-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to openssl-1.0.2b #1950
Conversation
This just replaces all sources of openssl-1.0.2b.tar.gz into deps/openssl/openssl
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reapply b910613 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: nodejs#1461 PR-URL: nodejs#1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Change all openssl/include/openssl/*.h to include resolved symbolic links and openssl/crypto/opensslconf.h to refer config/opensslconf.h
asm files are generated as - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm - In `deps/openssl/asm_obsolute/`, make with no envs for compilers
Fixes: #1921 |
@indutny Does CVE-2015-1789 (Exploitable out-of-bounds read in X509_cmp_time) affect OCSPResponse ? |
@shigeki yeah, I think so. But we don't really provide much APIs on this atm :) asn1.js is not vulnerable. |
LGTM, @shigeki ! |
@indutny Yes, I agree. Thanks. Wait for another review form Ben. |
From https://jbp.io/2015/06/11/cve-2015-1788-openssl-binpoly-hang/ , iojs is vulnerable to DoS of CVE-2015-1788. I've just confirmed that accessing to https://binpoly.jbp.io:4433 with TLS client of iojs leads 100% cpu load. |
LGTM |
The CI seems a little unhappy recently but here's a run nonetheless: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/816/ |
Most of them are from test-cluster-worker-wait-server-close.js. But there are no error outputs to console.log. |
No changes. Test failures are occurred only in test-cluster-worker-wait-server-close.js. |
@rvagg Should I also land this to v1.x branch for v1.8.3? |
running CI again https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/817/ @shigeki yes, that's a good idea, please do once this lands |
This just replaces all sources of openssl-1.0.2b.tar.gz into deps/openssl/openssl Fixes: nodejs#1921 PR-URL: nodejs#1950 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Change all openssl/include/openssl/*.h to include resolved symbolic links and openssl/crypto/opensslconf.h to refer config/opensslconf.h Fixes: nodejs#1921 PR-URL: nodejs#1950 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
asm files are generated as - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm - In `deps/openssl/asm_obsolute/`, make with no envs for compilers Fixes: nodejs#1921 PR-URL: nodejs#1950 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The errors of test-cluster-worker-wait-server-close.js in CI is to be resolved by #1953. |
This just replaces all sources of openssl-1.0.2b.tar.gz into deps/openssl/openssl Fixes: nodejs#1921 PR-URL: nodejs#1950 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Change all openssl/include/openssl/*.h to include resolved symbolic links and openssl/crypto/opensslconf.h to refer config/opensslconf.h Fixes: nodejs#1921 PR-URL: nodejs#1950 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
asm files are generated as - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm - In `deps/openssl/asm_obsolute/`, make with no envs for compilers Fixes: nodejs#1921 PR-URL: nodejs#1950 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
CI is running for upgrading in v1.x branch https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/818/ |
Tests of tls-dhe using 512bits key are failed since missing #1739 in v1.x. I will backport them too. |
I must have missed something but why is that cluster test failing so much all of a sudden? |
@rvagg This error has been initially occurred since it was landed in https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/788/ |
Notable Changes: * libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details. (Saúl Ibarra Corretgé) #1905 #1889. Highlights include: - Fix TTY becoming blocked on OS X - Fix UDP send callbacks to not to be synchronous - Add uv_os_homedir() (exposed as os.homedir(), see below) * npm: See full release notes for details. (Kat Marchán) #1899. Highlight: - Use GIT_SSH_COMMAND (available as of Git 2.3) * openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection (Logjam) and fixes malformed ECParameters causing infinite loop (CVE-2015-1788). See the security advisory for full details. (Shigeki Ohtsu) #1950 #1958 - Support FIPS mode of OpenSSL, see README for instructions. (Fedor Indutny) #1890 * os: Add os.homedir() method. (Colin Ihrig) #1791 * smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822 * Add new collaborators: - Alex Kocharin (@rlidwka) - Christopher Monsanto (@monsanto) - Ali Ijaz Sheikh (@ofrobots) - Oleg Elifantiev (@Olegas) - Domenic Denicola (@domenic) - Rich Trott (@Trott)
Maintenance release Notable Changes: * v8: Fixed an out-of-band write in utf8 decoder. This is an important security update as it can be used to cause a denial of service attack. * openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection (Logjam) and fixes malformed ECParameters causing infinite loop (CVE-2015-1788). See the security advisory for full details. (Shigeki Ohtsu) #1950 #1958 * build: - Added support for compiling with Microsoft Visual C++ 2015 - Started building and distributing headers-only tarballs along with binaries
Maintenance release Notable Changes: * v8: Fixed an out-of-band write in utf8 decoder. This is an important security update as it can be used to cause a denial of service attack. * openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection (Logjam) and fixes malformed ECParameters causing infinite loop (CVE-2015-1788). See the security advisory for full details. (Shigeki Ohtsu) nodejs#1950 nodejs#1958 * build: - Added support for compiling with Microsoft Visual C++ 2015 - Started building and distributing headers-only tarballs along with binaries
Maintenance release Notable Changes: * v8: Fixed an out-of-band write in utf8 decoder. This is an important security update as it can be used to cause a denial of service attack. * openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection (Logjam) and fixes malformed ECParameters causing infinite loop (CVE-2015-1788). See the security advisory for full details. (Shigeki Ohtsu) nodejs#1950 nodejs#1958 * build: - Added support for compiling with Microsoft Visual C++ 2015 - Started building and distributing headers-only tarballs along with binaries
Maintenance release Notable Changes: * v8: Fixed an out-of-band write in utf8 decoder. This is an important security update as it can be used to cause a denial of service attack. * openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection (Logjam) and fixes malformed ECParameters causing infinite loop (CVE-2015-1788). See the security advisory for full details. (Shigeki Ohtsu) nodejs#1950 nodejs#1958 * build: - Added support for compiling with Microsoft Visual C++ 2015 - Started building and distributing headers-only tarballs along with binaries
This is an update of openssl-1.0.2a to 1.0.2b. I made
-no_rand_screen
option for s_client was added.This is a bug fix release so that no API/ABI are changed.
CI result of https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/811/ are fine except test failures of test-cluster-worker-wait-server-close.js. They are not related to this PR.
make test-internet
is also fine to confirm that alt cert path works fine.ia32 build for Win32 was tested on my machine and I found no error except test-http-pipeline-flood.js but it is not related to this PR.
R= @bnoordhuis @indutny