Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to OpenSSL-1.0.2n #17526

Closed
wants to merge 7 commits into from
Closed

Upgrade to OpenSSL-1.0.2n #17526

wants to merge 7 commits into from

Conversation

shigeki
Copy link
Contributor

@shigeki shigeki commented Dec 7, 2017

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

Here is upgrade to OpenSSL-1.0.2n including the fix of vulnerability of CVE-2017-3737 and CVE-2017-15896.

No headers in '/config' are changed but asm files need to be updated due to CVE-2017-3738.

CC @nodejs/crypto

shigeki and others added 7 commits December 7, 2017 22:54
@shigeki
deps: upgrade openssl sources to 1.0.2n
3b6ec9e 
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl
@shigeki
deps: copy all openssl header files to include dir
2916c7f 
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
@indutny @shigeki
deps: fix openssl assembly error on ia32 win32
273f3a3 
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
@shigeki
deps: fix asm build error of openssl in x86_win32
e19176e 
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
openssl: fix keypress requirement in apps on win32
cad6a61 
Reapply b910613 .

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
deps: add -no_rand_screen to openssl s_client
23bf270 
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: nodejs#1461
PR-URL: nodejs#1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
deps: update openssl asm and asm_obsolete files
66e383c 
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.
@shigeki shigeki added the openssl Issues and PRs related to the OpenSSL dependency. label Dec 7, 2017
@nodejs-github-bot nodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Dec 7, 2017
@shigeki
Copy link
Contributor Author

shigeki commented Dec 7, 2017

CI is running on https://ci.nodejs.org/job/node-test-pull-request/11945/.

tniessen
tniessen approved these changes Dec 7, 2017
View reviewed changes
Copy link
Member

@tniessen tniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubberstamp LGTM as this is a deps-only change.

bnoordhuis
bnoordhuis approved these changes Dec 7, 2017
View reviewed changes
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly rubber-stamp LGTM. The diff looks okay to me at a quick glance.

The CI failures are... odd:

gypprintf: write error: Resource temporarily unavailable

And:

09:22:06 make[1]: write error: stdout

@shigeki
Copy link
Contributor Author

shigeki commented Dec 7, 2017

One more try to see CI job failures in linux one.
https://ci.nodejs.org/job/node-test-pull-request/11950/

cjihrig
cjihrig approved these changes Dec 7, 2017
View reviewed changes
Copy link
Contributor

@cjihrig cjihrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubber stamp LGTM. Thanks for doing this.

MylesBorins
MylesBorins approved these changes Dec 7, 2017
View reviewed changes
Copy link
Contributor

@MylesBorins MylesBorins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Would very much like to see some of the patches we float land upstream if possible. Will follow up on that separately

mhdawson
mhdawson approved these changes Dec 7, 2017
View reviewed changes
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubber stamp LGTM

MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: upgrade openssl sources to 1.0.2n
53e3277 
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: copy all openssl header files to include dir
3ddf196 
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: update openssl asm and asm_obsolete files
6872690 
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@MylesBorins
Copy link
Contributor

landed in 0bc10b0...6872690

@MylesBorins MylesBorins closed this Dec 7, 2017
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: upgrade openssl sources to 1.0.2n
9fdd3bd 
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: copy all openssl header files to include dir
afad1f2 
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: update openssl asm and asm_obsolete files
18652b6 
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: upgrade openssl sources to 1.0.2n
03651ad 
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: copy all openssl header files to include dir
ac53d01 
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: update openssl asm and asm_obsolete files
6314a46 
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: upgrade openssl sources to 1.0.2n
b3afedf 
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
@shigeki @MylesBorins
deps: copy all openssl header files to include dir
dd6a2df 
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins added a commit that referenced this pull request Dec 7, 2017
@MylesBorins
2017-12-08, Version 6.12.2 'Boron' (LTS)
381f5ec 
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17533
MylesBorins added a commit that referenced this pull request Dec 7, 2017
@MylesBorins
2017-12-08, Version 8.9.3 'Carbon' (LTS)
9214a4e 
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* buffer:
  * buffer allocated with an invalid content will now be zero filled
    (Anna Henningsen)
    #17428
* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17532
evanlucas added a commit that referenced this pull request Dec 8, 2017
@evanlucas
2017-12-08 Version 9.2.1 (Current)
b07efd7 
Notable changes:

* **buffer**:
  * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428
* **deps**:
  * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526

PR-URL: #17531
MylesBorins added a commit that referenced this pull request Dec 8, 2017
@MylesBorins
2017-12-08, Version 8.9.3 'Carbon' (LTS)
8a44289 
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* buffer:
  * buffer allocated with an invalid content will now be zero filled
    (Anna Henningsen)
    #17428
* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17532
MylesBorins pushed a commit that referenced this pull request Dec 8, 2017
@evanlucas @MylesBorins
2017-12-08 Version 9.2.1 (Current)
6e5f96e 
Notable changes:

* **buffer**:
  * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428
* **deps**:
  * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526

PR-URL: #17531
MylesBorins added a commit that referenced this pull request Dec 8, 2017
@MylesBorins
2017-12-08, Version 4.8.7 'Argon' (LTS)
e832743 
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17534
MylesBorins added a commit that referenced this pull request Dec 8, 2017
@MylesBorins
2017-12-08, Version 6.12.2 'Boron' (LTS)
6fa9cae 
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17533
MylesBorins added a commit that referenced this pull request Dec 8, 2017
@MylesBorins
2017-12-08, Version 8.9.3 'Carbon' (LTS)
2ac4718 
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* buffer:
  * buffer allocated with an invalid content will now be zero filled
    (Anna Henningsen)
    #17428
* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17532
MylesBorins pushed a commit that referenced this pull request Dec 8, 2017
@evanlucas @MylesBorins
2017-12-08 Version 9.2.1 (Current)
7f086dd 
Notable changes:

* **buffer**:
  * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428
* **deps**:
  * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526

PR-URL: #17531
@MarshallOfSound MarshallOfSound mentioned this pull request Jun 20, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhdawson mhdawson mhdawson approved these changes

@tniessen tniessen tniessen approved these changes

@cjihrig cjihrig cjihrig approved these changes

@MylesBorins MylesBorins MylesBorins approved these changes

@danbev danbev danbev approved these changes

@bnoordhuis bnoordhuis bnoordhuis approved these changes

Assignees
No one assigned
Labels
openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.