CHANGES

@@ -2,6 +2,67 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
+
+  *) Truncated packet could crash via OOB read
+
+     If one side of an SSL/TLS path is running on a 32-bit host and a specific
+     cipher is being used, then a truncated packet can cause that host to
+     perform an out-of-bounds read, usually resulting in a crash.
+
+     This issue was reported to OpenSSL by Robert Święcki of Google.
+     (CVE-2017-3731)
+     [Andy Polyakov]
+
+  *) BN_mod_exp may produce incorrect results on x86_64
+
+     There is a carry propagating bug in the x86_64 Montgomery squaring
+     procedure. No EC algorithms are affected. Analysis suggests that attacks
+     against RSA and DSA as a result of this defect would be very difficult to
+     perform and are not believed likely. Attacks against DH are considered just
+     feasible (although very difficult) because most of the work necessary to
+     deduce information about a private key may be performed offline. The amount
+     of resources required for such an attack would be very significant and
+     likely only accessible to a limited number of attackers. An attacker would
+     additionally need online access to an unpatched system using the target
+     private key in a scenario with persistent DH parameters and a private
+     key that is shared between multiple clients. For example this can occur by
+     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+     similar to CVE-2015-3193 but must be treated as a separate problem.
+
+     This issue was reported to OpenSSL by the OSS-Fuzz project.
+     (CVE-2017-3732)
+     [Andy Polyakov]
+
+  *) Montgomery multiplication may produce incorrect results
+
+     There is a carry propagating bug in the Broadwell-specific Montgomery
+     multiplication procedure that handles input lengths divisible by, but
+     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+     and DH private keys are impossible. This is because the subroutine in
+     question is not used in operations with the private key itself and an input
+     of the attacker's direct choice. Otherwise the bug can manifest itself as
+     transient authentication and key negotiation failures or reproducible
+     erroneous outcome of public-key operations with specially crafted input.
+     Among EC algorithms only Brainpool P-512 curves are affected and one
+     presumably can attack ECDH key negotiation. Impact was not analyzed in
+     detail, because pre-requisites for attack are considered unlikely. Namely
+     multiple clients have to choose the curve in question and the server has to
+     share the private key among them, neither of which is default behaviour.
+     Even then only clients that chose the curve will be affected.
+
+     This issue was publicly reported as transient failures and was not
+     initially recognized as a security issue. Thanks to Richard Morgan for
+     providing reproducible case.
+     (CVE-2016-7055)
+     [Andy Polyakov]
+
+  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+     prevent issues where no progress is being made and the peer continually
+     sends unrecognised record types, using up resources processing them.
+     [Matt Caswell]
+
  Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
 
   *) Missing CRL sanity check