deps: update to openssl-3.0.1+quic #41177
The `deps/openssl/config/generate_headers.pl` imports `Text::Template` but that Perl module is not present in the default Perl installation in the Dockerfile and needs to be explicitly installed.
LGTM
Do we need to fast track this? I don't think we are in any hurry to get 17.x out today
😞 We appear to be seeing the same

I'm not seeing similar failures on either release line on Linux (and neither is our Jenkins CI). Anyone on macOS able to take a look?
```
node:internal/crypto/util:111
    throw new ERR_CRYPTO_ENGINE_UNKNOWN(id);
    ^

Error [ERR_CRYPTO_ENGINE_UNKNOWN]: Engine "/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1015/out/Release/libtest_crypto_engine.dylib" was not found
    at new NodeError (node:internal/errors:371:5)
    at Object.setEngine (node:internal/crypto/util:111:11)
    at Object.<anonymous> (/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1015/test/parallel/test-crypto-engine.js:47:12)
    at Module._compile (node:internal/modules/cjs/loader:1097:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1149:10)
    at Module.load (node:internal/modules/cjs/loader:975:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:17:47 {
  code: 'ERR_CRYPTO_ENGINE_UNKNOWN'
}

Node.js v18.0.0-pre
```

Maybe cc @RaisinTen who updated the
I don't use macos but my best guess is that this is due to openssl/openssl#17073. We are probably (incorrectly) loading the engine twice and OpenSSL did not report that as an error before as far as I can tell.
lgtm
I think this is correct.

```
test-macstadium-macos11:osx11 iojs$ ./out/Release/openssl-cli version
OpenSSL 3.0.0+quic 7 sep 2021 (Library: OpenSSL 3.0.0+quic 7 sep 2021)
test-macstadium-macos11:osx11 iojs$ ./out/Release/openssl-cli-3.0.1 version
OpenSSL 3.0.1+quic 14 Dec 2021 (Library: OpenSSL 3.0.1+quic 14 Dec 2021)
test-macstadium-macos11:osx11 iojs$
```

OpenSSL 3.0.0, duplicate engines, no error:

```
test-macstadium-macos11:osx11 iojs$ ./out/Release/openssl-cli dgst -sha1 -engine /Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib -engine /Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib
Engine "libtest_crypto_engine" set.
Engine "libtest_crypto_engine" set.
SHA1(stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
test-macstadium-macos11:osx11 iojs$
```

OpenSSL 3.0.1 now throws an error for the same command:

```
test-macstadium-macos11:osx11 iojs$ ./out/Release/openssl-cli-3.0.1 dgst -sha1 -engine /Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib -engine /Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib
Engine "libtest_crypto_engine" set.
Invalid engine "/Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib"
403DB30401000000:error:1300006D:engine routines:dynamic_load:init failed:../deps/openssl/openssl/crypto/engine/eng_dyn.c:494:
403DB30401000000:error:13000074:engine routines:ENGINE_by_id:no such engine:../deps/openssl/openssl/crypto/engine/eng_list.c:430:id=/Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib
403DB30401000000:error:1300006D:engine routines:dynamic_load:init failed:../deps/openssl/openssl/crypto/engine/eng_dyn.c:494:
SHA1(stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
test-macstadium-macos11:osx11 iojs$
```

It looks like it only objects with absolute paths. If the id is used for the second "duplicate" engine it still works:

```
test-macstadium-macos11:osx11 iojs$ ./out/Release/openssl-cli-3.0.1 dgst -sha1 -engine /Users/iojs/build/workspace/node-test-commit-osx-arm/nodes/osx11/out/Release/libtest_crypto_engine.dylib -engine libtest_crypto_engine
Engine "libtest_crypto_engine" set.
Engine "libtest_crypto_engine" set.
SHA1(stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
test-macstadium-macos11:osx11 iojs$
```
We should fix this eventually. The fact that this only fails on macOS probably means that we are not doing things properly on other platforms either. Could you add a TODO comment in the test file and/or in the C++ source code?
Newer versions of OpenSSL now throw an error if an engine is loaded twice by its absolute path (a second load by its id appears to be okay).
This updates all sources in deps/openssl/openssl by:

```
$ git clone git@github.com:quictls/openssl.git
$ cd openssl
$ cd ../node/deps/openssl
$ rm -rf openssl
$ cp -R ../openssl openssl
$ rm -rf openssl/.git* openssl/.travis*
$ git add --all openssl
$ git commit openssl
```

After an OpenSSL source update, all the config files need to be regenerated and committed by:

```
$ make -C deps/openssl/config
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl
$ git commit
```
Thanks!
The `deps/openssl/config/generate_headers.pl` imports `Text::Template` but that Perl module is not present in the default Perl installation in the Dockerfile and needs to be explicitly installed.

PR-URL: #41177
Refs: quictls/openssl#69
Refs: https://mta.openssl.org/pipermail/openssl-announce/2021-December/000212.html
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>

Newer versions of OpenSSL now throw an error if an engine is loaded twice by its absolute path (a second load by its id appears to be okay).

PR-URL: #41177
Refs: quictls/openssl#69
Refs: https://mta.openssl.org/pipermail/openssl-announce/2021-December/000212.html
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>

This updates all sources in deps/openssl/openssl by:

```
$ git clone git@github.com:quictls/openssl.git
$ cd openssl
$ cd ../node/deps/openssl
$ rm -rf openssl
$ cp -R ../openssl openssl
$ rm -rf openssl/.git* openssl/.travis*
$ git add --all openssl
$ git commit openssl
```

PR-URL: #41177
Refs: quictls/openssl#69
Refs: https://mta.openssl.org/pipermail/openssl-announce/2021-December/000212.html
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>

After an OpenSSL source update, all the config files need to be regenerated and committed by:

```
$ make -C deps/openssl/config
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl
$ git commit
```

PR-URL: #41177
Refs: quictls/openssl#69
Refs: https://mta.openssl.org/pipermail/openssl-announce/2021-December/000212.html
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>
OpenSSL-3.0.1:

OpenSSL-3.0.1 contains a fix for CVE-2021-4044: Invalid handling of X509_verify_cert() internal errors in libssl (Moderate). This is a vulnerability in OpenSSL that may be exploited through Node.js. More information can be read here: https://www.openssl.org/news/secadv/20211214.txt.

Contributed by Richard Lau #41177

Other Notable Changes:

* lib:
  * make AbortSignal cloneable/transferable (James M Snell) #41050
* deps:
  * upgrade npm to 8.3.0 (npm team) #41127
* doc:
  * add @bnb as a collaborator (Tierney Cyren) #41100
* process:
  * add `getActiveResourcesInfo()` (Darshan Sen) #40813
* timers:
  * add experimental scheduler api (James M Snell) #40909

PR-URL: #41167
Refs: quictls/openssl#69
Refs: https://mta.openssl.org/pipermail/openssl-announce/2021-December/000212.html
Updated as per https://github.com/nodejs/node/blob/master/doc/guides/maintaining-openssl.md. This took longer than expected because it turned out the Dockerfile was missing a Perl module used by `deps/openssl/config/generate_headers.pl` (which only exists in the Node.js versions where we build with OpenSSL 3).

cc @danielleadams