Upgrade openssl-1.1.0e for Node-v8 (DO NOT LAND THIS)

configure

@@ -153,6 +153,12 @@ parser.add_option('--openssl-fips',
     dest='openssl_fips',
     help='Build OpenSSL using FIPS canister .o file in supplied folder')
 
+parser.add_option('--use-openssl110',
+    action='store_true',
+    dest='use_openssl110',
+    default=True,
+    help='Build with OpenSSL-1.1.0 (Experimental)')
+
 parser.add_option('--openssl-use-def-ca-store',
     action='store_true',
     dest='use_openssl_ca_store',
@@ -582,6 +588,28 @@ def get_xcode_version(cc):
   return get_version_helper(
     cc, r"(^Apple LLVM version) ([5-9]\.[0-9]+)")
 
+def get_nasm_version(asm):
+  try:
+    proc = subprocess.Popen(shlex.split(asm) + ['-v'],
+                            stdin=subprocess.PIPE, stderr=subprocess.PIPE,
+                            stdout=subprocess.PIPE)
+  except OSError:
+    print('''Node.js configure error: No acceptable ASM compiler found!
+            Please make sure you have installed nasm from http://www.nasm.us
+            or add an option of openssl_no_asm.
+        ''')
+#    sys.exit()
+# fallback to openssl_no_asm when nasm is not installed
+    return 0
+
+  match = re.match(r"NASM version ([2-9]\.[0-9][0-9]+)",
+                   proc.communicate()[0])
+
+  if match:
+    return match.group(1)
+  else:
+    return 0
+
 def get_gas_version(cc):
   try:
     proc = subprocess.Popen(shlex.split(cc) + ['-Wa,-v', '-c', '-o',
@@ -612,6 +640,11 @@ def get_gas_version(cc):
 # quite prepared to go that far yet.
 def check_compiler(o):
   if sys.platform == 'win32':
+    if options.use_openssl110 and not options.openssl_no_asm:
+      nasm_version = get_nasm_version('nasm')
+      o['variables']['nasm_version'] = nasm_version
+      if nasm_version == 0:
+        o['variables']['openssl_no_asm'] = 1
     return
 
   ok, is_clang, clang_version, gcc_version = try_check_compiler(CXX, 'c++')
@@ -960,21 +993,47 @@ def configure_v8(o):
 
 
 def configure_openssl(o):
-  o['variables']['node_use_openssl'] = b(not options.without_ssl)
-  o['variables']['node_shared_openssl'] = b(options.shared_openssl)
-  o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+  variables = o['variables'];
+  variables['node_use_openssl'] = b(not options.without_ssl)
+  variables['node_shared_openssl'] = b(options.shared_openssl)
+  variables['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
   if options.use_openssl_ca_store:
     o['defines'] += ['NODE_OPENSSL_CERT_STORE']
   if options.openssl_fips:
-    o['variables']['openssl_fips'] = options.openssl_fips
+    variables['openssl_fips'] = options.openssl_fips
     fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
     fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
     o['make_fips_settings'] = [
       ['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
     ]
   else:
-    o['variables']['openssl_fips'] = ''
-
+    variables['openssl_fips'] = ''
+
+  if options.use_openssl110:
+    variables['use_openssl110'] = 'true'
+
+    # supported asm compiler for AVX2. See https://github.com/openssl/openssl/
+    # blob/OpenSSL_1_1_0-stable/crypto/modes/asm/aesni-gcm-x86_64.pl#L52-L69
+    openssl110_asm_supported = \
+    ('gas_version' in variables and variables['gas_version'] >= '2.23') or \
+    ('xcode_version' in variables and variables['xcode_version'] >= '5.0') or \
+    ('llvm_version' in variables and variables['llvm_version'] >= '3.3') or \
+    ('nasm_version' in variables and variables['nasm_version'] >= '2.10')
+
+    if not openssl110_asm_supported and variables['openssl_no_asm'] == 0:
+      warn('asm compiler is old. openssl_no_asm is added.')
+      variables['openssl_no_asm'] = 1
+
+    # s390x is not asm supprted
+    if variables['target_arch'] == 's390x' and variables['openssl_no_asm'] == 0:
+      warn('s390x does not support openssl asm.')
+      variables['openssl_no_asm'] = 1
+
+    if options.openssl_fips:
+      warn('openssl-1.1.0 does not support FIPS. Use 1.0.2 instead.')
+      variables['use_openssl110'] = 'false'
+  else:
+    variables['use_openssl110'] = 'false'
 
   if options.without_ssl:
     return

deps/openssl110/README.md

@@ -0,0 +1,44 @@
+This has a new binding scheme in builing OpenSSL-1.1.0 library with
+Node. OpenSSL-1.1.0 uses a new build system with perl for various
+supported platforms. See `Configurations/README` and
+`Configurations/README.design` in the OpenSSL source for details.
+
+In order to build OpenSSL library without perl in the build of Node
+for various supported platforms, platform dependent files (e.g. asm
+and header files ) are pre-generated and stored into the
+`config/archs` directory.
+
+- `config/Makefile` and `config/generate.pl`
+
+  Makefile has supported platform list and generates and copies
+  platform dependent files (e.g. asm files) into arch directory with
+  generate.pl.  Platform dependent gypi files also created obtaining
+  build information from `configdata.pm` that is generated with
+  `Configure` in the OpenSSL build system.
+
+  For Windows, `Configure` generates makefile that is only available to
+  nmake command.  `config/Makefile_VC-WIN32` and
+  `config/Makefile_VC-WIN64A` are made created by hand for the use of
+  GNU make. If make rules or targets are changed in the version up of
+  OpenSSL, they should be also updated.
+
+  Theses are usually used in upgrading openssl-1.1.0.
+
+- gyp and gypi files (`openssl*.{gyp,gypi}`)
+
+  `openssl.gyp` has two targets of openssl and openssl-cli referred
+  from `node.gyp`. They includes asm and no_asm gypi files with arch
+  dependent gypi according to its build options and platforms . The
+  gyp data which is common with asm and no_asm are stored in
+  openssl_common.gypi.
+
+- header files (`config/*.{h,h.tmpl}`)
+
+  `bn_conf.h`, `dso_conf.h` and `opensslconf.h` are platform dependent
+  in the OpenSSL sources. They are replaced with `config/*.h.tmpl`
+  files to include the file in the `../../../config/` and referred to
+  each arch files that depends on asm and no-asm option.
+
+### Upgrading OpenSSL
+
+Please refer [config/README.md](config/README.md) .

deps/openssl110/config/Makefile

@@ -0,0 +1,54 @@
+# This Makefile is confirmed to be run only on Linux (CentOS and Ubuntu).
+# perl, makedepend and nasm(>=2.10) are needed to configure openssl.
+
+PERL    = perl
+
+# Supported architecture list
+ARCHS = aix-gcc aix64-gcc BSD-x86_64 \
+darwin64-x86_64-cc darwin-i386-cc linux-aarch64 \
+linux-armv4 linux-elf linux-x32 linux-x86_64 linux-ppc \
+linux-ppc64 linux-ppc64le linux32-s390x linux64-s390x \
+solaris-x86-gcc solaris64-x86_64-gcc VC-WIN64A VC-WIN32
+
+CONFIGURE = ./Configure
+# no-comp, no-ssl3: default openssl config options
+# no-shared: openssl-cli needs static link
+# no-afalgeng: old Linux kernel(e.g. Ubuntu 12) does not suport it
+COPTS = no-shared no-comp no-ssl3 no-afalgeng
+
+GITIGNORE = $(OPSSL_SRC)/.gitignore
+GENERATE = ./generate.pl
+
+OPSSL_SRC = ../openssl
+
+# Header files generated with Configure
+CFG = opensslconf.h
+SRC_CFG = $(OPSSL_SRC)/include/openssl/$(CFG)
+INT_CFGS = bn_conf.h dso_conf.h
+INT_CFG_DIR = $(OPSSL_SRC)/crypto/include/internal
+
+PHONY = all clean replace
+.PHONY: $(PHONY)
+
+all: $(ARCHS) replace
+
+# Configure and generate openssl asm files for each archs
+$(ARCHS):
+# Remove openssl .gitignore to follow nodejs .gitignore
+	if [ -e $(GITIGNORE) ]; then rm $(GITIGNORE); fi
+# Confgure asm and generate asm sources
+	cd $(OPSSL_SRC); $(PERL) $(CONFIGURE) $(COPTS) $@;
+	$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) asm $@
+# Confgure no-asm and generate no-asm sources
+	cd $(OPSSL_SRC); $(PERL) $(CONFIGURE) $(COPTS) no-asm $@;
+	$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) no-asm $@
+
+# Replace and copy arch dependent headers
+replace:
+	cp ./$(CFG).tmpl $(SRC_CFG)
+	@for c in $(INT_CFGS); do \
+	    cp ./$$c.tmpl $(INT_CFG_DIR)/$$c; \
+	done
+
+clean:
+	find archs \( -name \*.S -o -name \*.s -o -name \*.gypi -o -name \*.h -o -name \*.pm \) -exec rm "{}" \;