Upgrade to openssl 101t for v0.12 #6553
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl.
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows.
sha256-x86_64.pl does not exist in the origin openssl distribution. It was copied from sha512-x86_64.pl and both sha256/sha512 scripts were modified so as to generates only one asm file specified as its key hash length. PR: nodejs#9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <[email protected]> PR: nodejs#25523 PR-URL: nodejs/node-v0.x-archive#25523 Reviewed-By: Julien Gilli <[email protected]> PR: nodejs#25654 PR-URL: nodejs/node-v0.x-archive#25654 Reviewed-By: Julien Gilli <[email protected]>
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . PR: nodejs#9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <[email protected]> PR: nodejs#25523 PR-URL: nodejs/node-v0.x-archive#25523 Reviewed-By: Julien Gilli <[email protected]> PR: nodejs#25654 PR-URL: nodejs/node-v0.x-archive#25654 Reviewed-By: Julien Gilli <[email protected]>
reapply b910613 PR: nodejs#9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <[email protected]> PR: nodejs#25523 PR-URL: nodejs/node-v0.x-archive#25523 Reviewed-By: Julien Gilli <[email protected]> PR: nodejs#25654 PR-URL: nodejs/node-v0.x-archive#25654 Reviewed-By: Julien Gilli <[email protected]>
Regenerate asm files with Makefile without CC and ASM envs.
In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. (cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74) Reviewed-By: James M Snell <[email protected]> PR-URL: nodejs/node-v0.x-archive#25368
|
Can it be you forgot the |
|
@bnoordhuis Thanks, I missed it. I should have checked Windows tests more further. New CI is https://ci.nodejs.org/job/node-test-commit/3187/ . There still exists test-tls-server-verify.js failures. I've tested the current v0.12-staging and it shows the same test failures so they are not related to this PR. |
|
@nodejs/crypto can we get signoff from someone qualified on this? The test-tls-server-verify.js failures all over the slaves concern me but if they are not new for these changes then I supposed that's OK. |
|
@shigeki would you mind applying the same to v0.10-staging too please? |
|
@rvagg Sure. I've just submitted CI job in https://ci.nodejs.org/job/node-test-commit/3193/. Should I opens a new PR for v0.10? |
|
Note that test-tls-server-verify.js is fine in v0.10. The failure is a specific issue in v0.12. |
|
LGTM. test-tls-server-verify.js has been failing since at least v0.12.7, possibly longer. |
shigeki
pushed a commit
that referenced
this pull request
May 5, 2016
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl. Fixes: #6458 PR-URL: #6553 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
that referenced
this pull request
May 5, 2016
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Fixes: #6458 PR-URL: #6553 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
that referenced
this pull request
May 5, 2016
Regenerate asm files with Makefile without CC and ASM envs. Fixes: #6458 PR-URL: #6553 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
that referenced
this pull request
May 5, 2016
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl. Fixes: #6458 PR-URL: #6553 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
that referenced
this pull request
May 5, 2016
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Fixes: #6458 PR-URL: #6553 Reviewed-By: Ben Noordhuis <[email protected]>
shigeki
pushed a commit
that referenced
this pull request
May 5, 2016
Regenerate asm files with Makefile without CC and ASM envs. Fixes: #6458 PR-URL: #6553 Reviewed-By: Ben Noordhuis <[email protected]>
|
Are we expecting a new release for 0.12 to contain this OpenSSL fix? The 4, 5, and 6 lines got new releases today but I don't see a cut of this for 0.12 |
rvagg
added a commit
that referenced
this pull request
May 6, 2016
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5987 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
rvagg
added a commit
that referenced
this pull request
May 6, 2016
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5988 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
rvagg
added a commit
that referenced
this pull request
May 6, 2016
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5987 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
rvagg
added a commit
that referenced
this pull request
May 6, 2016
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5988 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this pull request
Nov 4, 2016
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <[email protected]>
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this pull request
Nov 4, 2016
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <[email protected]>
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this pull request
Nov 4, 2016
Regenerate asm files with Makefile without CC and ASM envs. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <[email protected]>
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this pull request
Nov 4, 2016
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) nodejs/node#5988 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) nodejs/node#6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
Affected core subsystem(s)
tls/crypto
Description of change
openssl sources are upgraded to 1.0.1t and applied floating patches.
One more works was made in this upgrade.
-asm regenerated
asm codes were changed in this upgrade so that asm were regenerated without CC and ASM env.
CI is https://ci.nodejs.org/job/node-test-commit/3167/ but test-tls-server-verify.js was failed on several platforms due to some connection issues between server and spawned processes.
As far as I checked, the failures are not caused by this upgrade and need further investigation.
I'd like to know the test is flaky but I could not check CI results for v0.12 in the past. They seemed to be removed in the CI results.