Update openssl 1.1.1c

[sam-github]

See:

• openssl non-critical updates have been announced as coming May 28th Release#448
• https://www.openssl.org/news/openssl-1.1.1-notes.html

Note openssl 1.1.1c fixes CVE https://www.openssl.org/news/vulnerabilities.html#2019-1543, but I believe this does not affect node since #26537 protects it. Arguably, we could back out #26537, except that it can creep back in if an external OpenSSL 1.1.1a or b is used. Best to leave, I think.

/to @nodejs/crypto

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

[nodejs-github-bot]

Sadly, an error occurred when I tried to trigger a build. :(
CI: https://ci.nodejs.org/job/node-test-pull-request/23868/
CI: https://ci.nodejs.org/job/node-test-pull-request/23873/

[sam-github]

backport: #28212

[sam-github]

@nodejs/releasers @nodejs/lts This cherry-picks clean onto 12.x-staging, but it does not onto v10.x-staging, so I backported. Possibly it needs to "bake" by being in a 12.x release before getting released on 10.x.

[richardlau]

@nodejs/releasers @nodejs/lts This cherry-picks clean onto 12.x-staging, but it does not onto v10.x-staging, so I backported. Possibly it needs to "bake" by being in a 12.x release before getting released on 10.x.

We did reserve a date (June 25th) for a security release across all currently supported versions of Node.js. This OpenSSL update seems like the sort of thing the reserved date was intended for (non-critical security updates).

[ryzokuken]

RSLGTM. I think you'd need to run license-builder.sh?

[shigeki]

I agree that #26537 fixed CVE-2019-1543 and leave it for the older version is used in the shared library.

[sam-github]

@ryzokuken I've never run license-builder.sh, and its not part of the OpenSSL update instructions (see deps/openssl/config/README.md). Should it be?

OpenSSL doesn't change its license in patches, but when I tried running it, I noticed the valgrind license seems out of date.

[tniessen]

RSLGTM, thanks Sam.

[BridgeAR]

Landed in b6326ce...7cb8981 🎉

[Trott]

Looks like this update causes test/pummel/test-crypto-dh.js to never finish. (Previously, it took about 12 seconds to run on CI.) Investigating, but if anyone has any immediate ideas, that would be helpful.

[Trott]

The test still passes given enough time but performance of getDiffieHellman() is much much worse than before. Might be not-a-bug if it’s due to a security fix or something?

[Trott]

Pummel test issues workarounds/fixes in #28390

[sam-github]

@Trott re:

Unfortunately, 4c8fe4a doesn't build, which is currently messing up my bisect to find where a crypto dh problem was introduced. Fortunately, it's probably this PR, so...I think I can work around it. But 66b4930 probably should have been squashed into that commit.

I wouldn't expect bisect to work across any openssl updates, because upstream sources are updated in a seperate commit from the config files generated by node's build system, according to our openssl update process, see https://github.com/nodejs/node/blob/master/deps/openssl/config/README.md#4-commit-and-make-test.

There are some pros and cons to changing the process we use to vendor in openssl updates. In general, every commit would pass make test, I think we can agree thats a big "pro". But if you look at the branches where we have floating patches on openssl (and possibly v8, or any dep, but I'm not familiar with them) that would require squashing the upstream vanilla sourc, with our floating patches and with the autogenerated config, so it would no longer be clear what in the commit came from upstream, and what came from us, which is something of a "con". I've no strong opinion either way, other than that we should be probably be consistent with how we manage all our deps, and I confess to not paying much attention to anything but the openssl updates and the mozilla certificate updates (https://github.com/nodejs/node/blob/master/doc/guides/updating-root-certs.md). The latter creates two commits in a row, too, but the first commit is just data, and doesn't break make all or make test.

[Trott]

@sam-github Ah, thanks for the explanation. That makes a lot of sense.