[v10.x backport] TLS1.3 (and dependent PRs) #27432

Closed
wants to merge 21 commits into from
21 commits
a868ebe
deps: update OpenSSL upgrade process
sam-github Mar 1, 2019
c80bff3
deps: upgrade openssl sources to 1.1.1b
sam-github Apr 25, 2019
63aa831
deps: openssl-1.1.1b no longer packages .gitignore
sam-github Feb 26, 2019
1cea121
deps: add ARM64 Windows support in openssl
shigeki Feb 23, 2019
c2310c7
deps: add s390 asm rules for OpenSSL-1.1.1
shigeki Mar 7, 2018
f54db0b
deps: update archs files for OpenSSL-1.1.1b
sam-github Apr 25, 2019
f47e208
tls: support changing credentials dynamically
cjihrig Oct 13, 2018
5f5d3c9
tls: get the local certificate after tls handshake
sam-github Nov 8, 2018
4a82835
tls: fix initRead socket argument name
sam-github Dec 19, 2018
78b42fc
tls: do not confuse session and session ID
sam-github Dec 19, 2018
a6635b2
src: use consistent names for JSStream
sam-github Dec 19, 2018
ae7c74c
tls: remove unused ocsp extension parsing
sam-github Dec 19, 2018
6b327e5
src: in-source comments and minor TLS cleanups
sam-github Jan 16, 2019
2d25b65
tls: introduce client 'session' event
sam-github Jan 30, 2019
8c7406f
tls: do not free cert in `.getCertificate()`
addaleax Jan 14, 2019
38838af
src: remove unused TLWrap::EnableTrace()
sam-github Jan 31, 2019
d3c7020
src: organize TLSWrap declarations by parent
sam-github Jan 31, 2019
1c3c9f3
tls: don't shadow the tls global with a local
sam-github Jan 31, 2019
750b906
src: const_cast is necessary for 1.1.1, not 0.9.7
sam-github Jan 31, 2019
5febe41
src: refactor SSLError case statement
sam-github Jan 31, 2019
1f65f18
tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
sam-github Nov 30, 2018
19 changes: 12 additions & 7 deletions deps/openssl/config/Makefile
Expand Up @@ -9,12 +9,14 @@ endif
PERL = perl

# Supported architecture list
ARCHS = aix-gcc aix64-gcc BSD-x86_64 \
ASM_ARCHS = aix-gcc aix64-gcc BSD-x86_64 \
darwin64-x86_64-cc darwin-i386-cc linux-aarch64 \
linux-armv4 linux-elf linux-x32 linux-x86_64 linux-ppc \
linux-ppc64 linux-ppc64le linux32-s390x linux64-s390x \
solaris-x86-gcc solaris64-x86_64-gcc VC-WIN64A VC-WIN32

NO_ASM_ARCHS = VC-WIN64-ARM

CC = gcc
FAKE_GCC = ../config/fake_gcc.pl

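Review bot: `NO_ASM_ARCHS = VC-WIN64-ARM` is introduced without a comment, and the existing `# Supported architecture list` comment now sits above `ASM_ARCHS` only. Add a line above `NO_ASM_ARCHS` stating that these targets are configured with `no-asm` only (no asm or asm_avx2 variants are generated for them), so whoever adds the next platform knows which list it belongs in.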
Expand All @@ -27,7 +29,6 @@ COPTS = no-comp no-shared no-afalgeng
# disable platform check in Configure
NO_WARN_ENV = CONFIGURE_CHECKER_WARN=1

GITIGNORE = $(OPSSL_SRC)/.gitignore
GENERATE = ./generate_gypi.pl

OPSSL_SRC = ../openssl
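Review bot: Dropping `GITIGNORE = $(OPSSL_SRC)/.gitignore` here, together with the `rm $(GITIGNORE)` step in the arch rule further down, relies on the upstream tarball not shipping a `.gitignore`, which is what commit 63aa831 says about 1.1.1b. If a later release packages one again, `git add --all openssl` will honor it and files can be left out of the vendored tree without any error. Consider keeping a guard that fails or warns when `$(OPSSL_SRC)/.gitignore` exists, instead of removing the handling entirely.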
Expand All @@ -41,19 +42,23 @@ INT_CFG_DIR = $(OPSSL_SRC)/crypto/include/internal
PHONY = all clean replace
.PHONY: $(PHONY)

all: $(ARCHS) replace
all: $(ASM_ARCHS) $(NO_ASM_ARCHS) replace

# Configure and generate openssl asm files for each archs
$(ARCHS):
# Remove openssl .gitignore to follow nodejs .gitignore
if [ -e $(GITIGNORE) ]; then rm $(GITIGNORE); fi
$(ASM_ARCHS):
cd $(OPSSL_SRC); $(NO_WARN_ENV) CC=$(CC) $(PERL) $(CONFIGURE) $(COPTS) $@;
$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) asm $@
# Confgure asm_avx2 and generate upto avx2 support
cd $(OPSSL_SRC); $(NO_WARN_ENV) CC=$(FAKE_GCC) $(PERL) $(CONFIGURE) \
$(COPTS) $@;
$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) asm_avx2 $@
# Confgure no-asm and generate no-asm sources
# Configure no-asm and generate no-asm sources
cd $(OPSSL_SRC); $(NO_WARN_ENV) $(PERL) $(CONFIGURE) $(COPTS) \
no-asm $@;
$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) no-asm $@

$(NO_ASM_ARCHS):
# Configure no-asm and generate no-asm sources
cd $(OPSSL_SRC); $(NO_WARN_ENV) $(PERL) $(CONFIGURE) $(COPTS) \
no-asm $@;
$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) no-asm $@
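Review bot: The new `$(NO_ASM_ARCHS):` recipe repeats the no-asm step of `$(ASM_ARCHS):` line for line (`$(CONFIGURE) $(COPTS) no-asm $@` followed by `$(GENERATE) no-asm $@`). Move that pair into a shared `define` or a rule both target lists use, so a change to the no-asm options cannot be applied to one list and missed in the other. In the same rule, the `# Confgure asm_avx2 and generate upto avx2 support` comment keeps the spelling that the no-asm comment is being corrected for.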
147 changes: 147 additions & 0 deletions deps/openssl/config/Makefile_VC-WIN64-ARM
@@ -0,0 +1,147 @@

##
## Makefile for OpenSSL
##
## WARNING: do not edit!
## Generated by Configure from Configurations/common0.tmpl, Configurations/windows-makefile.tmpl, Configurations/common.tmpl


PLATFORM=VC-WIN64-ARM
SRCDIR=.
BLDDIR=.

VERSION=1.1.1a
MAJOR=1
MINOR=1.1

SHLIB_VERSION_NUMBER=1.1

GENERATED_MANDATORY=crypto/include/internal/bn_conf.h crypto/include/internal/dso_conf.h include/openssl/opensslconf.h

INSTALL_LIBS="libcrypto.lib" "libssl.lib"
INSTALL_SHLIBS="libcrypto-1_1-arm64.dll" "libssl-1_1-arm64.dll"
INSTALL_SHLIBPDBS="libcrypto-1_1-arm64.pdb" "libssl-1_1-arm64.pdb"
INSTALL_ENGINES="engines/capi.dll" "engines/padlock.dll"
INSTALL_ENGINEPDBS="engines/capi.pdb" "engines/padlock.pdb"
INSTALL_PROGRAMS="apps/openssl.exe"
INSTALL_PROGRAMPDBS="apps/openssl.pdb"

BIN_SCRIPTS="$(BLDDIR)\tools\c_rehash.pl"
MISC_SCRIPTS="$(BLDDIR)\apps\CA.pl" "$(BLDDIR)\apps\tsget.pl"


APPS_OPENSSL="apps/openssl"

# Do not edit these manually. Use Configure with --prefix or --openssldir
# to change this! Short explanation in the top comment in Configure
INSTALLTOP_dev=
INSTALLTOP_dir=\OpenSSL
OPENSSLDIR_dev=
OPENSSLDIR_dir=\SSL
LIBDIR=lib
ENGINESDIR_dev=
ENGINESDIR_dir=\OpenSSL/lib/engines-1_1
INSTALLTOP=$(INSTALLTOP_dev)$(INSTALLTOP_dir)
OPENSSLDIR=$(OPENSSLDIR_dev)$(OPENSSLDIR_dir)
ENGINESDIR=$(ENGINESDIR_dev)$(ENGINESDIR_dir)

# $(libdir) is chosen to be compatible with the GNU coding standards
libdir=$(INSTALLTOP)\$(LIBDIR)

##### User defined commands and flags ################################

CC=cl
CPP=$(CC) /EP /C
CPPFLAGS=
CFLAGS=/W3 /wd4090 /nologo /O2
LD=link
LDFLAGS=/nologo /debug
EX_LIBS=

PERL=/usr/bin/perl

AR=lib
ARFLAGS= /nologo

MT=mt
MTFLAGS= -nologo

AS=
ASFLAGS=

RC=rc

ECHO="$(PERL)" "$(SRCDIR)\util\echo.pl"

##### Special command flags ##########################################

COUTFLAG=/Fo$(OSSL_EMPTY)
LDOUTFLAG=/out:$(OSSL_EMPTY)
AROUTFLAG=/out:$(OSSL_EMPTY)
MTINFLAG=-manifest $(OSSL_EMPTY)
MTOUTFLAG=-outputresource:$(OSSL_EMPTY)
ASOUTFLAG=$(OSSL_EMPTY)
RCOUTFLAG=/fo$(OSSL_EMPTY)

##### Project flags ##################################################

# Variables starting with CNF_ are common variables for all product types

CNF_ASFLAGS=
CNF_CPPFLAGS=-D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE" -D"OPENSSL_SYS_WIN_CORE" -D"NDEBUG"
CNF_CFLAGS=/Gs0 /GF /Gy /MD
CNF_CXXFLAGS=
CNF_LDFLAGS=/NODEFAULTLIB:kernel32.lib
CNF_EX_LIBS=onecore.lib

# Variables starting with LIB_ are used to build library object files
# and shared libraries.
# Variables starting with DSO_ are used to build DSOs and their object files.
# Variables starting with BIN_ are used to build programs and their object
# files.

LIB_ASFLAGS=$(CNF_ASFLAGS) $(ASFLAGS)
LIB_CPPFLAGS=-D"L_ENDIAN" -D"OPENSSL_PIC" -D"OPENSSLDIR=\"\\SSL\"" -D"ENGINESDIR=\"\\OpenSSL/lib/engines-1_1\"" $(CNF_CPPFLAGS) $(CPPFLAGS)
LIB_CFLAGS=/Zi /Fdossl_static.pdb $(CNF_CFLAGS) $(CFLAGS)
LIB_LDFLAGS=/dll $(CNF_LDFLAGS) $(LDFLAGS)
LIB_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
DSO_ASFLAGS=$(CNF_ASFLAGS) $(ASFLAGS)
DSO_CPPFLAGS=$(CNF_CPPFLAGS) $(CPPFLAGS)
DSO_CFLAGS=/Zi /Fddso.pdb $(CNF_CFLAGS) $(CFLAGS)
DSO_LDFLAGS=/dll $(CNF_LDFLAGS) $(LDFLAGS)
DSO_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
BIN_ASFLAGS=$(CNF_ASFLAGS) $(ASFLAGS)
BIN_CPPFLAGS=$(CNF_CPPFLAGS) $(CPPFLAGS)
BIN_CFLAGS=/Zi /Fdapp.pdb $(CNF_CFLAGS) $(CFLAGS)
BIN_LDFLAGS=/subsystem:console /opt:ref $(CNF_LDFLAGS) $(LDFLAGS)
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)

# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
CPPFLAGS_Q=-D"L_ENDIAN" -D"OPENSSL_PIC"

PERLASM_SCHEME=

PROCESSOR=

build_generated: $(GENERATED_MANDATORY)

crypto/buildinf.h:
"$(PERL)" "util/mkbuildinf.pl" "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" > $@

apps/progs.h:
"$(PERL)" "apps/progs.pl" $(APPS_OPENSSL) > $@

crypto/include/internal/bn_conf.h:
"$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
"-omakefile" "crypto/include/internal/bn_conf.h.in" > $@
crypto/include/internal/dso_conf.h:
"$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
"-omakefile" "crypto/include/internal/dso_conf.h.in" > $@
include/openssl/opensslconf.h:
"$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
"-omakefile" "include/openssl/opensslconf.h.in" > $@

distclean:
$(RM) $(GENERATED)
$(RM) /Q /F configdata.pm
$(RM) /Q /F makefile
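Review bot: `VERSION=1.1.1a` near the top of this generated file does not match the sources this PR vendors (c80bff3 and f54db0b are both for 1.1.1b). Regenerate `Makefile_VC-WIN64-ARM` from the 1.1.1b tree, or state in the commit message that the file is intentionally kept as generated for 1.1.1a, so the version recorded in the build configuration cannot be mistaken for what is actually compiled.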
73 changes: 49 additions & 24 deletions deps/openssl/config/README.md
@@ -1,4 +1,4 @@
## Upgrading OpenSSL-1.1.0
## Upgrading OpenSSL

### Requirements
- Linux environment (Only CentOS7.1 and Ubuntu16 are tested)
Expand All @@ -22,12 +22,12 @@ Copyright (C) 2015 Free Software Foundation, Inc.
$ nasm -v
NASM version 2.11.08
```

### 1. Obtain and extract new OpenSSL sources

Get a new source from https://www.openssl.org/source/ and extract
all files into `deps/openssl/openssl`. Then add all files and commit
them.

```sh
$ cd deps/openssl/
$ rm -rf openssl
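Review bot: Step 1 tells the maintainer to get the tarball from https://www.openssl.org/source/ and extract it into `deps/openssl/openssl`, with no verification in between. While this section is being touched, add a step before the extract that checks the download against the SHA256 digest and PGP signature published alongside the release, and ask for the verified digest to be recorded in the commit message so a reviewer can repeat the check.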
Expand All @@ -36,36 +36,58 @@ $ mv openssl-1.1.0h openssl
$ git add --all openssl
$ git commit openssl
````
The commit message can be

The commit message can be (with the openssl version set to the relevant value):
```
deps: upgrade openssl sources to 1.1.0h

This updates all sources in deps/openssl/openssl with openssl-1.1.0h.
This updates all sources in deps/openssl/openssl by:
$ cd deps/openssl/
$ rm -rf openssl
$ tar zxf ~/tmp/openssl-1.1.0h.tar.gz
$ mv openssl-1.1.0h openssl
$ git add --all openssl
$ git commit openssl
```

### 2. Apply a floating patch

Currently, one floating patch is needed to build S390 asm files.
Currently, one floating patch is needed to build S390 asm files:
```
commit 094465362758ebf967b33c84d5c96230b46a34b3
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Wed Mar 7 23:52:52 2018 +0900
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Wed Mar 7 23:52:52 2018 +0900

deps: add s390 asm rules for OpenSSL-1.1.0

deps: add s390 asm rules for OpenSSL-1.1.0
This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.

This is a floating patch against OpenSSL-1.1.0 to generate asm files
with Makefile rules and it is to be submitted to the upstream.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

deps/openssl/openssl/crypto/poly1305/build.info | 2 ++
```

Cherry pick it from the previous commit.
Find the SHA of the previous commit of this patch:
```sh
$ git log -n1 --oneline -- deps/openssl/openssl/crypto/poly1305/build.info
```

Using the SHA found in the previous step, cherry pick it from the previous
commit (with the openssl version in the commit message set to the relevant
value):
```sh
$ git cherry-pick 45b9f5df6ff1548f01ed646ebee75e3f0873cefd
```
### 3. Execute `make` in `deps/openssl/config` directory

Just type `make` then it generates all platform dependent files into
`deps/openssl/config/archs` directory.

### 3. Execute `make` in `deps/openssl/config` directory

Use `make` to regenerate all platform dependent files in
`deps/openssl/config/archs/`:
```sh
$ cd deps/openssl/config; make
```
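Review bot: The added text says to use the SHA found by `git log -n1 --oneline -- deps/openssl/openssl/crypto/poly1305/build.info`, but the command that follows still hard-codes `git cherry-pick 45b9f5df6ff1548f01ed646ebee75e3f0873cefd`, which goes stale after the first upgrade that re-applies the patch. Replace the literal SHA with a placeholder for the value from the previous step. Separately, the `sh` block ending at `$ git commit openssl` is closed with four backticks instead of three; since the hunk edits the lines around it, fix the fence here too.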
Expand Down Expand Up @@ -96,19 +118,22 @@ $ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
$ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git add deps/openssl/openssl/.gitignore
$ git commit
```

The commit message can be
The commit message can be (with the openssl version set to the relevant value):
```
commit 8cb1de45c60f2d520551166610115531db673518
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Thu Mar 29 16:46:11 2018 +0900

deps: update archs files for OpenSSL-1.1.0

`cd deps/openssl/config; make` updates all archs dependant files.
deps: update archs files for OpenSSL-1.1.0

After an OpenSSL source update, all the config files need to be regenerated and
comitted by:
$ cd deps/openssl/config
$ make
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
$ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
```

Finally, build Node and run tests.
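Review bot: The new commit-message template has a typo in "need to be regenerated and comitted by:"; it should read "committed", since maintainers will paste this text into real commits. The template's subject line also still names `OpenSSL-1.1.0`; a placeholder version would match the "set to the relevant value" wording introduced just above it.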