Skip to content

Commit

Permalink
tools: remove openssl v1 update script
Browse files Browse the repository at this point in the history
PR-URL: nodejs#51378
Fixes: nodejs/security-wg#1182
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
marco-ippolito authored Jan 7, 2024
1 parent b87360a commit 5d412a7
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 117 deletions.
53 changes: 2 additions & 51 deletions .github/workflows/update-openssl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ permissions:
contents: read

jobs:
openssl-v3-update:
openssl-update:
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
Expand All @@ -19,7 +19,7 @@ jobs:
persist-credentials: false
- name: Check and download new OpenSSL version
run: |
./tools/dep_updaters/update-openssl.sh download_v3 > temp-output
./tools/dep_updaters/update-openssl.sh download > temp-output
cat temp-output
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
rm temp-output
Expand Down Expand Up @@ -58,52 +58,3 @@ jobs:
branch: actions/tools-update-openssl # Custom branch *just* for this Action.
commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
path: deps/openssl
openssl-v1-update:
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
ref: v16.x-staging
- name: Check and download new OpenSSL version
run: |
./tools/dep_updaters/update-openssl.sh download_v1 > temp-output
cat temp-output
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
rm temp-output
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- name: Create PR with first commit
if: env.NEW_VERSION
uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
# Creates a PR with the new OpenSSL source code committed
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
author: Node.js GitHub Bot <[email protected]>
body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
labels: dependencies
title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}'
path: deps/openssl
update-pull-request-title-and-body: true
- name: Regenerate platform specific files
if: env.NEW_VERSION
run: |
sudo apt install -y nasm libtext-template-perl
./tools/dep_updaters/update-openssl.sh regenerate
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- name: Add second commit
# Adds a second commit to the PR with the generated platform-dependent files
if: env.NEW_VERSION
uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
author: Node.js GitHub Bot <[email protected]>
branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
path: deps/openssl
78 changes: 12 additions & 66 deletions tools/dep_updaters/update-openssl.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,80 +9,26 @@ cleanup() {
exit $EXIT_CODE
}

download_v1() {
LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1');
if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
const releases = await res.json()
const latest = releases.findLast(({ ref }) => ref.includes('quic'));
if(!latest) throw new Error(`Could not find latest release for v1`);
console.log(latest.ref.replace('refs/tags/',''));
EOF
)"

NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g')

case "$NEW_VERSION_V1" in
*quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;;
*) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;;
esac

VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h"
CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1)

# This function exit with 0 if new version and current version are the same
compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION"

echo "Making temporary workspace..."
WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
cd "$WORKSPACE"

echo "Fetching OpenSSL source archive..."
OPENSSL_TARBALL="openssl.tar.gz"
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME"
log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
gzip -dc "$OPENSSL_TARBALL" | tar xf -
rm "$OPENSSL_TARBALL"

mv quictls-openssl-* openssl

echo "Replacing existing OpenSSL..."
rm -rf "$DEPS_DIR/openssl/openssl"
mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"

echo "All done!"
echo ""
echo "Please git add openssl, and commit the new version:"
echo ""
echo "$ git add -A deps/openssl/openssl"
echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\""
echo ""
# The last line of the script should always print the new version,
# as we need to add it to $GITHUB_ENV variable.
echo "NEW_VERSION=$NEW_VERSION_V1"
}

download_v3() {
LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
download() {
LATEST_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0');
if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
const releases = await res.json()
const latest = releases.findLast(({ ref }) => ref.includes('quic'));
if(!latest) throw new Error(`Could not find latest release for v3.0`);
if(!latest) throw new Error(`Could not find latest release`);
console.log(latest.ref.replace('refs/tags/',''));
EOF
)"
NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
NEW_VERSION=$(echo "$LATEST_TAG_NAME" | sed 's/openssl-//;s/-/+/g')

case "$NEW_VERSION_V3" in
*quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;;
*) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;;
case "$NEW_VERSION" in
*quic1) NEW_VERSION_NO_RELEASE="${NEW_VERSION%1}" ;;
*) NEW_VERSION_NO_RELEASE="$NEW_VERSION" ;;
esac
VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
# This function exit with 0 if new version and current version are the same
compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION"
compare_dependency_version "openssl" "$NEW_VERSION_NO_RELEASE" "$CURRENT_VERSION"

echo "Making temporary workspace..."

Expand All @@ -93,7 +39,7 @@ EOF

OPENSSL_TARBALL="openssl.tar.gz"

curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME"
curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_TAG_NAME"

log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"

Expand All @@ -110,11 +56,11 @@ EOF
echo "Please git add openssl, and commit the new version:"
echo ""
echo "$ git add -A deps/openssl/openssl"
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\""
echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION\""
echo ""
# The last line of the script should always print the new version,
# as we need to add it to $GITHUB_ENV variable.
echo "NEW_VERSION=$NEW_VERSION_V3"
echo "NEW_VERSION=$NEW_VERSION"
}

regenerate() {
Expand Down Expand Up @@ -168,7 +114,7 @@ main() {
. "$BASE_DIR/tools/dep_updaters/utils.sh"

case ${1} in
help | regenerate | download_v1 | download_v3 )
help | regenerate | download )
$1 "${2}"
;;
* )
Expand Down

0 comments on commit 5d412a7

Please sign in to comment.