From e6582081598cac76cf41155f5cf65adcf18344fc Mon Sep 17 00:00:00 2001
From: Marco Ippolito
Date: Sun, 7 Jan 2024 10:07:11 +0100
Subject: [PATCH] tools: remove openssl v1 update script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/51378
Fixes: https://github.com/nodejs/security-wg/issues/1182
Reviewed-By: Michaƫl Zasso
Reviewed-By: Richard Lau
Reviewed-By: Rafael Gonzaga
Reviewed-By: Luigi Pinca
Reviewed-By: Benjamin Gruenbaum
Reviewed-By: Michael Dawson
---
 .github/workflows/update-openssl.yml | 53 +------------------
 tools/dep_updaters/update-openssl.sh | 78 +++++-----------------------
 2 files changed, 14 insertions(+), 117 deletions(-)
diff --git a/.github/workflows/update-openssl.yml b/.github/workflows/update-openssl.yml
index 95802feaee36f3..23361dec160467 100644
--- a/.github/workflows/update-openssl.yml
+++ b/.github/workflows/update-openssl.yml
@@ -10,7 +10,7 @@ permissions:
 contents: read
 jobs:
- openssl-v3-update:
+ openssl-update:
 if: github.repository == 'nodejs/node'
 runs-on: ubuntu-latest
 steps:
@@ -19,7 +19,7 @@ jobs:
 persist-credentials: false
 - name: Check and download new OpenSSL version
 run: |
- ./tools/dep_updaters/update-openssl.sh download_v3 > temp-output
+ ./tools/dep_updaters/update-openssl.sh download > temp-output
 cat temp-output
 tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
 rm temp-output
@@ -58,52 +58,3 @@ jobs:
 branch: actions/tools-update-openssl # Custom branch *just* for this Action.
 commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
 path: deps/openssl
- openssl-v1-update:
- if: github.repository == 'nodejs/node'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- persist-credentials: false
- ref: v16.x-staging
- - name: Check and download new OpenSSL version
- run: |
- ./tools/dep_updaters/update-openssl.sh download_v1 > temp-output
- cat temp-output
- tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
- rm temp-output
- env:
- GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- - name: Create PR with first commit
- if: env.NEW_VERSION
- uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
- # Creates a PR with the new OpenSSL source code committed
- env:
- GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- with:
- author: Node.js GitHub Bot
- body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
- branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
- commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
- labels: dependencies
- title: '[v16.x] deps: update OpenSSL to ${{ env.NEW_VERSION }}'
- path: deps/openssl
- update-pull-request-title-and-body: true
- - name: Regenerate platform specific files
- if: env.NEW_VERSION
- run: |
- sudo apt install -y nasm libtext-template-perl
- ./tools/dep_updaters/update-openssl.sh regenerate
- env:
- GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- - name: Add second commit
- # Adds a second commit to the PR with the generated platform-dependent files
- if: env.NEW_VERSION
- uses: gr2m/create-or-update-pull-request-action@df20b2c073090271599a08c55ae26e0c3522b329 # v1.9.2
- env:
- GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
- with:
- author: Node.js GitHub Bot
- branch: actions/tools-update-openssl-v1 # Custom branch *just* for this Action.
- commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
- path: deps/openssl
diff --git a/tools/dep_updaters/update-openssl.sh b/tools/dep_updaters/update-openssl.sh
index bef379b707a04e..1437e9e8b940bd 100755
--- a/tools/dep_updaters/update-openssl.sh
+++ b/tools/dep_updaters/update-openssl.sh
@@ -9,80 +9,26 @@ cleanup() {
 exit $EXIT_CODE
 }
-download_v1() {
- LATEST_V1_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
-const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1');
-if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
-const releases = await res.json()
-const latest = releases.findLast(({ ref }) => ref.includes('quic'));
-if(!latest) throw new Error(`Could not find latest release for v1`);
-console.log(latest.ref.replace('refs/tags/',''));
-EOF
-)"
-
- NEW_VERSION_V1=$(echo "$LATEST_V1_TAG_NAME" | sed 's/OpenSSL_//;s/_/./g;s/-/+/g')
-
- case "$NEW_VERSION_V1" in
- *quic1) NEW_VERSION_V1_NO_RELEASE="${NEW_VERSION_V1%1}" ;;
- *) NEW_VERSION_V1_NO_RELEASE="$NEW_VERSION_V1" ;;
- esac
-
- VERSION_H="$DEPS_DIR/openssl/openssl/include/openssl/opensslv.h"
- CURRENT_VERSION=$(grep "OPENSSL_VERSION_TEXT" "$VERSION_H" | sed -n "s/.*OpenSSL \([^\"]*\).*/\1/p" | cut -d ' ' -f 1)
-
- # This function exit with 0 if new version and current version are the same
- compare_dependency_version "openssl" "$NEW_VERSION_V1_NO_RELEASE" "$CURRENT_VERSION"
-
- echo "Making temporary workspace..."
- WORKSPACE=$(mktemp -d 2> /dev/null || mktemp -d -t 'tmp')
- cd "$WORKSPACE"
-
- echo "Fetching OpenSSL source archive..."
- OPENSSL_TARBALL="openssl.tar.gz"
- curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V1_TAG_NAME"
- log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
- gzip -dc "$OPENSSL_TARBALL" | tar xf -
- rm "$OPENSSL_TARBALL"
-
- mv quictls-openssl-* openssl
-
- echo "Replacing existing OpenSSL..."
- rm -rf "$DEPS_DIR/openssl/openssl"
- mv "$WORKSPACE/openssl" "$DEPS_DIR/openssl/"
-
- echo "All done!"
- echo ""
- echo "Please git add openssl, and commit the new version:"
- echo ""
- echo "$ git add -A deps/openssl/openssl"
- echo "$ git add doc/contributing/maintaining/maintaining-dependencies.md"
- echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V1\""
- echo ""
- # The last line of the script should always print the new version,
- # as we need to add it to $GITHUB_ENV variable.
- echo "NEW_VERSION=$NEW_VERSION_V1"
-}
-
-download_v3() {
- LATEST_V3_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
+download() {
+ LATEST_TAG_NAME="$("$NODE" --input-type=module <<'EOF'
 const res = await fetch('https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/openssl-3.0');
 if (!res.ok) throw new Error(`FetchError: ${res.status} ${res.statusText}`, { cause: res });
 const releases = await res.json()
 const latest = releases.findLast(({ ref }) => ref.includes('quic'));
-if(!latest) throw new Error(`Could not find latest release for v3.0`);
+if(!latest) throw new Error(`Could not find latest release`);
 console.log(latest.ref.replace('refs/tags/',''));
 EOF
 )"
- NEW_VERSION_V3=$(echo "$LATEST_V3_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
+ NEW_VERSION=$(echo "$LATEST_TAG_NAME" | sed 's/openssl-//;s/-/+/g')
- case "$NEW_VERSION_V3" in
- *quic1) NEW_VERSION_V3_NO_RELEASE="${NEW_VERSION_V3%1}" ;;
- *) NEW_VERSION_V3_NO_RELEASE="$NEW_VERSION_V3" ;;
+ case "$NEW_VERSION" in
+ *quic1) NEW_VERSION_NO_RELEASE="${NEW_VERSION%1}" ;;
+ *) NEW_VERSION_NO_RELEASE="$NEW_VERSION" ;;
 esac
 VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
 CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
 # This function exit with 0 if new version and current version are the same
- compare_dependency_version "openssl" "$NEW_VERSION_V3_NO_RELEASE" "$CURRENT_VERSION"
+ compare_dependency_version "openssl" "$NEW_VERSION_NO_RELEASE" "$CURRENT_VERSION"
 echo "Making temporary workspace..."
@@ -93,7 +39,7 @@ EOF
 OPENSSL_TARBALL="openssl.tar.gz"
- curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_V3_TAG_NAME"
+ curl -sL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_TAG_NAME"
 log_and_verify_sha256sum "openssl" "$OPENSSL_TARBALL"
@@ -110,11 +56,11 @@ EOF
 echo "Please git add openssl, and commit the new version:"
 echo ""
 echo "$ git add -A deps/openssl/openssl"
- echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION_V3\""
+ echo "$ git commit -m \"deps: upgrade openssl sources to quictls/openssl-$NEW_VERSION\""
 echo ""
 # The last line of the script should always print the new version,
 # as we need to add it to $GITHUB_ENV variable.
- echo "NEW_VERSION=$NEW_VERSION_V3"
+ echo "NEW_VERSION=$NEW_VERSION"
 }
 regenerate() {
@@ -168,7 +114,7 @@ main() {
 . "$BASE_DIR/tools/dep_updaters/utils.sh"
 case ${1} in
- help | regenerate | download_v1 | download_v3 )
+ help | regenerate | download )
 $1 "${2}"
 ;;
 * )
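Review bot: In the renamed `download()`, `releases.findLast(({ ref }) => ref.includes('quic'))` takes whichever matching ref the API response lists last, so the chosen tag depends on response order and not on a version comparison. The ordering is not visible in this diff; if it is lexicographic, a tag such as `openssl-3.0.9-quic1` would sort after `openssl-3.0.10-quic1` and the updater would settle on the older release without any error, which for an OpenSSL updater means a delayed security fix. An explicit numeric-aware sort before taking the last element would remove that dependency, for example `.filter(({ ref }) => ref.includes('quic')).sort((a, b) => a.ref.localeCompare(b.ref, undefined, { numeric: true })).at(-1)`. The function name and error message are now generic while the ref prefix `openssl-3.0` stays hard-coded, so a comment such as `# Tracks the quictls openssl-3.0 series only` above `download()` would keep that visible. `download()` continues past the end of this hunk.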
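Review bot: The `curl -sL` on the renamed tarball line has no `-f`, so an HTTP error body from api.github.com (a rate-limit reply, for instance) is written to `openssl.tar.gz` and the failure only surfaces later, if at all; `curl -fsSL -o "$OPENSSL_TARBALL" "https://api.github.com/repos/quictls/openssl/tarball/$LATEST_TAG_NAME"` stops at the download instead. `log_and_verify_sha256sum` is called here with only the package name and the file, and its body lives in utils.sh outside this diff, so it is worth confirming that it compares against a pinned digest and does not merely log one; if it only logs, the integrity of the vendored OpenSSL source rests on TLS to the API alone. The enclosing function starts and ends outside this hunk.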