-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to openssl 101t for v0.12 #6553
Conversation
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl.
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows.
sha256-x86_64.pl does not exist in the origin openssl distribution. It was copied from sha512-x86_64.pl and both sha256/sha512 scripts were modified so as to generates only one asm file specified as its key hash length. PR: nodejs#9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <julien.gilli@joyent.com> PR: nodejs#25523 PR-URL: nodejs/node-v0.x-archive#25523 Reviewed-By: Julien Gilli <jgilli@fastmail.fm> PR: nodejs#25654 PR-URL: nodejs/node-v0.x-archive#25654 Reviewed-By: Julien Gilli <jgilli@fastmail.fm>
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . PR: nodejs#9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <julien.gilli@joyent.com> PR: nodejs#25523 PR-URL: nodejs/node-v0.x-archive#25523 Reviewed-By: Julien Gilli <jgilli@fastmail.fm> PR: nodejs#25654 PR-URL: nodejs/node-v0.x-archive#25654 Reviewed-By: Julien Gilli <jgilli@fastmail.fm>
reapply b910613 PR: nodejs#9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <julien.gilli@joyent.com> PR: nodejs#25523 PR-URL: nodejs/node-v0.x-archive#25523 Reviewed-By: Julien Gilli <jgilli@fastmail.fm> PR: nodejs#25654 PR-URL: nodejs/node-v0.x-archive#25654 Reviewed-By: Julien Gilli <jgilli@fastmail.fm>
Regenerate asm files with Makefile without CC and ASM envs.
In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. (cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74) Reviewed-By: James M Snell <jasnell@gmail.com> PR-URL: nodejs/node-v0.x-archive#25368
Can it be you forgot the |
@bnoordhuis Thanks, I missed it. I should have checked Windows tests more further. New CI is https://ci.nodejs.org/job/node-test-commit/3187/ . There still exists test-tls-server-verify.js failures. I've tested the current v0.12-staging and it shows the same test failures so they are not related to this PR. |
@nodejs/crypto can we get signoff from someone qualified on this? The test-tls-server-verify.js failures all over the slaves concern me but if they are not new for these changes then I supposed that's OK. |
@shigeki would you mind applying the same to v0.10-staging too please? |
@rvagg Sure. I've just submitted CI job in https://ci.nodejs.org/job/node-test-commit/3193/. Should I opens a new PR for v0.10? |
Note that test-tls-server-verify.js is fine in v0.10. The failure is a specific issue in v0.12. |
LGTM. test-tls-server-verify.js has been failing since at least v0.12.7, possibly longer. |
Are we expecting a new release for 0.12 to contain this OpenSSL fix? The 4, 5, and 6 lines got new releases today but I don't see a cut of this for 0.12 |
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5987 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5988 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5987 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) #5988 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) #6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
This just replaces all sources of openssl-1.0.1t.tar.gz into deps/openssl/openssl. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile without CC and ASM envs. Fixes: nodejs/node#6458 PR-URL: nodejs/node#6553 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Notable changes: * npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) nodejs/node#5988 * openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) nodejs/node#6553 - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check" - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow" - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
Checklist
Affected core subsystem(s)
tls/crypto
Description of change
openssl sources are upgraded to 1.0.1t and applied floating patches.
One more works was made in this upgrade.
-asm regenerated
asm codes were changed in this upgrade so that asm were regenerated without CC and ASM env.
CI is https://ci.nodejs.org/job/node-test-commit/3167/ but test-tls-server-verify.js was failed on several platforms due to some connection issues between server and spawned processes.
As far as I checked, the failures are not caused by this upgrade and need further investigation.
I'd like to know the test is flaky but I could not check CI results for v0.12 in the past. They seemed to be removed in the CI results.