From 5d412a738ac29ff5fed6cebbb1e6972fd7026464 Mon Sep 17 00:00:00 2001
From: Marco Ippolito <marcoippolito54@gmail.com>
Date: Sun, 7 Jan 2024 10:07:11 +0100
Subject: [PATCH] tools: remove openssl v1 update script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-URL: https://github.com/nodejs/node/pull/51378
Fixes: https://github.com/nodejs/security-wg/issues/1182
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
---
 .github/workflows/update-openssl.yml | 53 +------------------
 tools/dep_updaters/update-openssl.sh | 78 +++++-----------------------
 2 files changed, 14 insertions(+), 117 deletions(-)

diff --git a/.github/workflows/update-openssl.yml b/.github/workflows/update-openssl.yml
index 95802feaee36f3..23361dec160467 100644
--- a/.github/workflows/update-openssl.yml
+++ b/.github/workflows/update-openssl.yml
@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 jobs:
-  openssl-v3-update:
+  openssl-update:
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     steps:
@@ -19,7 +19,7 @@ jobs:
           persist-credentials: false
       - name: Check and download new OpenSSL version
         run: |
-          ./tools/dep_updaters/update-openssl.sh download_v3 > temp-output
+          ./tools/dep_updaters/update-openssl.sh download > temp-output
           cat temp-output
           tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
           rm temp-output
@@ -58,52 +58,3 @@ jobs:
           branch: actions/tools-update-openssl  # Custom branch *just* for this Action.
           commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
           path: deps/openssl
-  openssl-v1-update:
-    if: github.repository == 'nodejs/node'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
-        with:
-          persist-credentials: false
-          ref: v16.x-staging
-      - name: Check and download new OpenSSL version
-        run: |
-          ./tools/dep_updaters/update-openssl.sh download_v1 > temp-output
-          cat temp-output
-          tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
-          rm temp-output
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-      - name: Create PR with first commit
-        if: env.NEW_VERSION
-        uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329  # v1.9.2
-        # Creates a PR with the new OpenSSL source code committed
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-        with:
-          author: Node.js GitHub Bot <github-bot@iojs.org>
-          body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
-          branch: actions/tools-update-openssl-v1  # Custom branch *just* for this Action.
-          commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
-          labels: dependencies
-          title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}'
-          path: deps/openssl
-          update-pull-request-title-and-body: true
-      - name: Regenerate platform specific files
-        if: env.NEW_VERSION
-        run: |
-          sudo apt install -y nasm libtext-template-perl
-          ./tools/dep_updaters/update-openssl.sh regenerate
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-      - name: Add second commit
-        # Adds a second commit to the PR with the generated platform-dependent files
-        if: env.NEW_VERSION
-        uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329  # v1.9.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-        with:
-          author: Node.js GitHub Bot <github-bot@iojs.org>
-          branch: actions/tools-update-openssl-v1  # Custom branch *just* for this Action.
-          commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
-          path: deps/openssl
diff --git a/tools/dep_updaters/update-openssl.sh b/tools/dep_updaters/update-openssl.sh
index bef379b707a04e..1437e9e8b940bd 100755
--- a/tools/dep_updaters/update-openssl.sh
+++ b/tools/dep_updaters/update-openssl.sh
@@ -9,80 +9,26 @@ cleanup() {
   exit $EXIT_CODE
 }
 
-download_v1() {
-  LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
-const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1');
-if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
-const releases = await res.json()
-const latest = releases.findLast(({ ref }) => ref.includes('quic'));
-if(!latest) throw new Error(`Could not find latest release for v1`);
-console.log(latest.ref.replace('refs/tags/',''));
-EOF
-)"
-
-  NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g')
-
-  case "$NEW_VERSION_V1" in
-    *quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;;
-    *) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;;
-  esac
-
-  VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h"
-  CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1)
-
-  # This function exit with 0 if new version and current version are the same
-  compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION"
-
-  echo "Making temporary workspace..."
-  WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
-  cd "$WORKSPACE"
-
-  echo "Fetching OpenSSL source archive..."
-  OPENSSL_TARBALL="openssl.tar.gz"
-  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME"
-  log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
-  gzip -dc "$OPENSSL_TARBALL" | tar xf -
-  rm "$OPENSSL_TARBALL"
-
-  mv quictls-openssl-* openssl
-
-  echo "Replacing existing OpenSSL..."
-  rm -rf "$DEPS_DIR/openssl/openssl"
-  mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"
-  
-  echo "All done!"
-  echo ""
-  echo "Please git add openssl, and commit the new version:"
-  echo ""
-  echo "$ git add -A deps/openssl/openssl"
-  echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
-  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\""
-  echo ""
-  # The last line of the script should always print the new version,
-  # as we need to add it to $GITHUB_ENV variable.
-  echo "NEW_VERSION=$NEW_VERSION_V1"
-}
-
-download_v3() {
-  LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
+download() {
+  LATEST_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
 const releases = await res.json()
 const latest = releases.findLast(({ ref }) => ref.includes('quic'));
-if(!latest) throw new Error(`Could not find latest release for v3.0`);
+if(!latest) throw new Error(`Could not find latest release`);
 console.log(latest.ref.replace('refs/tags/',''));
 EOF
 )"
-  NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
+  NEW_VERSION=$(echo "$LATEST_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
 
-  case "$NEW_VERSION_V3" in
-    *quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;;
-    *) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;;
+  case "$NEW_VERSION" in
+    *quic1) NEW_VERSION_NO_RELEASE="${NEW_VERSION%1}" ;;
+    *) NEW_VERSION_NO_RELEASE="$NEW_VERSION" ;;
   esac
   VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
   CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
   # This function exit with 0 if new version and current version are the same
-  compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION"
+  compare_dependency_version "openssl" "$NEW_VERSION_NO_RELEASE" "$CURRENT_VERSION"
 
   echo "Making temporary workspace..."
 
@@ -93,7 +39,7 @@ EOF
 
   OPENSSL_TARBALL="openssl.tar.gz"
 
-  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME"
+  curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_TAG_NAME"
 
   log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
 
@@ -110,11 +56,11 @@ EOF
   echo "Please git add openssl, and commit the new version:"
   echo ""
   echo "$ git add -A deps/openssl/openssl"
-  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\""
+  echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION\""
   echo ""
   # The last line of the script should always print the new version,
   # as we need to add it to $GITHUB_ENV variable.
-  echo "NEW_VERSION=$NEW_VERSION_V3"
+  echo "NEW_VERSION=$NEW_VERSION"
 }
 
 regenerate() {
@@ -168,7 +114,7 @@ main() {
   . "$BASE_DIR/tools/dep_updaters/utils.sh"
 
   case ${1} in
-    help | regenerate | download_v1 | download_v3 )
+    help | regenerate | download )
       $1 "${2}"
     ;;
     * )