
Upgrade to openssl-1.0.2k #11021

Closed


@shigeki shigeki commented Jan 26, 2017

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

deps, openssl

This is an upgrade to the latest openssl-1.0.2k. I've just upgraded the source and header files and cherry-picked the floating patches.

asm and asm_obsolete files need to be updated due to the fixes for CVE-2017-3732.

CC: @nodejs/crypto

shigeki and others added 7 commits January 27, 2017 00:38
This replaces all sources of openssl-1.0.2k.tar.gz into
deps/openssl/openssl

All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer to config/opensslconf.h.

`x86masm.pl` was mistakenly using the .486 instruction set, while `cpuid` (and
perhaps others) require .686.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>

See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>

Reapply b910613.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>

In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state, but it takes several seconds in each connection.
This adds -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and get better performance in the unit test
test-tls-server-verify.
Do not enable this except for use in the unit test.

Fixes: nodejs#1461
PR-URL: nodejs#1836
Reviewed-By: Ben Noordhuis <[email protected]>

Regenerate asm files with Makefile and CC=gcc and ASM=gcc, where
gcc is 5.4.0. asm files in the asm_obsolete dir, which support old compilers
and assemblers, are also regenerated without the CC and ASM envs.
@shigeki shigeki added the openssl Issues and PRs related to the OpenSSL dependency. label Jan 26, 2017
@shigeki
Contributor Author

shigeki commented Jan 26, 2017

Member

@bnoordhuis bnoordhuis left a comment


Rubber-stamp LGTM.

@nodejs-github-bot nodejs-github-bot added openssl Issues and PRs related to the OpenSSL dependency. lts-watch-v6.x labels Jan 26, 2017
Member

@indutny indutny left a comment


LGTM, verified the source files. Thank you!

shigeki added a commit that referenced this pull request Jan 26, 2017
This replaces all sources of openssl-1.0.2k.tar.gz into
deps/openssl/openssl

PR-URL: #11021
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki added a commit that referenced this pull request Jan 26, 2017
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #11021
Reviewed-By: Ben Noordhuis <[email protected]>
shigeki added a commit that referenced this pull request Jan 26, 2017
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where
gcc-5.4.0. Also asm files in asm_obsolete dir to support old compiler
and assembler are regenerated without CC and ASM envs

PR-URL: #11021
Reviewed-By: Ben Noordhuis <[email protected]>
@shigeki
Contributor Author

shigeki commented Jan 26, 2017

CI is all green. Landed in 31e3b81, c0eefcb, 0af423c, 809fa3b, 0ea2711, 2a74481 and a67a04d.

@sam-github Please take care of the above commits for v4 and v6. Notify me if you have any trouble.

@indutny Very sorry, I've just landed it and missed your name in the reviewers.

@indutny
Member

indutny commented Jan 26, 2017

That's a pity. Please give me several hours next time, please (ください).

@shigeki
Contributor Author

shigeki commented Jan 26, 2017

@indutny Sorry, I will do so next time. I just wanted to go to bed early. By the way, good Japanese.

@indutny
Member

indutny commented Jan 26, 2017

No worries at all.

@targos
Member

targos commented Jan 28, 2017

While updating v7.x-staging, I saw that branch-diff only reports the commits that are new:

  • [31e3b81290] - deps: upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
  • [c0eefcb461] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #11021
  • [a67a04d765] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #11021

I took care of cherry-picking the 7 commits together but it could be easy to miss if one is not overcautious.

targos pushed a commit that referenced this pull request Jan 28, 2017
targos pushed a commit that referenced this pull request Jan 28, 2017
targos pushed a commit that referenced this pull request Jan 28, 2017
@italoacasas italoacasas mentioned this pull request Jan 29, 2017
italoacasas pushed a commit to italoacasas/node that referenced this pull request Jan 30, 2017
italoacasas pushed a commit to italoacasas/node that referenced this pull request Jan 30, 2017
MylesBorins pushed a commit that referenced this pull request Jan 30, 2017
MylesBorins pushed a commit that referenced this pull request Jan 30, 2017
MylesBorins pushed a commit that referenced this pull request Jan 30, 2017
MylesBorins pushed a commit that referenced this pull request Jan 31, 2017
MylesBorins pushed a commit that referenced this pull request Jan 31, 2017
MylesBorins pushed a commit that referenced this pull request Jan 31, 2017
MylesBorins pushed a commit that referenced this pull request Jan 31, 2017
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k

Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website

https://nodejs.org/en/blog/vulnerability/openssl-january-2017/

Notable Changes:

* deps:
  - upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
		#11021
MylesBorins pushed a commit that referenced this pull request Jan 31, 2017
MylesBorins added a commit that referenced this pull request Jan 31, 2017
PR-URL: #11083
MylesBorins added a commit that referenced this pull request Jan 31, 2017
PR-URL: #11081
evanlucas added a commit that referenced this pull request Jan 31, 2017
Notable changes:

* crypto:
  * ability to select cert store at runtime (Adam Majer) #8334
  * Use system CAs instead of using bundled ones (Adam Majer) #8334
* deps:
  * upgrade npm to 4.1.2 (Kat Marchán) #11020
  * upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
* doc: add basic documentation for WHATWG URL API (James M Snell) #10620
* process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
* url: allow use of URL with http.request and https.request (James M Snell) #10638

PR-URL: #11062
MylesBorins added a commit that referenced this pull request Jan 31, 2017
MylesBorins added a commit that referenced this pull request Feb 1, 2017
evanlucas added a commit that referenced this pull request Feb 1, 2017
@Fishrock123
Contributor

@targos arguably a bug but yeah those probably look like dupes to it, in a sense.

There is a limited number of things it can reliably check, but those probably match on same author, same commit message, same PR-URL.

@shigeki
Contributor Author

shigeki commented Feb 2, 2017

I applied each floating patch in every update to confirm they are really needed and can be applied without any conflicts. I agree that most of them need not be re-applied, but we tend to forget them after several updates.
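
To make the behaviour discussed in the two comments above concrete, the following is an added example; it is not code from the nodejs/node repository or from the branch-diff tool. It models the matching heuristic described in the thread (same author, same commit message, same PR-URL) and shows why the four re-applied floating patches vanish from a "new commits" report, then adds the check a backporter would want: which of a PR's landed commits were suppressed, and which commit already on the target branch each one matched. The three reported subjects, their short hashes and the PR-URLs come from this thread; the floating-patch subjects, authors and hashes are placeholders.

```javascript
// Added example, not code from nodejs/node or branch-diff: models matching
// commits across branches by (author, subject, PR-URL) and explains what that
// heuristic hides from a backporter.

function commit(sha, author, subject, prUrl) {
  return { sha, author, subject, prUrl };
}

// Constructed sample data. Floating-patch subjects, authors and hashes are
// placeholders; the PR-URLs are the ones carried in the patches' own messages.
const FLOATING = [
  ['deps: floating patch A (placeholder subject)', 'nodejs#1389'],
  ['deps: floating patch B (placeholder subject)', 'nodejs#1389'],
  ['deps: floating patch C (placeholder subject)', 'nodejs#1389'],
  ['deps: floating patch D (placeholder subject)', 'nodejs#1836'],
];

// master after PR #11021 landed: 3 genuinely new commits + 4 re-applied patches,
// in the order given in the landing comment.
const master = [
  commit('31e3b81', 'Shigeki Ohtsu', 'deps: upgrade openssl sources to 1.0.2k', '#11021'),
  commit('c0eefcb', 'Shigeki Ohtsu', 'deps: copy all openssl header files to include dir', '#11021'),
  ...FLOATING.map(([subject, prUrl], i) =>
    commit(`f000000${i}`, 'Placeholder Author', subject, prUrl)),
  commit('a67a04d', 'Shigeki Ohtsu', 'deps: update openssl asm and asm_obsolete files', '#11021'),
];

// v7.x-staging before the backport: the floating patches are already present
// from the previous OpenSSL upgrade, cherry-picked under different hashes.
const staging = FLOATING.map(([subject, prUrl], i) =>
  commit(`s000000${i}`, 'Placeholder Author', subject, prUrl));

// Matching identity. Hashes deliberately play no part: a cherry-pick changes
// the hash but leaves these three fields intact.
function commitKey(c) {
  return [c.author, c.subject, c.prUrl].join('\u0000');
}

// branch-diff style report: source commits with no matching commit on target.
function newCommits(source, target) {
  const present = new Set(target.map(commitKey));
  return source.filter((c) => !present.has(commitKey(c)));
}

// Backporter's check: for the commits a PR is known to have landed, list the
// ones the heuristic hid together with the target commit each one collided
// with, so the match can be confirmed as a real duplicate rather than assumed.
function suppressedCommits(prCommits, target) {
  const onTarget = new Map(target.map((c) => [commitKey(c), c]));
  return prCommits
    .filter((c) => onTarget.has(commitKey(c)))
    .map((c) => ({ sha: c.sha, subject: c.subject, matchedSha: onTarget.get(commitKey(c)).sha }));
}

// Stand-alone run: the report shows only the 3 new commits, as in the thread,
// and the check names the 4 that were silently dropped.
for (const c of newCommits(master, staging)) {
  console.log(`[${c.sha}] - ${c.subject} (${c.author}) ${c.prUrl}`);
}
for (const s of suppressedCommits(master, staging)) {
  console.log(`suppressed ${s.sha} "${s.subject}": matches ${s.matchedSha} on target`);
}
```

Running `suppressedCommits` over the PR's full commit list before cherry-picking gives the backporter the same count the PR author expects (seven) instead of the three the report shows, which is the gap targos describes.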

imyller added a commit to imyller/meta-nodejs that referenced this pull request Mar 2, 2017
imyller added a commit to imyller/meta-nodejs that referenced this pull request Mar 2, 2017
imyller added a commit to imyller/meta-nodejs that referenced this pull request Mar 2, 2017
imyller added a commit to imyller/meta-nodejs that referenced this pull request Mar 2, 2017