This change adds the generated files required for building OpenSSL for
Node.js for ARM64 Windows. I did this on a VM running Ubuntu 18.04. The
basic workflow is to cd to deps/openssl/config and run `make`,
installing any needed packages until all architectures build correctly.
Note that OpenSSL 1.1.1 does not support ASM on ARM64 Windows, so this
change also supports only no-asm on ARM64 Windows.
PR-URL: https://github.com/nodejs/node/pull/26001
Fixes: https://github.com/nodejs/node/issues/25998
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
This adds ARM64 Windows support in the OpenSSL build system.
Since OpenSSL's ARM64 Windows support does not have support for ASM--
that is, VC-WIN64-ARM inherits from VC-noCE-common which has no ASM
files--`openssl_no_asm.gypi` is always used for building. This
essentially forces the 'no-asm' Configure flag.
PR-URL: https://github.com/nodejs/node/pull/26001
Fixes: https://github.com/nodejs/node/issues/25998
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Particularly, ensure that the commit messages are self-explanatory so
that reviewers can understand that the large commits are the result of a
simple repeatable process. This should make them easier to review.
See: https://github.com/nodejs/node/pull/26327#issuecomment-468745161
PR-URL: https://github.com/nodejs/node/pull/26378
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Since its not packaged, we don't have to delete it, and the Makefile
and update can become a (tiny) bit simpler.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original:
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.1b.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit f395a4a401.
As of openssl-1.1.1b, the dot-files are no longer distributed, so this
is no longer necessary.
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
OpenSSL is packaging its git and travis configuration files. Remove
them, Node.js has its own.
PR-URL: https://github.com/nodejs/node/pull/25689
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
AIX has own assembler not GNU as that does not support --noexecstack.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Because llvm on MacOS does not support AVX-512, asm files need to be limited to
AVX-2 support even when they are generated on Linux. fake_gcc.pl returns the
fake llvm banner version for MacOS as if the assembler supports upto AVX-2.
For Windows, makefiles for nmake were updated in OpenSSL-1.1.1 and they are
rewritten into GNU makefile format by hand.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Some of defines and cppflags in the build config of OpenSSL-1.1.1 were
moved to new attributes. Gyp and gypi file generations are needed to be
fixed to include them.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This updates all sources in deps/openssl/openssl with openssl-1.1.1a.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
PR-URL: https://github.com/nodejs/node/pull/24523
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.0j.
PR-URL: https://github.com/nodejs/node/pull/24523
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
There is reason to believe the generated assembly isn't working
correctly so let's disable it for now pending further investigation.
PR-URL: https://github.com/nodejs/node/pull/24270
Refs: https://github.com/nodejs/node/issues/23913
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Low severity timing vulnerability in the DSA signature algorithm
Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.
Ref: https://github.com/openssl/openssl/pull/7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: https://github.com/openssl/openssl/commit/415c3356
Original commit message:
DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
PR-URL: https://github.com/nodejs/node/pull/23965
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`cd deps/openssl/config; make` updates all archs dependant files.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This updates all sources in deps/openssl/openssl with openssl-1.1.0i.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Pending OpenSSL 1.1.0i release.
Refs: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
PR-URL: https://github.com/nodejs/node/pull/21345
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Upstream: https://github.com/openssl/openssl/commit/0c27d793
Original commit message:
Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit has a new binding scheme in builing OpenSSL-1.1.0 library
with Node. OpenSSL-1.1.0 uses a new build system with perl for various
supported platforms. See `Configurations/README` and
`Configurations/README.design` in the OpenSSL source for details.
In order to build OpenSSL library without perl in the build of Node
for various supported platforms, platform dependent files (e.g. asm
and header files ) are pre-generated and stored into the `config/arch`
directory.
- Makefile and generate_gypi.pl
Makefile has supported platform list and generates and copies platform
dependent files (e.g. asm files) into arch directory with
generate_gypi.pl. Platform dependent gypi files also created obtaining
build information from `configdata.pm` that is generated with
`Configure` in the OpenSSL build system.
For Windows, `Configure` generates makefile that is only available to
nmake command. Since nmake is not supported in Linux,
`Makefile_VC-WIN32` and `Makefile_VC-WIN64A` are made created by hand
for the use of GNU make. If make rules or targets are changed in the
version up of OpenSSL, they should be also updated.
The following files are used in upgrading openssl-1.1.0.
- gyp and gypi files
openssl.gyp has two targets of openssl and openssl-cli referred from
node.gyp. They includes asm and no_asm gypi files with arch dependent
gypi according to its build options and platforms . The gyp data which
is common with asm and no_asm are stored in openssl_common.gypi.
- header files
bn_conf.h, dso_conf.h and opensslconf.h are platform dependent in the
OpenSSL sources. They are replaced with *.h.tmpl files to include the
file in the `../../../config/` and referred to each arch files that
depends on asm and no-asm option.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Backport-PR-URL: https://github.com/nodejs/node/pull/19638
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/19638
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>
This replaces all sources of openssl-1.0.2o.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/19638
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>
We already disable `-Wmissing-field-initializers` on other Unices but
not on MacOS.
PR-URL: https://github.com/nodejs/node/pull/19046
Fixes: https://github.com/nodejs/node/issues/18983
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.
Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.
PR-URL: https://github.com/nodejs/node/pull/17526
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Jon Kunkee
Shigeki Ohtsu
Sam Roberts
Thang Tran
Rod Vagg
Ben Noordhuis
Daniel Bevenius
Shigeki Ohtsu
Fedor Indutny