-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade openssl102d #2141
Upgrade openssl102d #2141
Conversation
This needs additional tests of |
Internet test is fine.
|
@shigeki But we don't do internet tests in CI, right? How can we check this then? |
@thefourtheye |
@thefourtheye Please do not review the original openssl sources in |
@shigeki Oops, really sorry. My bad. I was just glancing through the source code and started leaving comments. |
@thefourtheye The original sources are in the commit of 254f85590bc8747534431d97b43a1e5d119deca0. Please review my commits out of it. |
I think it would have been better if there is one separate commit with your changes alone. |
67f1bc14d4baef58c6f367993dac071fa4380bbd, 2778cbbdf3d75dd3d8803aacd104f73b3ffae413, 4bebd596848e5873d9907e2633454857c18d605a and 4d83dd9d816a3a450a8c2762f1b0134ec921df3a are floating patches to openssl. You can see they were already reviewed in the previous update. They should be maintained separately because they have different purpose to fix. 9e122dbf2af07d8b47ffbe390e6029f8a86044a9 and 76b61c89476ec06b3d9a0e18f8e97fab6ce7342a are the new ones for upgrading this version. |
@shigeki Would it be possible to do it as one commit that applies the delta between 1.0.2c and 1.0.2d and one commit that updates the configurations? There is a lot of churn when looking at individual commits, while the real delta is only about 1 kLoC. |
@bnoordhuis Let me confirm that you mean that the following 3 are into one commit?
And this is left as a separated commit.
|
CI of https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/131/ was finished except pi1. The results are
I'm not sure they are existed before but I think they are not related to this upgrade. |
@shigeki Correct. If you want to go to bed, I can take care of it. |
This just replaces all sources of openssl-1.0.2d.tar.gz into deps/openssl/openssl deps: copy all openssl header files to include dir All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. deps: fix openssl assembly error on ia32 win32 `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> deps: fix asm build error of openssl in x86_win32 See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> openssl: fix keypress requirement in apps on win32 Reapply b910613 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> deps: add -no_rand_screen to openssl s_client In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: nodejs#1461 PR-URL: nodejs#1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
They should be updated accroding to the fix of openssl/openssl@b4f0d1a
67f1bc1
to
5891f12
Compare
@bnoordhuis Okay, I just squashed them. Thanks for taking care of me. I'm still okay. I will write you if I can't stay up no more. |
Thanks Shigeki, LGTM. There's a minor typo in the second commit log: s/accroding/according/ CI: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/132/ I'll land it for you if you want. |
@bnoordhuis Thanks for reviewing. I'd like to ask you to land this because I'm going to work this for node-v0.10.x from now. I appreciate your help very much. |
Note that I could not reproduce CVE-2015-1793 on iojs with the same test of openssl/openssl@593e9c6 by using same certs. The purpose of CA:false can be checked even in old iojs. Probably another conditions are needed in my test.
|
This just replaces all sources of openssl-1.0.2d.tar.gz into deps/openssl/openssl deps: copy all openssl header files to include dir All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. deps: fix openssl assembly error on ia32 win32 `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> deps: fix asm build error of openssl in x86_win32 See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> openssl: fix keypress requirement in apps on win32 Reapply b910613 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> deps: add -no_rand_screen to openssl s_client In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: nodejs#1461 PR-URL: nodejs#1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: nodejs#2141 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
I'm doing one more test run because Jenkins crapped out on the last one: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/133/ |
They should be updated according to the fix at openssl/openssl@b4f0d1a PR-URL: #2141 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Jenkins is having a bad day but on the bots that work, it's solid enough that I have no qualms landing it. Merged in ca93f7f and c70e68f. Thanks again, Shigeki! |
I'm really not confident about this given the results for win2008r2: https://jenkins-iojs.nodesource.com/job/iojs+pr+win/119/nodes=win2008r2/tapTestReport/ Are we sure those are Jenkins failures? ..because I'm not. |
This just replaces all sources of openssl-1.0.2d.tar.gz into deps/openssl/openssl deps: copy all openssl header files to include dir All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. deps: fix openssl assembly error on ia32 win32 `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> deps: fix asm build error of openssl in x86_win32 See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> openssl: fix keypress requirement in apps on win32 Reapply b910613 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> deps: add -no_rand_screen to openssl s_client In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: nodejs#1461 PR-URL: nodejs#1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: nodejs#2141 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
They should be updated according to the fix at openssl/openssl@b4f0d1a PR-URL: nodejs#2141 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Hmm a CI aganist master seems to not have those failures so maybe it's fine. https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/134/ |
Good job everyone! |
Thanks for everyone. I can confirm that iojs was really vulnerable to CVE-2015-1793 with the following test. // Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
//
// RootCA(missing)
// |
// interCA
// |
// subinterCA subinterCA (self-signed)
// | |
// leaf(CA:false)----------------
// |
// bad(CA:false)
var tls = require('tls');
var fs = require('fs');
var bad = fs.readFileSync('./bad.pem');
var bad_key = fs.readFileSync('./bad.key');
var interCA = fs.readFileSync('./interCA.pem');
var subinterCA = fs.readFileSync('./subinterCA.pem');
var subinterCA_ss = fs.readFileSync('./subinterCA-ss.pem');
var leaf = fs.readFileSync('./leaf.pem');
var opts = {
cert: bad,
key: bad_key,
ca: [leaf, subinterCA]
};
var server = tls.createServer(opts);
server.listen(8443, function() {
var opts = {
host: 'localhost',
port: 8443,
ca: [interCA, subinterCA_ss]
};
tls.connect(opts);
}); Old iojs-v.2.3.1 passes the openssl cert verification even if leaf cert is CA:false but it is checked by iojs with verifying the common name in tls.js. ohtsu@ubuntu:~/tmp/CVE-2015-1793$ iojs alt-cert-test.js
events.js:141
throw er; // Unhandled 'error' event
^
Error: Hostname/IP doesn't match certificate's altnames: "Host: localhost. is not cert's CN: bad"
at Object.checkServerIdentity (tls.js:210:15)
at TLSSocket.<anonymous> (_tls_wrap.js:970:29)
at emitNone (events.js:67:13)
at TLSSocket.emit (events.js:166:7)
at TLSSocket._finishInit (_tls_wrap.js:546:8) On iojs with openssl-1.0.2d, it checks the leaf cert purpose. The vulnerability is surely fixed. ohtsu@ubuntu:~/tmp/CVE-2015-1793$ ~/github/io.js/iojs alt-cert-test.js
events.js:141
throw er; // Unhandled 'error' event
^
Error: unsupported certificate purpose
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:989:38)
at emitNone (events.js:67:13)
at TLSSocket.emit (events.js:166:7)
at TLSSocket._finishInit (_tls_wrap.js:566:8) |
This just replaces all sources of openssl-1.0.2d.tar.gz into deps/openssl/openssl deps: copy all openssl header files to include dir All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. deps: fix openssl assembly error on ia32 win32 `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> deps: fix asm build error of openssl in x86_win32 See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> openssl: fix keypress requirement in apps on win32 Reapply b910613 . Fixes: nodejs#589 PR-URL: nodejs#1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> deps: add -no_rand_screen to openssl s_client In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: nodejs#1461 PR-URL: nodejs#1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: nodejs#2141 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PORT-PR-URL: nodejs#2146 PORT-FROM: ca93f7f
They should be updated according to the fix at openssl/openssl@b4f0d1a PR-URL: nodejs#2141 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PORT-PR-URL: nodejs#2146 PORT-FROM: c70e68f
Notable changes * openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery) nodejs#2141.
Notable changes * openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery) nodejs#2141.
Notable changes * openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery) nodejs#2141.
Notable changes * openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery) nodejs#2141.
TLS client of iojs prior this release has a vulnerability of Alternative chains certificate forgery (CVE-2015-1793) . See https://www.openssl.org/news/secadv_20150709.txt .
CI is running in https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/131/