Skip to content

[v11.x backport] Update openssl to 1.1.1a#25688

Closed
sam-github wants to merge 13 commits intonodejs:v11.x-stagingfrom
sam-github:backport-openssl1.1.1a-to-11.x
Closed

[v11.x backport] Update openssl to 1.1.1a#25688
sam-github wants to merge 13 commits intonodejs:v11.x-stagingfrom
sam-github:backport-openssl1.1.1a-to-11.x

Conversation

@sam-github
Copy link
Contributor

@sam-github sam-github commented Jan 24, 2019
edited
Loading

Backport of #25381 to 11.x

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

sam-github and others added 11 commits January 24, 2019 13:26
@sam-github
deps: upgrade openssl sources to 1.1.1a
2d0fc10 
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
deps: fix gyp/gypi for openssl-1.1.1
e78e4c0 
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
deps: fix MacOS and Win build for OpenSSL-1.1.1
bc7caaf 
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
deps: add s390 asm rules for OpenSSL-1.1.1
6c0417e 
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
deps: add only avx2 configs for OpenSSL-1.1.1
706deb5 
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
deps: fix for non GNU assembler in AIX
580dc0f 
AIX has own assembler not GNU as that does not support --noexecstack.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
doc: fix assembler requirement for OpenSSL-1.1.1
1a00628 
Add new requirements of assembler version for AVX-512 support
in OpenSSL-1.1.1.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@sam-github
deps: update archs files for OpenSSL-1.1.1a
9cd76e6 
`cd deps/openssl/config; make` updates all archs dependant files.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@sam-github
tls: make ossl 1.1.1 cipher list throw error
45e0616 
Make OpenSSL 1.1.1 error during cipher list setting if it would have
errored with OpenSSL 1.1.0.

Can be dropped after our OpenSSL fixes this upstream.

See: openssl/openssl#7759

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@shigeki @sam-github
tls: workaround handshakedone in renegotiation
839f177 
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
sending HelloRequest in OpenSSL-1.1.1.
We need to check whether this is in a renegotiation state or not.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@sam-github
test: assert on client and server side seperately
8ecdc03 
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jan 24, 2019

@sam-github build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/2376/pipeline

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. doc Issues and PRs related to the documentations. meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory. labels Jan 24, 2019
@sam-github sam-github changed the base branch from master to v11.x-staging January 24, 2019 21:49
@targos
Copy link
Member

targos commented Jan 24, 2019

Thanks for doing it Sam. There seems to be an issue with the min-max test.

@sam-github
Copy link
Contributor Author

sam-github commented Jan 24, 2019

I'll fix that as soon as I can. 11.x is apparently not in my ccache, it will be a while before I have a local build.

@sam-github
Copy link
Contributor Author

sam-github commented Jan 24, 2019

@nodejs/lts this won't land on node 10.x. I've backported before, https://github.com/sam-github/node/tree/update_openssl1.1.1a-v10.x, but I'll need to redo it now with the commits that actually landed.

I'll do 10.x after this lands since I don't think its need for a month or two, when the next 10.x semver-minor release comes out.

@sam-github
Copy link
Contributor Author

sam-github commented Jan 25, 2019

arm re-ci: https://ci.nodejs.org/job/node-test-commit/25304/

@sam-github sam-github mentioned this pull request Jan 25, 2019
Closed
@sam-github
Copy link
Contributor Author

sam-github commented Jan 25, 2019
edited
Loading

ARM failures are a known (EDIT: and unrelated to this PR) issue, see #23291

@targos targos added the v11.x label Jan 28, 2019
targos pushed a commit that referenced this pull request Jan 28, 2019
@sam-github @targos
deps: upgrade openssl sources to 1.1.1a
c581b9a 
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
targos pushed a commit that referenced this pull request Jan 28, 2019
@shigeki @targos
deps: fix gyp/gypi for openssl-1.1.1
e204399 
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
targos pushed a commit that referenced this pull request Jan 28, 2019
@shigeki @targos
deps: fix MacOS and Win build for OpenSSL-1.1.1
0a0f15f 
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
@targos
Copy link
Member

targos commented Jan 28, 2019

Landed in e6ad7f4...29002ce

@targos targos closed this Jan 28, 2019
@sam-github sam-github deleted the backport-openssl1.1.1a-to-11.x branch January 28, 2019 19:49
sam-github added a commit to sam-github/node that referenced this pull request Feb 28, 2019
@sam-github
deps: upgrade openssl sources to 1.1.1a
39d09ce 
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
deps: fix gyp/gypi for openssl-1.1.1
e8b39cf 
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
deps: fix MacOS and Win build for OpenSSL-1.1.1
af05709 
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux.  fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.

For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
deps: add s390 asm rules for OpenSSL-1.1.1
08cf226 
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
deps: add only avx2 configs for OpenSSL-1.1.1
0cf96fb 
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
deps: fix for non GNU assembler in AIX
87ff9f7 
AIX has own assembler not GNU as that does not support --noexecstack.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
doc: fix assembler requirement for OpenSSL-1.1.1
eb3470a 
Add new requirements of assembler version for AVX-512 support
in OpenSSL-1.1.1.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github added a commit to sam-github/node that referenced this pull request Feb 28, 2019
@sam-github
deps: update archs files for OpenSSL-1.1.1a
312dcc3 
`cd deps/openssl/config; make` updates all archs dependant files.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Feb 28, 2019
@shigeki @sam-github
tls: workaround handshakedone in renegotiation
6be596d 
`SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
sending HelloRequest in OpenSSL-1.1.1.
We need to check whether this is in a renegotiation state or not.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github added a commit to sam-github/node that referenced this pull request Feb 28, 2019
@sam-github
test: assert on client and server side seperately
d502073 
This gets better coverage of the codes, and is more explicit. It also
works around ordering differences in the errors produced by openssl.
The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs
TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared
openssl.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request Apr 29, 2019
@shigeki @sam-github
deps: add s390 asm rules for OpenSSL-1.1.1
c2310c7 
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
sam-github pushed a commit to sam-github/node that referenced this pull request May 10, 2019
@shigeki @sam-github
deps: add s390 asm rules for OpenSSL-1.1.1
7c0429b 
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

PR-URL: nodejs#25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: nodejs#25688
MylesBorins pushed a commit that referenced this pull request May 16, 2019
@shigeki @MylesBorins
deps: add s390 asm rules for OpenSSL-1.1.1
e9684b1 
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

Backport-PR-URL: #27419
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
MylesBorins pushed a commit that referenced this pull request May 16, 2019
@shigeki @MylesBorins
deps: add s390 asm rules for OpenSSL-1.1.1
6a6aa6f 
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

Backport-PR-URL: #27419
PR-URL: #25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Backport-PR-URL: #25688
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

build Issues and PRs related to build files or the CI. doc Issues and PRs related to the documentations. meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sam-github @nodejs-github-bot @targos @shigeki