Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to openssl-1.0.2b #1950

Closed
wants to merge 8 commits into from
Closed

Conversation

shigeki
Copy link
Contributor

@shigeki shigeki commented Jun 11, 2015

This is an update of openssl-1.0.2a to 1.0.2b. I made

  • update all sources
  • replace all symlnk headers
  • alt cert patches no longer needed but a new floating patch of -no_rand_screen option for s_client was added.
  • config files in all platforms are not changed.
  • asm files updated for especially armv8

This is a bug fix release so that no API/ABI are changed.

CI result of https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/811/ are fine except test failures of test-cluster-worker-wait-server-close.js. They are not related to this PR.

make test-internet is also fine to confirm that alt cert path works fine.

ia32 build for Win32 was tested on my machine and I found no error except test-http-pipeline-flood.js but it is not related to this PR.

R= @bnoordhuis @indutny

Shigeki Ohtsu and others added 8 commits June 12, 2015 00:00
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reapply b910613 .

Fixes: nodejs#589
PR-URL: nodejs#1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: nodejs#1461
PR-URL: nodejs#1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers
@shigeki
Copy link
Contributor Author

shigeki commented Jun 11, 2015

Fixes: #1921

@mscdex mscdex added the openssl Issues and PRs related to the OpenSSL dependency. label Jun 11, 2015
@shigeki
Copy link
Contributor Author

shigeki commented Jun 11, 2015

@indutny Does CVE-2015-1789 (Exploitable out-of-bounds read in X509_cmp_time) affect OCSPResponse ?

@indutny
Copy link
Member

indutny commented Jun 11, 2015

@shigeki yeah, I think so. But we don't really provide much APIs on this atm :) asn1.js is not vulnerable.

@indutny
Copy link
Member

indutny commented Jun 11, 2015

LGTM, @shigeki !

@shigeki
Copy link
Contributor Author

shigeki commented Jun 11, 2015

@indutny Yes, I agree. Thanks. Wait for another review form Ben.

@shigeki
Copy link
Contributor Author

shigeki commented Jun 11, 2015

From https://jbp.io/2015/06/11/cve-2015-1788-openssl-binpoly-hang/ , iojs is vulnerable to DoS of CVE-2015-1788. I've just confirmed that accessing to https://binpoly.jbp.io:4433 with TLS client of iojs leads 100% cpu load.

@bnoordhuis
Copy link
Member

LGTM

@Fishrock123
Copy link
Contributor

The CI seems a little unhappy recently but here's a run nonetheless: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/816/

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

Most of them are from test-cluster-worker-wait-server-close.js. But there are no error outputs to console.log.

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

No changes. Test failures are occurred only in test-cluster-worker-wait-server-close.js.
@Fishrock123 Can I land this PR?

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

@rvagg Should I also land this to v1.x branch for v1.8.3?

@rvagg
Copy link
Member

rvagg commented Jun 12, 2015

running CI again https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/817/

@shigeki yes, that's a good idea, please do once this lands

shigeki pushed a commit to shigeki/node that referenced this pull request Jun 12, 2015
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this pull request Jun 12, 2015
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this pull request Jun 12, 2015
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

The errors of test-cluster-worker-wait-server-close.js in CI is to be resolved by #1953.

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

Thanks for reviewing, @indutny and @bnoordhuis .

Landed in c21b24d dcd67cc f624d01 a130132 f62b613 3844491 and 9480496 to the current master.

shigeki pushed a commit to shigeki/node that referenced this pull request Jun 12, 2015
This just replaces all sources of openssl-1.0.2b.tar.gz
into deps/openssl/openssl

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this pull request Jun 12, 2015
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki pushed a commit to shigeki/node that referenced this pull request Jun 12, 2015
asm files are generated as
  - In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
  - In `deps/openssl/asm_obsolute/`, make with no envs for compilers

Fixes: nodejs#1921
PR-URL: nodejs#1950
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

CI is running for upgrading in v1.x branch https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/818/

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

Tests of tls-dhe using 512bits key are failed since missing #1739 in v1.x. I will backport them too.

@rvagg
Copy link
Member

rvagg commented Jun 12, 2015

I must have missed something but why is that cluster test failing so much all of a sudden?

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

@rvagg This error has been initially occurred since it was landed in https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/788/

@shigeki
Copy link
Contributor Author

shigeki commented Jun 12, 2015

CI are happy.
Landed in 2a3367a d593b55 2836428 2cd7f73 139da6a 151720f 1feaa68 and c65484a to v1.x branch.

@rvagg Please note in CHANGELOG that all iojs prior this upgrade were vulnerable to CVE-2015-1788.

@shigeki shigeki closed this Jun 12, 2015
@rvagg rvagg mentioned this pull request Jun 13, 2015
rvagg added a commit that referenced this pull request Jun 13, 2015
Notable Changes:

* libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details.
  (Saúl Ibarra Corretgé) #1905 #1889. Highlights include:
  - Fix TTY becoming blocked on OS X
  - Fix UDP send callbacks to not to be synchronous
  - Add uv_os_homedir() (exposed as os.homedir(), see below)
* npm: See full release notes for details. (Kat Marchán) #1899. Highlight:
  - Use GIT_SSH_COMMAND (available as of Git 2.3)
* openssl:
  - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection
    (Logjam) and fixes malformed ECParameters causing infinite loop
    (CVE-2015-1788). See the security advisory for full details.
    (Shigeki Ohtsu) #1950 #1958
  - Support FIPS mode of OpenSSL, see README for instructions.
    (Fedor Indutny) #1890
* os: Add os.homedir() method. (Colin Ihrig) #1791
* smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822
* Add new collaborators:
  - Alex Kocharin (@rlidwka)
  - Christopher Monsanto (@monsanto)
  - Ali Ijaz Sheikh (@ofrobots)
  - Oleg Elifantiev (@Olegas)
  - Domenic Denicola (@domenic)
  - Rich Trott (@Trott)
rvagg added a commit that referenced this pull request Jul 4, 2015
Maintenance release

Notable Changes:

* v8: Fixed an out-of-band write in utf8 decoder. This is an important
  security update as it can be used to cause a denial of service
  attack.
* openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE
  man-in-the-middle protection (Logjam) and fixes malformed
  ECParameters causing infinite loop (CVE-2015-1788). See the
  security advisory for full details. (Shigeki Ohtsu) #1950 #1958
* build:
  - Added support for compiling with Microsoft Visual C++ 2015
  - Started building and distributing headers-only tarballs along with
    binaries
rvagg added a commit to rvagg/io.js that referenced this pull request Sep 16, 2015
Maintenance release

Notable Changes:

* v8: Fixed an out-of-band write in utf8 decoder. This is an important
  security update as it can be used to cause a denial of service
  attack.
* openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE
  man-in-the-middle protection (Logjam) and fixes malformed
  ECParameters causing infinite loop (CVE-2015-1788). See the
  security advisory for full details. (Shigeki Ohtsu) nodejs#1950 nodejs#1958
* build:
  - Added support for compiling with Microsoft Visual C++ 2015
  - Started building and distributing headers-only tarballs along with
    binaries
ChALkeR pushed a commit to ChALkeR/io.js that referenced this pull request Dec 20, 2015
Maintenance release

Notable Changes:

* v8: Fixed an out-of-band write in utf8 decoder. This is an important
  security update as it can be used to cause a denial of service
  attack.
* openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE
  man-in-the-middle protection (Logjam) and fixes malformed
  ECParameters causing infinite loop (CVE-2015-1788). See the
  security advisory for full details. (Shigeki Ohtsu) nodejs#1950 nodejs#1958
* build:
  - Added support for compiling with Microsoft Visual C++ 2015
  - Started building and distributing headers-only tarballs along with
    binaries
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Maintenance release

Notable Changes:

* v8: Fixed an out-of-band write in utf8 decoder. This is an important
  security update as it can be used to cause a denial of service
  attack.
* openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE
  man-in-the-middle protection (Logjam) and fixes malformed
  ECParameters causing infinite loop (CVE-2015-1788). See the
  security advisory for full details. (Shigeki Ohtsu) nodejs#1950 nodejs#1958
* build:
  - Added support for compiling with Microsoft Visual C++ 2015
  - Started building and distributing headers-only tarballs along with
    binaries
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants