
[v10.x backport] Update openssl1.1.1a #26270

Closed

Conversation

@sam-github
Member

commented Feb 23, 2019

Backport openssl 1.1.1a related PRs. They depend on each other, so I am including them in one PR:

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
@nodejs-github-bot

commented Feb 23, 2019

@sam-github sadly an error occurred when I tried to trigger a build :(

@sam-github

Member Author

commented Feb 23, 2019

re: #24979 (comment)

@nodejs/lts @MylesBorins @BethGriggs Please make sure this makes its way into the upcoming 10.x semver-minor release.

@sam-github sam-github force-pushed the sam-github:update_openssl1.1.1a-v10.x branch from 6d2c6f5 to a17cd51 Feb 23, 2019
@mscdex mscdex referenced this pull request Feb 26, 2019
@rvagg rvagg force-pushed the nodejs:v10.x-staging branch from 5711238 to 156e4c8 Feb 28, 2019
@sam-github

Member Author

commented Feb 28, 2019

sam-github and others added 12 commits May 6, 2018
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.

Backport-PR-URL: #24676
PR-URL: #24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Fill in correct pr-url: value in the YAML changelog that was missing
from f512f5e. The stanza was also sorted in the wrong order, most
recent is supposed to be at the beginning of the changes, not the end.

PR-URL: #24759
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
Some of the defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generation needs to be
fixed to include them.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports up to AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
OpenSSL-1.1.1 has new support for AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibility.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
Add new assembler version requirements for AVX-512 support
in OpenSSL-1.1.1.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
AIX has its own assembler, not GNU as, which does not support --noexecstack.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called when
sending a HelloRequest in OpenSSL-1.1.1.
We need to check whether this is in a renegotiation state or not.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
`cd deps/openssl/config; make` updates all arch-dependent files.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
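The min/max option change described by the first commit in the list above, as an added illustration that is not Node's own code: it models why an explicit minVersion/maxVersion pair is easier to reason about than the OpenSSL-method-style secureProtocol strings, and shows the conflict check a context builder should make. The function names and the default range (TLSv1.2 to TLSv1.3) are assumptions for this example; the version strings and method names are those used by the Node tls API and OpenSSL.

```javascript
'use strict';
// Added illustration, not Node's own implementation: models the option
// change the "tls: add min/max protocol version options" commit describes.
// The version strings and secureProtocol method names are those the Node
// tls API and OpenSSL use; the function names and the default range
// (TLSv1.2..TLSv1.3) are assumptions made for this example.

const VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];

// The legacy secureProtocol strings mirror OpenSSL C API method names and
// can only pin a single version or allow every supported version.
const LEGACY_METHODS = {
  TLSv1_method: ['TLSv1', 'TLSv1'],
  TLSv1_1_method: ['TLSv1.1', 'TLSv1.1'],
  TLSv1_2_method: ['TLSv1.2', 'TLSv1.2'],
  TLS_method: ['TLSv1', 'TLSv1.3'],
};

// Returns the ordered list of protocol versions a context would accept,
// or throws when the options are contradictory or name an unknown version.
function resolveVersionRange(opts) {
  const { secureProtocol, minVersion, maxVersion } = opts;
  if (secureProtocol && (minVersion || maxVersion)) {
    // Node reports this combination as ERR_TLS_PROTOCOL_VERSION_CONFLICT;
    // silently preferring one of them would be an easy way to ship a
    // weaker range than the caller intended.
    throw new Error('secureProtocol conflicts with minVersion/maxVersion');
  }
  let min = minVersion || 'TLSv1.2';
  let max = maxVersion || 'TLSv1.3';
  if (secureProtocol) {
    const range = LEGACY_METHODS[secureProtocol];
    if (!range) throw new Error(`unsupported secureProtocol ${secureProtocol}`);
    [min, max] = range;
  }
  const lo = VERSIONS.indexOf(min);
  const hi = VERSIONS.indexOf(max);
  if (lo < 0 || hi < 0) throw new Error(`invalid TLS version name ${min}/${max}`);
  if (lo > hi) throw new Error(`minVersion ${min} is above maxVersion ${max}`);
  return VERSIONS.slice(lo, hi + 1);
}

// Explicit min/max reads as the policy it enforces.
console.log(resolveVersionRange({ minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' }));
// The equivalent legacy spelling hides the same intent behind a method name.
console.log(resolveVersionRange({ secureProtocol: 'TLSv1_2_method' }));
```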
@sam-github sam-github force-pushed the sam-github:update_openssl1.1.1a-v10.x branch from a17cd51 to d502073 Feb 28, 2019
@sam-github

Member Author

commented Feb 28, 2019

@sam-github

Member Author

commented Mar 1, 2019

re-ci: https://ci.nodejs.org/job/node-test-pull-request/21099/

the few failures look like the flaky builds, so trying to resume.

@sam-github sam-github referenced this pull request Mar 1, 2019
@sam-github

Member Author

commented Mar 2, 2019

@rvagg

Member

commented Mar 13, 2019

cool 👍

excited for this!

Member

left a comment

RSLGTM

@mhdawson

Member

commented Mar 14, 2019

@sam-github did the backports land cleanly or were there things you needed to adjust?

@sam-github

Member Author

commented Mar 14, 2019

@BethGriggs tls: add min/max had minor textual conflicts, because 3b4159c is on master and not on 10.x, so I had to do some minor textual fixups there. Compare git show f512f5ea138 and git show be6a3a1, you don't have to be a TLS expert. The rest of the changes just cherry-picked clean, IIRC. Maybe I should have done a separate PR for each backport, but since they are cumulative (EDIT: dependent), I would have had to do it sequentially, and they would have had to be reviewed and merged to v10.x staging before I could do the next. It didn't occur to me this would need re-review.

@nodejs/crypto PTAL


BethGriggs added a commit that referenced this pull request Mar 28, 2019
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.

Backport-PR-URL: #26270
PR-URL: #24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
Fill in correct pr-url: value in the YAML changelog that was missing
from f512f5e. The stanza was also sorted in the wrong order, most
recent is supposed to be at the beginning of the changes, not the end.

Backport-PR-URL: #26270
PR-URL: #24759
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
Some of the defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generation needs to be
fixed to include them.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports up to AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
OpenSSL-1.1.1 has new support for AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibility.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
Add new assembler version requirements for AVX-512 support
in OpenSSL-1.1.1.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
AIX has its own assembler, not GNU as, which does not support --noexecstack.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called when
sending a HelloRequest in OpenSSL-1.1.1.
We need to check whether this is in a renegotiation state or not.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
`cd deps/openssl/config; make` updates all arch-dependent files.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
BethGriggs added a commit that referenced this pull request Mar 28, 2019
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

Backport-PR-URL: #26270
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@BethGriggs

Member

commented Mar 28, 2019

Landed on v10.x-staging (a92286d...b0b73fa)

@BethGriggs BethGriggs closed this Mar 28, 2019
@sam-github sam-github deleted the sam-github:update_openssl1.1.1a-v10.x branch Mar 29, 2019