node icon indicating copy to clipboard operation
node copied to clipboard
verified publisher icon nodejs

[do not land] deps: update OpenSSL to 3.5.0

Open nodejs-github-bot opened this issue 7 months ago • 6 comments

This is an automated update of OpenSSL to 3.5.0.

nodejs-github-bot avatar May 01 '25 16:05 nodejs-github-bot

Review requested:

  • [ ] @nodejs/security-wg

nodejs-github-bot avatar May 01 '25 16:05 nodejs-github-bot

FYI I'm testing the automation.

richardlau avatar May 01 '25 16:05 richardlau

This was opened by https://github.com/nodejs/node/actions/runs/14779389322/job/41494768590, running on the branch for https://github.com/nodejs/node/pull/58098.

richardlau avatar May 01 '25 17:05 richardlau

Marked [do not land] (and labelled blocked). The intention is to land https://github.com/nodejs/node/pull/58099 and https://github.com/nodejs/node/pull/58100 and then run the updater workflow from main to do the proper upgrade (e.g. in this PR the commits from https://github.com/nodejs/node/pull/58098 have been squashed into the first commit, which isn't what we want).

richardlau avatar May 01 '25 18:05 richardlau

CI: https://ci.nodejs.org/job/node-test-pull-request/66533/

nodejs-github-bot avatar May 02 '25 00:05 nodejs-github-bot

CI: https://ci.nodejs.org/job/node-test-pull-request/66533/

https://ci.nodejs.org/job/node-test-commit-linux/nodes=rhel8-x64/64390/console

02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s: Assembler messages:
02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s:85: Error: unsupported instruction `vpmadd52luq'
02:00:16 ../deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s:86: Error: unsupported instruction `vpmadd52luq'
...

So the build failures are a surprise as I wasn't seeing those locally (Linux x64). On further investigation it looks like some of the config files, specifically some of the assembly *.s files, are different when run on GitHub workflow vs generating them locally with deps/openssl/config/Dockerfile.

For example, compare

  • https://github.com/nodejs/node/blob/8573b4a8018920b95fdfc8e989c22c3c017a90d8/deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s (1167 lines)
  • https://github.com/richardlau/node-1/blob/537b8710d483ef67d129080f5ad509f90ff480db/deps/openssl/config/archs/linux-x86_64/asm/crypto/bn/rsaz-2k-avxifma.s (40 lines)

I think this is partly due to https://github.com/openssl/openssl/pull/25751 and e.g. https://github.com/nodejs/node/blob/8573b4a8018920b95fdfc8e989c22c3c017a90d8/deps/openssl/openssl/crypto/bn/asm/rsaz-2k-avxifma.pl#L30-L34 which is sensitive to GNU assembler version.

The version of GNU assembler in the Dockerfile (Ubuntu 20.04) is 2.34. My RHEL 9 build environment has GNU assembler 2.38. Both of those are less than 2.40. Ubuntu 24.04 appears to have GNU assembler 2.42, which passes the above check. The build in Jenkins will be running with different versions of GNU assembler depending on the installed version of binutils.

richardlau avatar May 02 '25 01:05 richardlau