deps: update OpenSSL to 3.5 #57795

Open. Wants to merge 5 commits into base: main

targos
Member

@targos targos commented Apr 8, 2025

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added the tools Issues and PRs related to the tools directory. label Apr 8, 2025
@ranisalt

ranisalt commented Apr 8, 2025

Beat me to it 😆

@targos
Member Author

targos commented Apr 8, 2025

I tried to run it locally. The download step seems to work but I don't have the dependencies to try the regenerate one.

@targos
Member Author

targos commented Apr 8, 2025

@ranisalt Feel free to reopen your PR and I'll close this one. Don't want to steal your first contribution!

@richardlau
Member

It's not that simple, unfortunately. It will replace the tree inside deps/openssl but will fail to build.

I'm currently picking apart how we converted the OpenSSL 3.0 build to gyp to work out what needs to be updated (ideally without hardcoding filenames everywhere).

@targos
Member Author

targos commented Apr 9, 2025

I ran the update script on my fork to generate the commits so we can see what issues need fixing.

@targos
Member Author

targos commented Apr 9, 2025

Locally I get this first error:

FAILED: obj/deps/openssl/openssl/ssl/openssl.ssl_ciph.o 
cc -MMD -MF obj/deps/openssl/openssl/ssl/openssl.ssl_ciph.o.d -D_GLIBCXX_USE_CXX11_ABI=1 -DNODE_OPENSSL_CONF_NAME=nodejs_conf -DICU_NO_USER_DATA_OVERRIDE -D_DARWIN_USE_64_BIT_INODE=1 -DOPENSSL_NO_PINSHARED -DOPENSSL_THREADS -DOPENSSL_NO_HW -DOPENSSL_API_COMPAT=0x10100001L -DSTATIC_LEGACY -DNDEBUG -DL_ENDIAN -DOPENSSL_BUILDING_OPENSSL -DBSAES_ASM -DECP_NISTZ256_ASM -DECP_SM2P256_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_MONT -DOPENSSL_CPUID_OBJ -DOPENSSL_SM3_ASM -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DSM4_ASM -DVPAES_ASM -DVPSM4_ASM -DOPENSSL_PIC '-DMODULESDIR="/Users/mzasso/git/nodejs/node/out/out/Debug/obj.target/deps/openssl/lib/openssl-modules"' '-DOPENSSLDIR="/System/Library/OpenSSL/"' '-DENGINESDIR="/dev/null"' -I../../deps/openssl/openssl -I../../deps/openssl/openssl/include -I../../deps/openssl/openssl/crypto -I../../deps/openssl/openssl/crypto/include -I../../deps/openssl/openssl/crypto/modes -I../../deps/openssl/openssl/crypto/ec/curve448 -I../../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I../../deps/openssl/openssl/providers/common/include -I../../deps/openssl/openssl/providers/implementations/include -I../../deps/openssl/config -I../../deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2 -I../../deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include -I../../deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto -I../../deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/include/internal -I../../deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/providers/common/include -O3 -gdwarf-2 -fno-strict-aliasing -mmacosx-version-min=13.5 -arch arm64 -Wall -Wendif-labels -W -Wno-unused-parameter -Wno-missing-field-initializers   -c ../../deps/openssl/openssl/ssl/ssl_ciph.c -o obj/deps/openssl/openssl/ssl/openssl.ssl_ciph.o
../../deps/openssl/openssl/ssl/ssl_ciph.c:15:10: fatal error: 'openssl/comp.h' file not found
   15 | #include <openssl/comp.h>
      |          ^~~~~~~~~~~~~~~~
1 error generated.

@targos targos changed the title tools: switch OpenSSL updater to 3.5 tools: update OpenSSL to 3.5 Apr 9, 2025
@targos targos changed the title tools: update OpenSSL to 3.5 deps: update OpenSSL to 3.5 Apr 9, 2025
@targos
Member Author

targos commented Apr 10, 2025

OK, I think comp.h is not generated because we explicitly pass no-comp: https://github.com/targos/node/blob/a0a0297126347145784e793ea057892c47763269/deps/openssl/config/Makefile#L24-L28

@targos
Member Author

targos commented Apr 10, 2025

That was introduced in #19794 with the comment "against CRIME attack" in the code.

@targos
Member Author

targos commented Apr 10, 2025

@richardlau
Member

In OpenSSL 3.5 comp.h is now generated from comp.h.in.

Before the CI security incident kicked off, I'd started looking at how we translated the OpenSSL build to Node.js.
Ref: https://github.com/nodejs/node/blob/main/deps/openssl/README.md

The second part of the update script runs a configuration step that runs through OpenSSL's Perl scripts to generate additional files.

I've tried this diff to add generation of comp.h during the second part of the update process (note the Makefiles say not to edit, but our own deps/openssl/README.md says these are hand crafted):

diff --git a/deps/openssl/config/Makefile b/deps/openssl/config/Makefile
index 48d2af80019..c8e6889fb70 100644
--- a/deps/openssl/config/Makefile
+++ b/deps/openssl/config/Makefile
@@ -37,7 +37,7 @@ OPSSL_SRC = ../openssl
 # Header files generated with Configure
 #INT_CFGS = bn_conf.h dso_conf.h
 INT_CFG_DIR = $(OPSSL_SRC)/include/crypto
-GEN_HEADERS = asn1 asn1t bio cmp cms configuration conf crmf crypto ct err    \
+GEN_HEADERS = asn1 asn1t bio comp cmp cms configuration conf crmf crypto ct err    \
               ess fipskey lhash ocsp opensslv pkcs12 pkcs7 safestack srp ssl  \
              ui x509 x509v3 x509_vfy conf

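Review bot: GEN_HEADERS keeps its duplicate `conf` (once after `configuration`, again at the end of the third line), and the new `comp` entry is inserted ahead of `cmp`, so the list is neither deduplicated nor in order. Suggest dropping the trailing `conf` and placing `comp` after `cms`, which makes later additions easier to spot in review.
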
diff --git a/deps/openssl/config/Makefile_VC-WIN32 b/deps/openssl/config/Makefile_VC-WIN32
index fdbef72361b..b5c746fb2df 100644
--- a/deps/openssl/config/Makefile_VC-WIN32
+++ b/deps/openssl/config/Makefile_VC-WIN32
@@ -1,7 +1,7 @@
 BLDDIR=.
 PERL=perl
 RM= rm -f
-GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
+GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/comp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
 GENERATED=apps/CA.pl apps/openssl.rc apps/progs.h apps/tsget.pl crypto/aes/aes-586.asm crypto/aes/aesni-x86.asm crypto/aes/vpaes-x86.asm crypto/bf/bf-586.asm crypto/bn/bn-586.asm crypto/bn/co-586.asm crypto/bn/x86-gf2m.asm crypto/bn/x86-mont.asm crypto/buildinf.h crypto/camellia/cmll-x86.asm crypto/chacha/chacha-x86.asm crypto/des/crypt586.asm crypto/des/des-586.asm crypto/ec/ecp_nistz256-x86.asm crypto/md5/md5-586.asm crypto/modes/ghash-x86.asm crypto/poly1305/poly1305-x86.asm crypto/rc4/rc4-586.asm crypto/ripemd/rmd-586.asm crypto/sha/sha1-586.asm crypto/sha/sha256-586.asm crypto/sha/sha512-586.asm crypto/whrlpool/wp-mmx.asm crypto/x86cpuid.asm engines/capi.def engines/dasync.def engines/e_padlock-x86.asm engines/ossltest.def engines/padlock.def libcrypto.def libcrypto.rc libssl.def libssl.rc test/buildtest_aes.c test/buildtest_asn1.c test/buildtest_asn1t.c test/buildtest_async.c test/buildtest_bio.c test/buildtest_blowfish.c test/buildtest_bn.c test/buildtest_buffer.c test/buildtest_camellia.c test/buildtest_cast.c test/buildtest_cmac.c test/buildtest_cms.c test/buildtest_comp.c test/buildtest_conf.c test/buildtest_conf_api.c test/buildtest_crypto.c test/buildtest_ct.c test/buildtest_des.c test/buildtest_dh.c test/buildtest_dsa.c test/buildtest_dtls1.c test/buildtest_e_os2.c test/buildtest_ebcdic.c test/buildtest_ec.c test/buildtest_ecdh.c test/buildtest_ecdsa.c test/buildtest_engine.c test/buildtest_evp.c test/buildtest_hmac.c test/buildtest_idea.c test/buildtest_kdf.c test/buildtest_lhash.c test/buildtest_md4.c test/buildtest_md5.c test/buildtest_mdc2.c test/buildtest_modes.c test/buildtest_obj_mac.c test/buildtest_objects.c test/buildtest_ocsp.c test/buildtest_opensslv.c test/buildtest_ossl_typ.c test/buildtest_pem.c test/buildtest_pem2.c test/buildtest_pkcs12.c test/buildtest_pkcs7.c test/buildtest_rand.c test/buildtest_rand_drbg.c test/buildtest_rc2.c test/buildtest_rc4.c test/buildtest_ripemd.c test/buildtest_rsa.c test/buildtest_safestack.c 
test/buildtest_seed.c test/buildtest_sha.c test/buildtest_srp.c test/buildtest_srtp.c test/buildtest_ssl.c test/buildtest_ssl2.c test/buildtest_stack.c test/buildtest_store.c test/buildtest_symhacks.c test/buildtest_tls1.c test/buildtest_ts.c test/buildtest_txt_db.c test/buildtest_ui.c test/buildtest_whrlpool.c test/buildtest_x509.c test/buildtest_x509_vfy.c test/buildtest_x509v3.c tools/c_rehash.pl providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c

 # Variables starting with LIB_ are used to build library object files
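
Review bot: GENERATED_MANDATORY lists `providers/common/include/prov/der_rsa.h` twice on both the old and the new line, and the added `include/openssl/comp.h` is the only change in a single very long line, which makes a missed header hard to see. The same line is edited again in Makefile_VC-WIN64-ARM and Makefile_VC-WIN64A, so consider one path per continuation line (or generating the list) and removing the duplicate while touching it.
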
@@ -54,6 +54,9 @@ include/openssl/bio.h: include/openssl/bio.h.in configdata.pm
 include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
+include/openssl/comp.h: include/openssl/comp.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/comp.h.in" > $@
 include/openssl/cms.h: include/openssl/cms.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cms.h.in" > $@
diff --git a/deps/openssl/config/Makefile_VC-WIN64-ARM b/deps/openssl/config/Makefile_VC-WIN64-ARM
index 52fc9cd9cf4..4a1d558a2a0 100644
--- a/deps/openssl/config/Makefile_VC-WIN64-ARM
+++ b/deps/openssl/config/Makefile_VC-WIN64-ARM
@@ -16,7 +16,7 @@ MINOR=1.1

 SHLIB_VERSION_NUMBER=1.1

-GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
+GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/comp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
 GENERATED=crypto/buildinf.h apps/progs.h providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c apps/progs.c providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c

 INSTALL_LIBS="libcrypto.lib" "libssl.lib"
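
Review bot: The context around the GENERATED_MANDATORY change still carries `MINOR=1.1` (in the hunk header) and `SHLIB_VERSION_NUMBER=1.1`, and the `GENERATED=` line lists every `providers/common/der/der_*_gen.c` file twice. Worth confirming whether anything in the 3.5 build reads those values and cleaning them up in the same pass, since the file is being edited by hand anyway.
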
@@ -157,6 +157,9 @@ include/openssl/bio.h: include/openssl/bio.h.in configdata.pm
 include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
+include/openssl/comp.h: include/openssl/comp.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/comp.h.in" > $@
 include/openssl/cms.h: include/openssl/cms.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cms.h.in" > $@
diff --git a/deps/openssl/config/Makefile_VC-WIN64A b/deps/openssl/config/Makefile_VC-WIN64A
index d8fde1e0f39..c9ac8a33a15 100644
--- a/deps/openssl/config/Makefile_VC-WIN64A
+++ b/deps/openssl/config/Makefile_VC-WIN64A
@@ -5,7 +5,7 @@ RM= rm -f
 AS=nasm
 ASFLAGS=-g

-GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
+GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/comp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
 GENERATED=apps/CA.pl apps/openssl.rc apps/progs.h apps/tsget.pl crypto/aes/aes-x86_64.asm crypto/aes/aesni-mb-x86_64.asm crypto/aes/aesni-sha1-x86_64.asm crypto/aes/aesni-sha256-x86_64.asm crypto/aes/aesni-x86_64.asm crypto/aes/bsaes-x86_64.asm crypto/aes/vpaes-x86_64.asm crypto/bn/rsaz-avx2.asm crypto/bn/rsaz-x86_64.asm crypto/bn/x86_64-gf2m.asm crypto/bn/x86_64-mont.asm crypto/bn/x86_64-mont5.asm crypto/buildinf.h crypto/camellia/cmll-x86_64.asm crypto/chacha/chacha-x86_64.asm crypto/ec/ecp_nistz256-x86_64.asm crypto/ec/x25519-x86_64.asm crypto/md5/md5-x86_64.asm crypto/modes/aesni-gcm-x86_64.asm crypto/modes/ghash-x86_64.asm crypto/poly1305/poly1305-x86_64.asm crypto/rc4/rc4-md5-x86_64.asm crypto/rc4/rc4-x86_64.asm crypto/sha/keccak1600-x86_64.asm crypto/sha/sha1-mb-x86_64.asm crypto/sha/sha1-x86_64.asm crypto/sha/sha256-mb-x86_64.asm crypto/sha/sha256-x86_64.asm crypto/sha/sha512-x86_64.asm crypto/uplink-x86_64.asm crypto/whrlpool/wp-x86_64.asm crypto/x86_64cpuid.asm engines/e_padlock-x86_64.asm libcrypto.def libcrypto.rc libssl.def libssl.rc test/buildtest_aes.c test/buildtest_asn1.c test/buildtest_asn1t.c test/buildtest_async.c test/buildtest_bio.c test/buildtest_blowfish.c test/buildtest_bn.c test/buildtest_buffer.c test/buildtest_camellia.c test/buildtest_cast.c test/buildtest_cmac.c test/buildtest_cms.c test/buildtest_comp.c test/buildtest_conf.c test/buildtest_conf_api.c test/buildtest_crypto.c test/buildtest_ct.c test/buildtest_des.c test/buildtest_dh.c test/buildtest_dsa.c test/buildtest_dtls1.c test/buildtest_e_os2.c test/buildtest_ebcdic.c test/buildtest_ec.c test/buildtest_ecdh.c test/buildtest_ecdsa.c test/buildtest_engine.c test/buildtest_evp.c test/buildtest_hmac.c test/buildtest_idea.c test/buildtest_kdf.c test/buildtest_lhash.c test/buildtest_md4.c test/buildtest_md5.c test/buildtest_mdc2.c test/buildtest_modes.c test/buildtest_obj_mac.c test/buildtest_objects.c test/buildtest_ocsp.c test/buildtest_opensslv.c test/buildtest_ossl_typ.c 
test/buildtest_pem.c test/buildtest_pem2.c test/buildtest_pkcs12.c test/buildtest_pkcs7.c test/buildtest_rand.c test/buildtest_rand_drbg.c test/buildtest_rc2.c test/buildtest_rc4.c test/buildtest_ripemd.c test/buildtest_rsa.c test/buildtest_safestack.c test/buildtest_seed.c test/buildtest_sha.c test/buildtest_srp.c test/buildtest_srtp.c test/buildtest_ssl.c test/buildtest_ssl2.c test/buildtest_stack.c test/buildtest_store.c test/buildtest_symhacks.c test/buildtest_tls1.c test/buildtest_ts.c test/buildtest_txt_db.c test/buildtest_ui.c test/buildtest_whrlpool.c test/buildtest_x509.c test/buildtest_x509_vfy.c test/buildtest_x509v3.c tools/c_rehash.pl providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c

 PERLASM_SCHEME= auto
@@ -30,6 +30,9 @@ include/openssl/bio.h: include/openssl/bio.h.in configdata.pm
 include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
+include/openssl/comp.h: include/openssl/comp.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/comp.h.in" > $@
 include/openssl/cms.h: include/openssl/cms.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cms.h.in" > $@

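Review bot: The `include/openssl/comp.h` rule added in this hunk is the third copy of the same three lines in this patch, differing from the `cmp.h` rule only in the file name. If these files are processed by GNU make, a single pattern rule of the form `include/openssl/%.h: include/openssl/%.h.in configdata.pm` would cover every template and avoid a new rule per header each time OpenSSL adds one; otherwise a comment stating that the rules are maintained by hand would help, given that the files themselves say not to edit them.
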
but this now errors on the next header that is now generated but wasn't before:

../deps/openssl/openssl/ssl/t1_lib.c:16:10: fatal error: openssl/core_names.h: No such file or directory
   16 | #include <openssl/core_names.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

Comparing all of the *.in files between OpenSSL 3.0 (from a v20.x-staging checkout) and 3.5:

--- ../openssl30.in.sort.txt    2025-04-10 12:27:12.373225504 +0000
+++ ../openssl35.in.sort.txt    2025-04-10 12:27:23.287465350 +0000
@@ -1,6 +1,7 @@
 deps/openssl/openssl/apps/CA.pl.in
 deps/openssl/openssl/apps/tsget.in
 deps/openssl/openssl/configdata.pm.in
+deps/openssl/openssl/crypto/params_idx.c.in
 deps/openssl/openssl/doc/build.info.in
 deps/openssl/openssl/doc/man1/openssl-asn1parse.pod.in
 deps/openssl/openssl/doc/man1/openssl-ca.pod.in
@@ -44,6 +45,7 @@
 deps/openssl/openssl/doc/man1/openssl-rsautl.pod.in
 deps/openssl/openssl/doc/man1/openssl-s_client.pod.in
 deps/openssl/openssl/doc/man1/openssl-sess_id.pod.in
+deps/openssl/openssl/doc/man1/openssl-skeyutl.pod.in
 deps/openssl/openssl/doc/man1/openssl-smime.pod.in
 deps/openssl/openssl/doc/man1/openssl-speed.pod.in
 deps/openssl/openssl/doc/man1/openssl-spkac.pod.in
@@ -56,15 +58,23 @@
 deps/openssl/openssl/doc/man1/openssl-version.pod.in
 deps/openssl/openssl/doc/man1/openssl-x509.pod.in
 deps/openssl/openssl/doc/man7/openssl_user_macros.pod.in
+deps/openssl/openssl/exporters/cmake/OpenSSLConfig.cmake.in
+deps/openssl/openssl/exporters/cmake/OpenSSLConfigVersion.cmake.in
+deps/openssl/openssl/exporters/pkg-config/libcrypto.pc.in
+deps/openssl/openssl/exporters/pkg-config/libssl.pc.in
+deps/openssl/openssl/exporters/pkg-config/openssl.pc.in
 deps/openssl/openssl/include/crypto/bn_conf.h.in
 deps/openssl/openssl/include/crypto/dso_conf.h.in
+deps/openssl/openssl/include/internal/param_names.h.in
 deps/openssl/openssl/include/openssl/asn1.h.in
 deps/openssl/openssl/include/openssl/asn1t.h.in
 deps/openssl/openssl/include/openssl/bio.h.in
 deps/openssl/openssl/include/openssl/cmp.h.in
 deps/openssl/openssl/include/openssl/cms.h.in
+deps/openssl/openssl/include/openssl/comp.h.in
 deps/openssl/openssl/include/openssl/conf.h.in
 deps/openssl/openssl/include/openssl/configuration.h.in
+deps/openssl/openssl/include/openssl/core_names.h.in
 deps/openssl/openssl/include/openssl/crmf.h.in
 deps/openssl/openssl/include/openssl/crypto.h.in
 deps/openssl/openssl/include/openssl/ct.h.in
@@ -80,26 +90,34 @@
 deps/openssl/openssl/include/openssl/srp.h.in
 deps/openssl/openssl/include/openssl/ssl.h.in
 deps/openssl/openssl/include/openssl/ui.h.in
+deps/openssl/openssl/include/openssl/x509_acert.h.in
 deps/openssl/openssl/include/openssl/x509.h.in
 deps/openssl/openssl/include/openssl/x509v3.h.in
 deps/openssl/openssl/include/openssl/x509_vfy.h.in
+deps/openssl/openssl/makefile.in
+deps/openssl/openssl/Makefile.in
 deps/openssl/openssl/providers/common/der/der_digests_gen.c.in
 deps/openssl/openssl/providers/common/der/der_dsa_gen.c.in
 deps/openssl/openssl/providers/common/der/der_ec_gen.c.in
 deps/openssl/openssl/providers/common/der/der_ecx_gen.c.in
+deps/openssl/openssl/providers/common/der/der_ml_dsa_gen.c.in
 deps/openssl/openssl/providers/common/der/der_rsa_gen.c.in
+deps/openssl/openssl/providers/common/der/der_slh_dsa_gen.c.in
 deps/openssl/openssl/providers/common/der/der_sm2_gen.c.in
 deps/openssl/openssl/providers/common/der/der_wrap_gen.c.in
 deps/openssl/openssl/providers/common/include/prov/der_digests.h.in
 deps/openssl/openssl/providers/common/include/prov/der_dsa.h.in
 deps/openssl/openssl/providers/common/include/prov/der_ec.h.in
 deps/openssl/openssl/providers/common/include/prov/der_ecx.h.in
+deps/openssl/openssl/providers/common/include/prov/der_ml_dsa.h.in
 deps/openssl/openssl/providers/common/include/prov/der_rsa.h.in
+deps/openssl/openssl/providers/common/include/prov/der_slh_dsa.h.in
 deps/openssl/openssl/providers/common/include/prov/der_sm2.h.in
 deps/openssl/openssl/providers/common/include/prov/der_wrap.h.in
 deps/openssl/openssl/test/dane-cross.in
 deps/openssl/openssl/test/danetest.in
 deps/openssl/openssl/test/provider_internal_test.cnf.in
+deps/openssl/openssl/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
 deps/openssl/openssl/test/ssl-tests/01-simple.cnf.in
 deps/openssl/openssl/test/ssl-tests/02-protocol-version.cnf.in
 deps/openssl/openssl/test/ssl-tests/03-custom_verify.cnf.in
@@ -130,10 +148,9 @@
 deps/openssl/openssl/test/ssl-tests/28-seclevel.cnf.in
 deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in
 deps/openssl/openssl/test/ssl-tests/30-extended-master-secret.cnf.in
+deps/openssl/openssl/test/ssl-tests/32-compressed-certificate.cnf.in
 deps/openssl/openssl/tools/c_rehash.in
-deps/openssl/openssl/util/local_shlib.com.in
 deps/openssl/openssl/util/shlib_wrap.sh.in
-deps/openssl/openssl/util/unlocal_shlib.com.in
 deps/openssl/openssl/util/wrap.pl.in
 deps/openssl/openssl/VMS/openssl_ivp.com.in
 deps/openssl/openssl/VMS/openssl_shutdown.com.in
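
The template comparison in the comment above can be turned into a check that a hand-maintained Makefile covers every public header template. This is an added example, not part of the thread or of the Node.js or OpenSSL build scripts; the function name `missing_header_rules`, the file names, and the sample listing and Makefile excerpt are constructed for illustration.

```sh
#!/bin/sh
# Added example; not Node.js or OpenSSL project code.
# Checks a hand-maintained Makefile against a listing of *.in templates and
# reports public headers (include/openssl/<name>.h.in) that it does not cover.

# missing_header_rules LISTING MAKEFILE
# Prints "<target> <gap>..." for every header that lacks a generation rule
# ("no-rule") or is absent from GENERATED_MANDATORY ("not-listed").
missing_header_rules() {
    listing=$1
    makefile=$2
    # Keep include/openssl/<name>.h.in only; drop the tree prefix and ".in".
    sed -n 's|^.*\(include/openssl/[^/]*\.h\)\.in$|\1|p' "$listing" |
    LC_ALL=C sort -u |
    while IFS= read -r target; do
        # A rule is a line beginning with "<target>:" (literal match, no regex).
        has_rule=$(awk -v t="$target:" \
            'index($0, t) == 1 { f = 1 } END { print f + 0 }' "$makefile")
        # The list is one long line of space-separated paths.
        listed=$(awk -v t="$target" '
            sub(/^GENERATED_MANDATORY=/, "") {
                for (i = 1; i <= NF; i++) if ($i == t) f = 1
            }
            END { print f + 0 }' "$makefile")
        gaps=""
        [ "$has_rule" -eq 1 ] || gaps="$gaps no-rule"
        [ "$listed" -eq 1 ] || gaps="$gaps not-listed"
        [ -z "$gaps" ] || printf '%s%s\n' "$target" "$gaps"
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed listing, in the format of the thread's sorted *.in file lists.
    cat > "$dir/templates.txt" <<'EOF'
deps/openssl/openssl/doc/man1/openssl-skeyutl.pod.in
deps/openssl/openssl/include/internal/param_names.h.in
deps/openssl/openssl/include/openssl/cmp.h.in
deps/openssl/openssl/include/openssl/comp.h.in
deps/openssl/openssl/include/openssl/core_names.h.in
deps/openssl/openssl/include/openssl/x509_acert.h.in
deps/openssl/openssl/providers/common/include/prov/der_ml_dsa.h.in
EOF
    # Constructed Makefile excerpt: comp.h is listed but has no rule yet.
    cat > "$dir/Makefile_sample" <<'EOF'
GENERATED_MANDATORY=include/crypto/bn_conf.h include/openssl/cmp.h include/openssl/comp.h include/openssl/x509.h
include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
EOF
    missing_header_rules "$dir/templates.txt" "$dir/Makefile_sample"
    rm -rf "$dir"
}

demo
```

Templates outside include/openssl, such as include/internal/param_names.h.in in the sample, are deliberately ignored by this check and need their own review.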

@khaosdoctor
Member

That's one big PR 🤯

@jasnell
Member

jasnell commented Apr 10, 2025

Ummmm..... good lord. It's going to be quite difficult to review this, unfortunately. The GitHub UI hangs and crashes whenever I try to open the changes tab.

@richardlau
Member

Unfortunately I've run out of time before being out until after Easter. At least for the next few days I'm unlikely to be online.

This is as far as I've got (adding core_names.h and x509_acert.h):

diff --git a/deps/openssl/config/Makefile b/deps/openssl/config/Makefile
index 48d2af80019..e1ad0bb8e90 100644
--- a/deps/openssl/config/Makefile
+++ b/deps/openssl/config/Makefile
@@ -37,9 +37,9 @@ OPSSL_SRC = ../openssl
 # Header files generated with Configure
 #INT_CFGS = bn_conf.h dso_conf.h
 INT_CFG_DIR = $(OPSSL_SRC)/include/crypto
-GEN_HEADERS = asn1 asn1t bio cmp cms configuration conf crmf crypto ct err    \
-              ess fipskey lhash ocsp opensslv pkcs12 pkcs7 safestack srp ssl  \
-             ui x509 x509v3 x509_vfy conf
+GEN_HEADERS = asn1 asn1t bio comp cmp cms conf configuration core_names crmf \
+              crypto ct err ess fipskey lhash ocsp opensslv pkcs12 pkcs7 \
+              safestack srp ssl ui x509_acert x509 x509v3 x509_vfy

 CRYPTO_GEN_HEADERS = bn_conf dso_conf

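Review bot: GEN_HEADERS cannot express the new `include/internal/param_names.h.in` and `crypto/params_idx.c.in` templates shown in the comparison earlier in the thread, assuming the list maps only to `include/openssl/*.h`. Suggest recording in this Makefile (or the PR description) how those two files are generated, so they are not overlooked once the public headers build.
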
diff --git a/deps/openssl/config/Makefile_VC-WIN32 b/deps/openssl/config/Makefile_VC-WIN32
index fdbef72361b..7584152ac3f 100644
--- a/deps/openssl/config/Makefile_VC-WIN32
+++ b/deps/openssl/config/Makefile_VC-WIN32
@@ -1,7 +1,7 @@
 BLDDIR=.
 PERL=perl
 RM= rm -f
-GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
+GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/comp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/core_names.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_acert.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
 GENERATED=apps/CA.pl apps/openssl.rc apps/progs.h apps/tsget.pl crypto/aes/aes-586.asm crypto/aes/aesni-x86.asm crypto/aes/vpaes-x86.asm crypto/bf/bf-586.asm crypto/bn/bn-586.asm crypto/bn/co-586.asm crypto/bn/x86-gf2m.asm crypto/bn/x86-mont.asm crypto/buildinf.h crypto/camellia/cmll-x86.asm crypto/chacha/chacha-x86.asm crypto/des/crypt586.asm crypto/des/des-586.asm crypto/ec/ecp_nistz256-x86.asm crypto/md5/md5-586.asm crypto/modes/ghash-x86.asm crypto/poly1305/poly1305-x86.asm crypto/rc4/rc4-586.asm crypto/ripemd/rmd-586.asm crypto/sha/sha1-586.asm crypto/sha/sha256-586.asm crypto/sha/sha512-586.asm crypto/whrlpool/wp-mmx.asm crypto/x86cpuid.asm engines/capi.def engines/dasync.def engines/e_padlock-x86.asm engines/ossltest.def engines/padlock.def libcrypto.def libcrypto.rc libssl.def libssl.rc test/buildtest_aes.c test/buildtest_asn1.c test/buildtest_asn1t.c test/buildtest_async.c test/buildtest_bio.c test/buildtest_blowfish.c test/buildtest_bn.c test/buildtest_buffer.c test/buildtest_camellia.c test/buildtest_cast.c test/buildtest_cmac.c test/buildtest_cms.c test/buildtest_comp.c test/buildtest_conf.c test/buildtest_conf_api.c test/buildtest_crypto.c test/buildtest_ct.c test/buildtest_des.c test/buildtest_dh.c test/buildtest_dsa.c test/buildtest_dtls1.c test/buildtest_e_os2.c test/buildtest_ebcdic.c test/buildtest_ec.c test/buildtest_ecdh.c test/buildtest_ecdsa.c test/buildtest_engine.c test/buildtest_evp.c test/buildtest_hmac.c test/buildtest_idea.c test/buildtest_kdf.c test/buildtest_lhash.c test/buildtest_md4.c test/buildtest_md5.c test/buildtest_mdc2.c test/buildtest_modes.c test/buildtest_obj_mac.c test/buildtest_objects.c test/buildtest_ocsp.c test/buildtest_opensslv.c test/buildtest_ossl_typ.c test/buildtest_pem.c test/buildtest_pem2.c test/buildtest_pkcs12.c test/buildtest_pkcs7.c test/buildtest_rand.c test/buildtest_rand_drbg.c test/buildtest_rc2.c test/buildtest_rc4.c test/buildtest_ripemd.c test/buildtest_rsa.c test/buildtest_safestack.c 
test/buildtest_seed.c test/buildtest_sha.c test/buildtest_srp.c test/buildtest_srtp.c test/buildtest_ssl.c test/buildtest_ssl2.c test/buildtest_stack.c test/buildtest_store.c test/buildtest_symhacks.c test/buildtest_tls1.c test/buildtest_ts.c test/buildtest_txt_db.c test/buildtest_ui.c test/buildtest_whrlpool.c test/buildtest_x509.c test/buildtest_x509_vfy.c test/buildtest_x509v3.c tools/c_rehash.pl providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c

 # Variables starting with LIB_ are used to build library object files
@@ -54,6 +54,9 @@ include/openssl/bio.h: include/openssl/bio.h.in configdata.pm
 include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
+include/openssl/comp.h: include/openssl/comp.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/comp.h.in" > $@
 include/openssl/cms.h: include/openssl/cms.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cms.h.in" > $@
@@ -66,6 +69,9 @@ include/openssl/conf.h: include/openssl/conf.h.in configdata.pm
 include/openssl/configuration.h: include/openssl/configuration.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/configuration.h.in" > $@
+include/openssl/core_names.h: include/openssl/core_names.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/core_names.h.in" > $@
 include/openssl/crmf.h: include/openssl/crmf.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/crmf.h.in" > $@
@@ -117,6 +123,9 @@ include/openssl/ui.h: include/openssl/ui.h.in configdata.pm
 include/openssl/x509.h: include/openssl/x509.h.in configdata.pm
        $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
            "-omakefile" "include/openssl/x509.h.in" > $@
+include/openssl/x509_acert.h: include/openssl/x509_acert.h.in configdata.pm
+       $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
+           "-omakefile" "include/openssl/x509_acert.h.in" > $@
 include/openssl/x509_vfy.h: include/openssl/x509_vfy.h.in configdata.pm
        $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
            "-omakefile" "include/openssl/x509_vfy.h.in" > $@
diff --git a/deps/openssl/config/Makefile_VC-WIN64-ARM b/deps/openssl/config/Makefile_VC-WIN64-ARM
index 52fc9cd9cf4..edc52c8ccf3 100644
--- a/deps/openssl/config/Makefile_VC-WIN64-ARM
+++ b/deps/openssl/config/Makefile_VC-WIN64-ARM
@@ -16,7 +16,7 @@ MINOR=1.1

 SHLIB_VERSION_NUMBER=1.1

-GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
+GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/comp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/core_names.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_acert.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
 GENERATED=crypto/buildinf.h apps/progs.h providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c apps/progs.c providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c

 INSTALL_LIBS="libcrypto.lib" "libssl.lib"
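Review bot: in the updated GENERATED_MANDATORY line, providers/common/include/prov/der_rsa.h is still listed twice, and include/openssl/comp.h is inserted between cmp.h and cms.h instead of after cms.h where the sort order puts it. The list gains three include/openssl headers but nothing new under providers/common/include/prov, and GENERATED is left unchanged. The build failures reported later in this thread on prov/der_ml_dsa.h and prov/der_slh_dsa.h suggest those generated headers need entries here as well.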
@@ -157,6 +157,9 @@ include/openssl/bio.h: include/openssl/bio.h.in configdata.pm
 include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
+include/openssl/comp.h: include/openssl/comp.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/comp.h.in" > $@
 include/openssl/cms.h: include/openssl/cms.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cms.h.in" > $@
@@ -169,6 +172,9 @@ include/openssl/conf.h: include/openssl/conf.h.in configdata.pm
 include/openssl/configuration.h: include/openssl/configuration.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/configuration.h.in" > $@
+include/openssl/core_names.h: include/openssl/core_names.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/core_names.h.in" > $@
 include/openssl/crmf.h: include/openssl/crmf.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/crmf.h.in" > $@
@@ -220,6 +226,9 @@ include/openssl/ui.h: include/openssl/ui.h.in configdata.pm
 include/openssl/x509.h: include/openssl/x509.h.in configdata.pm
        $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
            "-omakefile" "include/openssl/x509.h.in" > $@
+include/openssl/x509_acert.h: include/openssl/x509_acert.h.in configdata.pm
+       $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
+           "-omakefile" "include/openssl/x509_acert.h.in" > $@
 include/openssl/x509_vfy.h: include/openssl/x509_vfy.h.in configdata.pm
        $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
            "-omakefile" "include/openssl/x509_vfy.h.in" > $@
diff --git a/deps/openssl/config/Makefile_VC-WIN64A b/deps/openssl/config/Makefile_VC-WIN64A
index d8fde1e0f39..c5e2a83ac00 100644
--- a/deps/openssl/config/Makefile_VC-WIN64A
+++ b/deps/openssl/config/Makefile_VC-WIN64A
@@ -5,7 +5,7 @@ RM= rm -f
 AS=nasm
 ASFLAGS=-g

-GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
+GENERATED_MANDATORY=include/crypto/bn_conf.h include/crypto/dso_conf.h include/openssl/asn1.h include/openssl/asn1t.h include/openssl/bio.h include/openssl/cmp.h include/openssl/comp.h include/openssl/cms.h include/openssl/conf.h include/openssl/configuration.h include/openssl/core_names.h include/openssl/crmf.h include/openssl/crypto.h include/openssl/ct.h include/openssl/err.h include/openssl/ess.h include/openssl/fipskey.h include/openssl/lhash.h include/openssl/ocsp.h include/openssl/opensslv.h include/openssl/pkcs12.h include/openssl/pkcs7.h include/openssl/safestack.h include/openssl/srp.h include/openssl/ssl.h include/openssl/ui.h include/openssl/x509.h include/openssl/x509_acert.h include/openssl/x509_vfy.h include/openssl/x509v3.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_rsa.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_wrap.h
 GENERATED=apps/CA.pl apps/openssl.rc apps/progs.h apps/tsget.pl crypto/aes/aes-x86_64.asm crypto/aes/aesni-mb-x86_64.asm crypto/aes/aesni-sha1-x86_64.asm crypto/aes/aesni-sha256-x86_64.asm crypto/aes/aesni-x86_64.asm crypto/aes/bsaes-x86_64.asm crypto/aes/vpaes-x86_64.asm crypto/bn/rsaz-avx2.asm crypto/bn/rsaz-x86_64.asm crypto/bn/x86_64-gf2m.asm crypto/bn/x86_64-mont.asm crypto/bn/x86_64-mont5.asm crypto/buildinf.h crypto/camellia/cmll-x86_64.asm crypto/chacha/chacha-x86_64.asm crypto/ec/ecp_nistz256-x86_64.asm crypto/ec/x25519-x86_64.asm crypto/md5/md5-x86_64.asm crypto/modes/aesni-gcm-x86_64.asm crypto/modes/ghash-x86_64.asm crypto/poly1305/poly1305-x86_64.asm crypto/rc4/rc4-md5-x86_64.asm crypto/rc4/rc4-x86_64.asm crypto/sha/keccak1600-x86_64.asm crypto/sha/sha1-mb-x86_64.asm crypto/sha/sha1-x86_64.asm crypto/sha/sha256-mb-x86_64.asm crypto/sha/sha256-x86_64.asm crypto/sha/sha512-x86_64.asm crypto/uplink-x86_64.asm crypto/whrlpool/wp-x86_64.asm crypto/x86_64cpuid.asm engines/e_padlock-x86_64.asm libcrypto.def libcrypto.rc libssl.def libssl.rc test/buildtest_aes.c test/buildtest_asn1.c test/buildtest_asn1t.c test/buildtest_async.c test/buildtest_bio.c test/buildtest_blowfish.c test/buildtest_bn.c test/buildtest_buffer.c test/buildtest_camellia.c test/buildtest_cast.c test/buildtest_cmac.c test/buildtest_cms.c test/buildtest_comp.c test/buildtest_conf.c test/buildtest_conf_api.c test/buildtest_crypto.c test/buildtest_ct.c test/buildtest_des.c test/buildtest_dh.c test/buildtest_dsa.c test/buildtest_dtls1.c test/buildtest_e_os2.c test/buildtest_ebcdic.c test/buildtest_ec.c test/buildtest_ecdh.c test/buildtest_ecdsa.c test/buildtest_engine.c test/buildtest_evp.c test/buildtest_hmac.c test/buildtest_idea.c test/buildtest_kdf.c test/buildtest_lhash.c test/buildtest_md4.c test/buildtest_md5.c test/buildtest_mdc2.c test/buildtest_modes.c test/buildtest_obj_mac.c test/buildtest_objects.c test/buildtest_ocsp.c test/buildtest_opensslv.c test/buildtest_ossl_typ.c 
test/buildtest_pem.c test/buildtest_pem2.c test/buildtest_pkcs12.c test/buildtest_pkcs7.c test/buildtest_rand.c test/buildtest_rand_drbg.c test/buildtest_rc2.c test/buildtest_rc4.c test/buildtest_ripemd.c test/buildtest_rsa.c test/buildtest_safestack.c test/buildtest_seed.c test/buildtest_sha.c test/buildtest_srp.c test/buildtest_srtp.c test/buildtest_ssl.c test/buildtest_ssl2.c test/buildtest_stack.c test/buildtest_store.c test/buildtest_symhacks.c test/buildtest_tls1.c test/buildtest_ts.c test/buildtest_txt_db.c test/buildtest_ui.c test/buildtest_whrlpool.c test/buildtest_x509.c test/buildtest_x509_vfy.c test/buildtest_x509v3.c tools/c_rehash.pl providers/common/der/der_digests_gen.c providers/common/der/der_dsa_gen.c providers/common/der/der_ec_gen.c providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_sm2_gen.c providers/common/der/der_wrap_gen.c

 PERLASM_SCHEME= auto
@@ -30,6 +30,9 @@ include/openssl/bio.h: include/openssl/bio.h.in configdata.pm
 include/openssl/cmp.h: include/openssl/cmp.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cmp.h.in" > $@
+include/openssl/comp.h: include/openssl/comp.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/comp.h.in" > $@
 include/openssl/cms.h: include/openssl/cms.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/cms.h.in" > $@
@@ -42,6 +45,9 @@ include/openssl/conf.h: include/openssl/conf.h.in configdata.pm
 include/openssl/configuration.h: include/openssl/configuration.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/configuration.h.in" > $@
+include/openssl/core_names.h: include/openssl/core_names.h.in configdata.pm
+       "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
+           "-omakefile" "include/openssl/core_names.h.in" > $@
 include/openssl/crmf.h: include/openssl/crmf.h.in configdata.pm
        "$(PERL)" "-I$(BLDDIR)" -Mconfigdata "util/dofile.pl" \
            "-omakefile" "include/openssl/crmf.h.in" > $@
@@ -93,6 +99,9 @@ include/openssl/ui.h: include/openssl/ui.h.in configdata.pm
 include/openssl/x509.h: include/openssl/x509.h.in configdata.pm
        $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
            "-omakefile" "include/openssl/x509.h.in" > $@
+include/openssl/x509_acert.h: include/openssl/x509_acert.h.in configdata.pm
+       $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
+           "-omakefile" "include/openssl/x509_acert.h.in" > $@
 include/openssl/x509_vfy.h: include/openssl/x509_vfy.h.in configdata.pm
        $(PERL) -I$(BLDDIR) -Mconfigdata util/dofile.pl \
            "-omakefile" "include/openssl/x509_vfy.h.in" > $@

I haven't figured out where to put/generate include/internal/param_names.h.in. Or the providers/common/* files.

Unfortunately, regenerating the config with the above diff still fails to build:

In file included from ../deps/openssl/openssl/providers/common/digest_to_nid.c:16:
../deps/openssl/openssl/providers/common/include/prov/securitycheck.h:13:10: fatal error: fips/fipsindicator.h: No such file or directory
   13 | #include "fips/fipsindicator.h"
      |          ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[1]: *** [deps/openssl/openssl.target.mk:1327: /home/rlau/sandbox/github/node/out/Release/obj.target/openssl/deps/openssl/openssl/providers/common/digest_to_nid.o] Error 1
make[1]: *** Waiting for unfinished jobs....
In file included from ../deps/openssl/openssl/providers/common/securitycheck.c:21:
../deps/openssl/openssl/providers/common/include/prov/securitycheck.h:13:10: fatal error: fips/fipsindicator.h: No such file or directory
   13 | #include "fips/fipsindicator.h"
      |          ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from ../deps/openssl/openssl/providers/common/securitycheck_default.c:16:
../deps/openssl/openssl/providers/common/include/prov/securitycheck.h:13:10: fatal error: fips/fipsindicator.h: No such file or directory
   13 | #include "fips/fipsindicator.h"
      |          ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[1]: *** [deps/openssl/openssl.target.mk:1327: /home/rlau/sandbox/github/node/out/Release/obj.target/openssl/deps/openssl/openssl/providers/common/securitycheck.o] Error 1
make[1]: *** [deps/openssl/openssl.target.mk:1327: /home/rlau/sandbox/github/node/out/Release/obj.target/openssl/deps/openssl/openssl/providers/common/securitycheck_default.o] Error 1

fips/fipsindicator.h is not a generated file, so that probably indicates we need to update an include path somewhere and/or copy that file somewhere under our config.

Member Author

targos commented Apr 11, 2025

@jasnell

Ummmm..... good lord. It's going to be quite difficult to review this, unfortunately. The GitHub UI hangs and crashes whenever I try to open the changes tab.

Hopefully #57835 will already improve things a bit.

Member

jasnell commented Apr 12, 2025

Simply because I'm not able to go actually look at the files changed list yet without my browser crashing, I just wanted to ask... does this PR make any changes to the ncrypto or src/crypto files or is it JUST updating the dependency so far?

Member Author

targos commented Apr 12, 2025

Apart from 2d17835, the other commits only touch deps/openssl and are entirely auto-generated by the update script.

Member Author

targos commented Apr 15, 2025

New problems:

../../deps/openssl/openssl/providers/implementations/signature/ml_dsa_sig.c:21:10: fatal error: 'prov/der_ml_dsa.h' file not found
   21 | #include "prov/der_ml_dsa.h"
      |          ^~~~~~~~~~~~~~~~~~~
...
../../deps/openssl/openssl/providers/implementations/signature/slh_dsa_sig.c:17:10: fatal error: 'prov/der_slh_dsa.h' file not found
   17 | #include "prov/der_slh_dsa.h"
      |          ^~~~~~~~~~~~~~~~~~~~
1 error generated.

These headers must be generated from .h.in files, but they are not in the openssl/include directory.
Someone will probably have to work on the generate_headers.pl script.

@targos targos added the help wanted Issues that need assistance from volunteers or PRs that need help to proceed. label Apr 15, 2025
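The thread meets two kinds of missing header: one that exists in the tree but is not on an include path, and one that must first be generated from a `.h.in` template. The following is an added example, not part of this PR or of Node.js tooling, that sorts the quoted gcc and clang errors into those two cases against a file listing; the function names and the `SAMPLE_TREE` paths are constructed for illustration.

```python
import re
from pathlib import Path

# gcc:   fatal error: fips/fipsindicator.h: No such file or directory
# clang: fatal error: 'prov/der_ml_dsa.h' file not found
MISSING_RE = re.compile(
    r"fatal error: (?:'(?P<clang>[^']+)' file not found"
    r"|(?P<gcc>[^\s:]+): No such file or directory)"
)

# Error lines as quoted in the thread above (source paths shortened).
SAMPLE_LOG = """\
prov/securitycheck.h:13:10: fatal error: fips/fipsindicator.h: No such file or directory
prov/securitycheck.h:13:10: fatal error: fips/fipsindicator.h: No such file or directory
ml_dsa_sig.c:21:10: fatal error: 'prov/der_ml_dsa.h' file not found
slh_dsa_sig.c:17:10: fatal error: 'prov/der_slh_dsa.h' file not found
"""

# Constructed listing, NOT read from the real tree; use list_tree() for that.
SAMPLE_TREE = [
    "constructed/a/include/fips/fipsindicator.h",
    "constructed/b/include/prov/der_ml_dsa.h.in",
    "constructed/b/include/prov/der_slh_dsa.h.in",
]


def missing_headers(log):
    """Distinct headers the compiler could not find, in first-seen order."""
    found = {}
    for m in MISSING_RE.finditer(log):
        found.setdefault(m.group("clang") or m.group("gcc"))
    return list(found)


def list_tree(root):
    """Relative POSIX paths of every file under root (e.g. deps/openssl/openssl)."""
    root = Path(root)
    return [p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]


def _matches(files, name):
    """Files whose path is `name` or ends with `/name`."""
    return sorted(f for f in files if f == name or f.endswith("/" + name))


def triage(log, tree_files):
    """Map each missing header to (action, detail).

    add-include-dir: header exists; detail lists the directories to put on -I.
    generate:        only a .in template exists; detail lists the templates.
    unknown:         neither the header nor a template is in the listing.
    """
    files = set(tree_files)
    report = {}
    for header in missing_headers(log):
        present = _matches(files, header)
        templates = _matches(files, header + ".in")
        if present:
            roots = [f[: -len(header)].rstrip("/") or "." for f in present]
            report[header] = ("add-include-dir", roots)
        elif templates:
            report[header] = ("generate", templates)
        else:
            report[header] = ("unknown", [])
    return report
```

Passing `list_tree("deps/openssl/openssl")` as the second argument to `triage` runs the same check against the vendored tree instead of the constructed listing.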