Upgrade to OpenSSL-1.0.2n #17526

Closed
Contributor

@shigeki shigeki commented Dec 7, 2017

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

Here is the upgrade to OpenSSL-1.0.2n, including the fixes for the vulnerabilities CVE-2017-3737 and CVE-2017-15896.

No headers in '/config' are changed but asm files need to be updated due to CVE-2017-3738.

CC @nodejs/crypto

shigeki and others added 7 commits December 7, 2017 22:54
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Reapply b910613.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: nodejs#1461
PR-URL: nodejs#1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

@shigeki shigeki added the openssl Issues and PRs related to the OpenSSL dependency. label Dec 7, 2017
@nodejs-github-bot nodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Dec 7, 2017
Member

@tniessen tniessen left a comment

Rubberstamp LGTM as this is a deps-only change.

Member

@bnoordhuis bnoordhuis left a comment

Mostly rubber-stamp LGTM. The diff looks okay to me at a quick glance.

The CI failures are... odd:

gypprintf: write error: Resource temporarily unavailable

And:

09:22:06 make[1]: write error: stdout

Contributor Author

shigeki commented Dec 7, 2017

One more try to see CI job failures in linux one.
https://ci.nodejs.org/job/node-test-pull-request/11950/

Contributor

@cjihrig cjihrig left a comment

Rubber stamp LGTM. Thanks for doing this.

Contributor

@MylesBorins MylesBorins left a comment

LGTM

Would very much like to see some of the patches we float land upstream if possible. Will follow up on that separately

Member

@mhdawson mhdawson left a comment

Rubber stamp LGTM

MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 7, 2017
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

PR-URL: #17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@MylesBorins
Contributor

landed in 0bc10b0...6872690

@MylesBorins MylesBorins closed this Dec 7, 2017
MylesBorins added a commit that referenced this pull request Dec 7, 2017
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17533
MylesBorins added a commit that referenced this pull request Dec 7, 2017
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* buffer:
  * buffer allocated with an invalid content will now be zero filled
    (Anna Henningsen)
    #17428
* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17532
evanlucas added a commit that referenced this pull request Dec 8, 2017
Notable changes:

* **buffer**:
  * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428
* **deps**:
  * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526

PR-URL: #17531
MylesBorins added a commit that referenced this pull request Dec 8, 2017
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17534
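
A check for whether a Node.js runtime carries this upgrade, as an added example that is not part of the pull request or the Node.js project's code: it classifies the string in `process.versions.openssl` against 1.0.2n. The function names and result labels are assumptions made for this illustration.

```javascript
'use strict';
// Added example (not from the pull request): classify an OpenSSL version
// string relative to the 1.0.2n upgrade landed by this PR.
const BASELINE = '1.0.2n';

// OpenSSL 1.0.2 releases are "1.0.2" plus an optional letter suffix
// (a..z, then za, zb, ...). Anything after the letters, such as "-fips",
// is ignored.
function parseOpenSSLVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v).trim());
  if (!m) return null;
  return { series: `${m[1]}.${m[2]}.${m[3]}`, letter: m[4] };
}

// Order letter suffixes: "" < "a" < ... < "z" < "za" < "zb" ...
// Shorter suffixes sort first; equal lengths compare lexicographically.
function compareLetters(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns one of: 'has-upgrade', 'predates-upgrade', 'other-series',
// 'unparseable' (labels are hypothetical, chosen for this example).
function classify(v) {
  const got = parseOpenSSLVersion(v);
  const base = parseOpenSSLVersion(BASELINE);
  if (!got) return 'unparseable';
  // This PR only concerns the 1.0.2 line; other lines are out of scope.
  if (got.series !== base.series) return 'other-series';
  return compareLetters(got.letter, base.letter) >= 0
    ? 'has-upgrade'
    : 'predates-upgrade';
}

// Report on the runtime executing this script.
function checkRuntime() {
  const v = process.versions.openssl;
  return { version: v, status: classify(v) };
}

console.log(checkRuntime());
```

A build that backports fixes without changing the version letter is still reported as `predates-upgrade`, so treat that result as a prompt to check the vendor's changelog.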