Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v10.x backport] Update openssl1.1.1a #26270

Closed

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented Feb 23, 2019

Backport openssl 1.1.1a related PRs. They depend on each other, so I am including in one PR:

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

@sam-github sadly an error occured when I tried to trigger a build :(

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. doc Issues and PRs related to the documentations. openssl Issues and PRs related to the OpenSSL dependency. v10.x labels Feb 23, 2019
@sam-github
Copy link
Contributor Author

re: #24979 (comment)

@nodejs/lts @MylesBorins @BethGriggs Please make sure this makes its way into the upcoming 10.x semver-minor release.

@sam-github
Copy link
Contributor Author

sam-github and others added 12 commits February 28, 2019 13:33
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.

Backport-PR-URL: nodejs#24676
PR-URL: nodejs#24405
Reviewed-By: Refael Ackermann <[email protected]>
Reviewed-By: Rod Vagg <[email protected]>
Fill in correct pr-url: value in the YAML changelog that was missing
from f512f5e. The stanza was also sorted in the wrong order, most
recent is supposed to be in the beginning of the changes, not the end.

PR-URL: nodejs#24759
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
AIX has own assembler not GNU as that does not support --noexecstack.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
Add new requirements of assembler version for AVX-512 support
in OpenSSL-1.1.1.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
`cd deps/openssl/config; make` updates all archs dependant files.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
sending HelloRequest in OpenSSL-1.1.1.
We need to check whether this is in a renegotiation state or not.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: nodejs#25688
@sam-github
Copy link
Contributor Author

@sam-github
Copy link
Contributor Author

re-ci: https://ci.nodejs.org/job/node-test-pull-request/21099/

the few failures look like the flaky builds, so trying to resume.

@sam-github sam-github mentioned this pull request Mar 1, 2019
2 tasks
@sam-github
Copy link
Contributor Author

sam-github commented Mar 2, 2019

@mhdawson
Copy link
Member

@sam-github did the backports land cleanly or where there things up needed to adjust?

@sam-github
Copy link
Contributor Author

sam-github commented Mar 14, 2019

@BethGriggs tls: add min/max had minor textual conflicts, because 3b4159c is on master and not on 10.x, so I had to do some minor textual fixups there. Compare git show f512f5ea138 and git show be6a3a1, you don't have to be a TLS expert. The rest of the changes just cherry-picked clean, IIRC. Maybe I should have done a seperate PR for each backport, but since they are cumulative (EDIT: dependant), I would have had to do it sequentially, and they would have had to be reviewed and merged to v10.x staging before I could do the next. It didn't occur to me this would need re-review.

@nodejs/crypto PTAL

@nodejs-github-bot
Copy link
Collaborator

BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.

Backport-PR-URL: #26270
PR-URL: #24405
Reviewed-By: Refael Ackermann <[email protected]>
Reviewed-By: Rod Vagg <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
Fill in correct pr-url: value in the YAML changelog that was missing
from f512f5e. The stanza was also sorted in the wrong order, most
recent is supposed to be in the beginning of the changes, not the end.

Backport-PR-URL: #26270
PR-URL: #24759
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
Add new requirements of assembler version for AVX-512 support
in OpenSSL-1.1.1.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
AIX has own assembler not GNU as that does not support --noexecstack.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
sending HelloRequest in OpenSSL-1.1.1.
We need to check whether this is in a renegotiation state or not.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
BethGriggs pushed a commit that referenced this pull request Mar 28, 2019
`cd deps/openssl/config; make` updates all archs dependant files.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
@BethGriggs
Copy link
Member

Landed on v10.x-staging (a92286d...b0b73fa)

@BethGriggs BethGriggs closed this Mar 28, 2019
@sam-github sam-github deleted the update_openssl1.1.1a-v10.x branch March 29, 2019 18:57
BaochengSu added a commit to BaochengSu/node that referenced this pull request Oct 22, 2020
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch

Original commit message:

Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3
Upstream commits:

commit 8dd8033
Author: Shigeki Ohtsu <[email protected]>
Date:   Wed Sep 12 17:34:24 2018 +0900

    tls: workaround handshakedone in renegotiation

    `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
    sending HelloRequest in OpenSSL-1.1.1.
    We need to check whether this is in a renegotiation state or not.

    Backport-PR-URL: nodejs#26270
    PR-URL: nodejs#25381
    Reviewed-By: Daniel Bevenius <[email protected]>
    Reviewed-By: Shigeki Ohtsu <[email protected]>

commit 161dca7
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 28 14:11:18 2018 -0800

    tls: re-define max supported version as 1.2

    Several secureProtocol strings allow any supported TLS version as the
    maximum, but our maximum supported protocol version is TLSv1.2 even if
    someone configures a build against an OpenSSL that supports TLSv1.3.

    Fixes: nodejs#24658

    PR-URL: nodejs#25024
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    Reviewed-By: Daniel Bevenius <[email protected]>
    Reviewed-By: Colin Ihrig <[email protected]>

Partial port, remain compatible with 1.0.2:

commit 970ce14
Author: Shigeki Ohtsu <[email protected]>
Date:   Wed Mar 14 14:26:55 2018 +0900

    crypto: remove deperecated methods of TLS version

    All version-specific methods were deprecated in OpenSSL 1.1.0 and
    min/max versions explicitly need to be set.
    This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now.

    crypto, constants: add constant of OpenSSL-1.1.0

    Several constants for OpenSSL-1.1.0 engine were removed and renamed in
    OpenSSL-1.1.0. This added one renamed constant in order to have a
    compatible feature with that of OpenSSL-1.0.2.
    Other missed or new constants in OpenSSL-1.1.0 are not yet added.

    crypto,tls,constants: remove OpenSSL1.0.2 support

    This is semver-majar change so that we need not to have
    compatibilities with older versions.

    Fixes: nodejs#4270
    PR-URL: nodejs#19794
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>

Signed-off-by: Su Baocheng <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Jul 14, 2022
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:openssl_1_1_1.patch

Original commit message:

Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3
Upstream commits:

commit 8dd8033
Author: Shigeki Ohtsu <[email protected]>
Date:   Wed Sep 12 17:34:24 2018 +0900

    tls: workaround handshakedone in renegotiation

    `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
    sending HelloRequest in OpenSSL-1.1.1.
    We need to check whether this is in a renegotiation state or not.

    Backport-PR-URL: nodejs#26270
    PR-URL: nodejs#25381
    Reviewed-By: Daniel Bevenius <[email protected]>
    Reviewed-By: Shigeki Ohtsu <[email protected]>

commit 161dca7
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 28 14:11:18 2018 -0800

    tls: re-define max supported version as 1.2

    Several secureProtocol strings allow any supported TLS version as the
    maximum, but our maximum supported protocol version is TLSv1.2 even if
    someone configures a build against an OpenSSL that supports TLSv1.3.

    Fixes: nodejs#24658

    PR-URL: nodejs#25024
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    Reviewed-By: Daniel Bevenius <[email protected]>
    Reviewed-By: Colin Ihrig <[email protected]>

Partial port, remain compatible with 1.0.2:

commit 970ce14
Author: Shigeki Ohtsu <[email protected]>
Date:   Wed Mar 14 14:26:55 2018 +0900

    crypto: remove deperecated methods of TLS version

    All version-specific methods were deprecated in OpenSSL 1.1.0 and
    min/max versions explicitly need to be set.
    This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now.

    crypto, constants: add constant of OpenSSL-1.1.0

    Several constants for OpenSSL-1.1.0 engine were removed and renamed in
    OpenSSL-1.1.0. This added one renamed constant in order to have a
    compatible feature with that of OpenSSL-1.0.2.
    Other missed or new constants in OpenSSL-1.1.0 are not yet added.

    crypto,tls,constants: remove OpenSSL1.0.2 support

    This is semver-majar change so that we need not to have
    compatibilities with older versions.

    Fixes: nodejs#4270
    PR-URL: nodejs#19794
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>

Signed-off-by: Su Baocheng <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI. doc Issues and PRs related to the documentations. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants