After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
$ cd deps/openssl/config
$ make
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
$ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
PR-URL: https://github.com/nodejs/node/pull/29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Upstream V8 removed support for s390 earlier this year and it's known
to no longer build. Remove the support from our build scripts.
Fixes: https://github.com/nodejs/node/issues/28866
PR-URL: https://github.com/nodejs/node/pull/28883
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Add BSD-x86 to the list of arches and regenerate everything.
Everything in deps/openssl/config/archs/BSD-x86 is auto-generated,
everything else is manual edits to include the right files in the
right places.
I cheated a little: I didn't check in changes to files for other arches
because they contained mostly churn (updated buildstamps and such.)
Fixes: https://github.com/nodejs/node/issues/20326
PR-URL: https://github.com/nodejs/node/pull/28806
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The upstream commit fixes an incorrect initialization of memory in
rand_lib.c. This fixes all errors that are reported by valgrind during
startup.
Origin: https://github.com/openssl/openssl/commit/15d7e7997e219fc
PR-URL: https://github.com/nodejs/node/pull/28796
Fixes: https://github.com/nodejs/node/issues/28739
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
V8 now resume supporting for mipsel/mips64el.
This commit add linux64-mips64 platform dependent
files in 'deps/openssl/config/archs/linux64-mips64',
and update the corresponding gypi files and header
files.
Refs: https://groups.google.com/forum/#!topic/v8-dev/oXkv5OVCXyc
PR-URL: https://github.com/nodejs/node/pull/27992
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
$ cd deps/openssl/config
$ make
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
$ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
PR-URL: https://github.com/nodejs/node/pull/28211
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This change contains the results of running `make` in
`deps/openssl/config` (based on information in
deps/openssl/config/README.md) and not reverting anything.
This is not necessary, but it does indicate to the curious developer
that all architectures were automatically generated at the same time.
PR-URL: https://github.com/nodejs/node/pull/27544
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This change contains the results of running `make` in
`deps/openssl/config` (based on information in
deps/openssl/config/README.md) then reverting changes not in the
VC-WIN64-ARM directory.
This leverages a preceding change that fixes a cross-configuration file
reuse bug that only impacts VC-WIN64-ARM.
PR-URL: https://github.com/nodejs/node/pull/27544
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This change adds a clean target to the VC-WIN* Makefiles, then adjusts
the config generation script to call it before config file generation
as well as after. This prevents files from previous configurations from
causing make to incorrectly assume the files are up to date.
PR-URL: https://github.com/nodejs/node/pull/27543
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Ran:
$ cd deps/openssl/config; make
to update deps/openssl/config/archs/ with current configuration.
PR-URL: https://github.com/nodejs/node/pull/27376
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
OpenSSL doesn't compile `SSL_trace()` by default for historical reasons.
Add the enable-ssl-trace option to the OpenSSL Configure arguments.
PR-URL: https://github.com/nodejs/node/pull/27376
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
This change adds the generated files required for building OpenSSL for
Node.js for ARM64 Windows. I did this on a VM running Ubuntu 18.04. The
basic workflow is to cd to deps/openssl/config and run `make`,
installing any needed packages until all architectures build correctly.
Note that OpenSSL 1.1.1 does not support ASM on ARM64 Windows, so this
change also supports only no-asm on ARM64 Windows.
PR-URL: https://github.com/nodejs/node/pull/26001
Fixes: https://github.com/nodejs/node/issues/25998
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
This adds ARM64 Windows support in the OpenSSL build system.
Since OpenSSL's ARM64 Windows support does not have support for ASM--
that is, VC-WIN64-ARM inherits from VC-noCE-common which has no ASM
files--`openssl_no_asm.gypi` is always used for building. This
essentially forces the 'no-asm' Configure flag.
PR-URL: https://github.com/nodejs/node/pull/26001
Fixes: https://github.com/nodejs/node/issues/25998
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Particularly, ensure that the commit messages are self-explanatory so
that reviewers can understand that the large commits are the result of a
simple repeatable process. This should make them easier to review.
See: https://github.com/nodejs/node/pull/26327#issuecomment-468745161
PR-URL: https://github.com/nodejs/node/pull/26378
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Since its not packaged, we don't have to delete it, and the Makefile
and update can become a (tiny) bit simpler.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original:
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.1b.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit f395a4a401.
As of openssl-1.1.1b, the dot-files are no longer distributed, so this
is no longer necessary.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
OpenSSL is packaging its git and travis configuration files. Remove
them, Node.js has its own.
PR-URL: https://github.com/nodejs/node/pull/25689
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
AIX has own assembler not GNU as that does not support --noexecstack.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux. fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.
For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
PR-URL: https://github.com/nodejs/node/pull/24523
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.0j.
PR-URL: https://github.com/nodejs/node/pull/24523
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
There is reason to believe the generated assembly isn't working
correctly so let's disable it for now pending further investigation.
PR-URL: https://github.com/nodejs/node/pull/24270
Refs: https://github.com/nodejs/node/issues/23913
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Low severity timing vulnerability in the DSA signature algorithm
Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.
Ref: https://github.com/openssl/openssl/pull/7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: https://github.com/openssl/openssl/commit/415c3356
Original commit message:
DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
PR-URL: https://github.com/nodejs/node/pull/23965
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`cd deps/openssl/config; make` updates all archs dependant files.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.0i.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Pending OpenSSL 1.1.0i release.
Refs: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
PR-URL: https://github.com/nodejs/node/pull/21345
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Upstream: https://github.com/openssl/openssl/commit/0c27d793
Original commit message:
Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit has a new binding scheme in builing OpenSSL-1.1.0 library
with Node. OpenSSL-1.1.0 uses a new build system with perl for various
supported platforms. See `Configurations/README` and
`Configurations/README.design` in the OpenSSL source for details.
In order to build OpenSSL library without perl in the build of Node
for various supported platforms, platform dependent files (e.g. asm
and header files ) are pre-generated and stored into the `config/arch`
directory.
- Makefile and generate_gypi.pl
Makefile has supported platform list and generates and copies platform
dependent files (e.g. asm files) into arch directory with
generate_gypi.pl. Platform dependent gypi files also created obtaining
build information from `configdata.pm` that is generated with
`Configure` in the OpenSSL build system.
For Windows, `Configure` generates makefile that is only available to
nmake command. Since nmake is not supported in Linux,
`Makefile_VC-WIN32` and `Makefile_VC-WIN64A` are made created by hand
for the use of GNU make. If make rules or targets are changed in the
version up of OpenSSL, they should be also updated.
The following files are used in upgrading openssl-1.1.0.
- gyp and gypi files
openssl.gyp has two targets of openssl and openssl-cli referred from
node.gyp. They includes asm and no_asm gypi files with arch dependent
gypi according to its build options and platforms . The gyp data which
is common with asm and no_asm are stored in openssl_common.gypi.
- header files
bn_conf.h, dso_conf.h and opensslconf.h are platform dependent in the
OpenSSL sources. They are replaced with *.h.tmpl files to include the
file in the `../../../config/` and referred to each arch files that
depends on asm and no-asm option.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
