Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update openssl 1.1.1c #28211

Closed
wants to merge 3 commits into from
Closed

Conversation

sam-github
Copy link
Contributor

See:

Note openssl 1.1.1c fixes CVE https://www.openssl.org/news/vulnerabilities.html#2019-1543, but I believe this does not affect node since #26537 protects it. Arguably, we could back out #26537, except that it can creep back in if an external OpenSSL 1.1.1a or b is used. Best to leave, I think.

/to @nodejs/crypto

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

Patching the s390 asm rules is no longer required.

See: openssl/openssl#8351
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
    $ mv openssl-1.1.1c openssl
    $ git add --all openssl
    $ git commit openssl
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 13, 2019

Sadly, an error occurred when I tried to trigger a build. :(
CI: https://ci.nodejs.org/job/node-test-pull-request/23868/
CI: https://ci.nodejs.org/job/node-test-pull-request/23873/

@nodejs-github-bot nodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Jun 13, 2019
After an OpenSSL source update, all the config files need to be regenerated and
comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit
@sam-github
Copy link
Contributor Author

backport: #28212

@sam-github
Copy link
Contributor Author

@nodejs/releasers @nodejs/lts This cherry-picks clean onto 12.x-staging, but it does not onto v10.x-staging, so I backported. Possibly it needs to "bake" by being in a 12.x release before getting released on 10.x.

@sam-github sam-github added the baking-for-lts PRs that need to wait before landing in a LTS release. label Jun 13, 2019
@richardlau
Copy link
Member

richardlau commented Jun 13, 2019

@nodejs/releasers @nodejs/lts This cherry-picks clean onto 12.x-staging, but it does not onto v10.x-staging, so I backported. Possibly it needs to "bake" by being in a 12.x release before getting released on 10.x.

We did reserve a date (June 25th) for a security release across all currently supported versions of Node.js. This OpenSSL update seems like the sort of thing the reserved date was intended for (non-critical security updates).

Copy link
Contributor

@ryzokuken ryzokuken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RSLGTM. I think you'd need to run license-builder.sh?

Copy link
Contributor

@shigeki shigeki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that #26537 fixed CVE-2019-1543 and leave it for the older version is used in the shared library.

@sam-github
Copy link
Contributor Author

@ryzokuken I've never run license-builder.sh, and its not part of the OpenSSL update instructions (see deps/openssl/config/README.md). Should it be?

OpenSSL doesn't change its license in patches, but when I tried running it, I noticed the valgrind license seems out of date.

Copy link
Member

@tniessen tniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RSLGTM, thanks Sam.

@danbev danbev added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jun 17, 2019
BridgeAR pushed a commit to BridgeAR/node that referenced this pull request Jun 17, 2019
Patching the s390 asm rules is no longer required.

See: openssl/openssl#8351

PR-URL: nodejs#28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
BridgeAR pushed a commit to BridgeAR/node that referenced this pull request Jun 17, 2019
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
    $ mv openssl-1.1.1c openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: nodejs#28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
BridgeAR pushed a commit to BridgeAR/node that referenced this pull request Jun 17, 2019
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: nodejs#28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
@BridgeAR
Copy link
Member

Landed in b6326ce...7cb8981 🎉

@BridgeAR BridgeAR closed this Jun 17, 2019
BridgeAR pushed a commit that referenced this pull request Jun 17, 2019
Patching the s390 asm rules is no longer required.

See: openssl/openssl#8351

PR-URL: #28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
BridgeAR pushed a commit that referenced this pull request Jun 17, 2019
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
    $ mv openssl-1.1.1c openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
BridgeAR pushed a commit that referenced this pull request Jun 17, 2019
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: #28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
@BridgeAR BridgeAR mentioned this pull request Jun 17, 2019
targos pushed a commit that referenced this pull request Jun 18, 2019
Patching the s390 asm rules is no longer required.

See: openssl/openssl#8351

PR-URL: #28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
targos pushed a commit that referenced this pull request Jun 18, 2019
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
    $ mv openssl-1.1.1c openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
targos pushed a commit that referenced this pull request Jun 18, 2019
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: #28211
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
@Trott
Copy link
Member

Trott commented Jun 22, 2019

Looks like this update causes test/pummel/test-crypto-dh.js to never finish. (Previously, it took about 12 seconds to run on CI.) Investigating, but if anyone has any immediate ideas, that would be helpful.

@Trott
Copy link
Member

Trott commented Jun 22, 2019

The test still passes given enough time but performance of getDiffieHellman() is much much worse than before. Might be not-a-bug if it’s due to a security fix or something?

@Trott
Copy link
Member

Trott commented Jun 23, 2019

Pummel test issues workarounds/fixes in #28390

@sam-github sam-github deleted the update-openssl-1.1.1c branch June 24, 2019 02:15
@sam-github
Copy link
Contributor Author

@Trott re:

Unfortunately, 4c8fe4a doesn't build, which is currently messing up my bisect to find where a crypto dh problem was introduced. Fortunately, it's probably this PR, so...I think I can work around it. But 66b4930 probably should have been squashed into that commit.

I wouldn't expect bisect to work across any openssl updates, because upstream sources are updated in a seperate commit from the config files generated by node's build system, according to our openssl update process, see https://github.com/nodejs/node/blob/master/deps/openssl/config/README.md#4-commit-and-make-test.

There are some pros and cons to changing the process we use to vendor in openssl updates. In general, every commit would pass make test, I think we can agree thats a big "pro". But if you look at the branches where we have floating patches on openssl (and possibly v8, or any dep, but I'm not familiar with them) that would require squashing the upstream vanilla sourc, with our floating patches and with the autogenerated config, so it would no longer be clear what in the commit came from upstream, and what came from us, which is something of a "con". I've no strong opinion either way, other than that we should be probably be consistent with how we manage all our deps, and I confess to not paying much attention to anything but the openssl updates and the mozilla certificate updates (https://github.com/nodejs/node/blob/master/doc/guides/updating-root-certs.md). The latter creates two commits in a row, too, but the first commit is just data, and doesn't break make all or make test.

@Trott
Copy link
Member

Trott commented Jun 24, 2019

@sam-github Ah, thanks for the explanation. That makes a lot of sense.

BridgeAR added a commit that referenced this pull request Jun 26, 2019
Notable changes:

This release contains `semver-major` commits. These are in fact not
`semver-major` due to follow-up commits that remove all breaking changes.

* build:
  * The startup time is reduced by enabling V8 snapshots by default
    #28181
* deps:
  * Updated `V8` to 7.5.288.22 #27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c #28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure #27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    #27851
* report:
  * The cpu info got added to the report output
    #28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    #24260
* tools,gyp:
  * Introduce MSVS 2019 #27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      #28059
      #28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines #28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated #28021

PR-URL: #28268
BridgeAR added a commit that referenced this pull request Jun 26, 2019
Notable changes:

* build:
  * The startup time is reduced by enabling V8 snapshots by default
    #28181
* deps:
  * Updated `V8` to 7.5.288.22 #27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c #28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure #27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    #27851
* report:
  * The cpu info got added to the report output
    #28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    #24260
* tools,gyp:
  * Introduce MSVS 2019 #27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      #28059
      #28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines #28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated #28021

PR-URL: #28268
BridgeAR added a commit that referenced this pull request Jun 26, 2019
Notable changes:

* build:
  * The startup time is reduced by enabling V8 snapshots by default
    #28181
* deps:
  * Updated `V8` to 7.5.288.22 #27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c #28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure #27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    #27851
* report:
  * The cpu info got added to the report output
    #28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    #24260
* tools,gyp:
  * Introduce MSVS 2019 #27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      #28059
      #28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines #28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated #28021

PR-URL: #28268
BridgeAR added a commit that referenced this pull request Jun 27, 2019
Notable changes:

* build:
  * The startup time is reduced by enabling V8 snapshots by default
    #28181
* deps:
  * Updated `V8` to 7.5.288.22 #27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c #28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure #27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    #27851
* report:
  * The cpu info got added to the report output
    #28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    #24260
* tools,gyp:
  * Introduce MSVS 2019 #27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      #28059
      #28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines #28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated #28021

PR-URL: #28268
BridgeAR added a commit to BridgeAR/node that referenced this pull request Jun 27, 2019
Notable changes:

* build:
  * The startup time is reduced by enabling V8 snapshots by default
    nodejs#28181
* deps:
  * Updated `V8` to 7.5.288.22 nodejs#27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c nodejs#28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure nodejs#27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    nodejs#27851
* report:
  * The cpu info got added to the report output
    nodejs#28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    nodejs#24260
* tools,gyp:
  * Introduce MSVS 2019 nodejs#27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      nodejs#28059
      nodejs#28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines nodejs#28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated nodejs#28021

PR-URL: nodejs#28268
@richardlau richardlau removed the baking-for-lts PRs that need to wait before landing in a LTS release. label Nov 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants