openssl: update to 3.0.17

ci_config.json

@@ -1115,11 +1115,13 @@
       "nasm",
       "patch",
       "perl",
-      "perl-text-template"
+      "perl-text-template",
+      "rsync"
     ],
     "debian_packages": [
       "libtext-template-perl",
-      "nasm"
+      "nasm",
+      "rsync"
     ],
     "build_options": [
       "openssl:build_cli=true"

releases.json

@@ -3234,6 +3234,7 @@
       "openssl"
     ],
     "versions": [
+      "3.0.17-1",
       "3.0.8-3",
       "3.0.8-2",
       "3.0.8-1",

subprojects/openssl.wrap

@@ -1,8 +1,9 @@
 [wrap-file]
-directory = openssl-3.0.8
-source_url = https://www.openssl.org/source/openssl-3.0.8.tar.gz
-source_filename = openssl-3.0.8.tar.gz
-source_hash = 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
+directory = openssl-3.0.17
+node_version = v22.18.0
+source_url = https://github.com/openssl/openssl/releases/download/openssl-3.0.17/openssl-3.0.17.tar.gz
+source_filename = openssl-3.0.17.tar.gz
+source_hash = dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce
 patch_directory = openssl
 
 [provide]

subprojects/packagefiles/openssl/Makefile.patch

@@ -0,0 +1,59 @@
+diff --git a/deps/openssl/config/Makefile b/deps/openssl/config/Makefile
+index 48d2af80..8913d9c5 100644
+--- a/deps/openssl/config/Makefile
++++ b/deps/openssl/config/Makefile
+@@ -1,23 +1,33 @@
+-# This Makefile is confirmed to be run only on Linux (CentOS and
+-# Ubuntu). perl5 and gas(>=2.26) are needed.
++# This Makefile is confirmed to be run on Linux (CentOS and
++# Ubuntu), macOS, or on a MSYS2 shell.
++# perl5, nasm, and either gas(>=2.26) or LLVM(>= 9.0) are needed.
+
+-UNAME_S := $(shell uname -s)
+-ifneq ($(UNAME_S),Linux)
+-  $(error This can be run only on Linux)
++UNAME_S := $(shell uname -o)
++ifneq (, $(findstring Linux,$(UNAME_S)))
++	UNAME_OK:=true
++endif
++ifeq ($(UNAME_S),Msys)
++	UNAME_OK:=true
++endif
++ifeq ($(UNAME_S),Darwin)
++	UNAME_OK:=true
++endif
++ifneq ($(UNAME_OK),true)
++  $(error This can be run only on Linux, MSYS or macOS)
+ endif
+
+ PERL    = perl
+
+ # Supported architecture list
+-ASM_ARCHS = aix64-gcc-as BSD-x86 BSD-x86_64 \
++ASM_ARCHS = BSD-x86 BSD-x86_64 \
+ darwin64-x86_64-cc darwin-i386-cc darwin64-arm64-cc linux-aarch64 \
+-linux-armv4 linux-elf linux-x86_64 \
+-linux-ppc64le linux32-s390x linux64-s390x linux64-mips64\
+-solaris-x86-gcc solaris64-x86_64-gcc VC-WIN64A VC-WIN32
++linux-armv4 linux-elf linux-x32 linux-x86_64 linux-ppc \
++linux-ppc64le linux64-s390x linux64-mips64\
++solaris-x86-gcc solaris64-x86_64-gcc VC-WIN64A VC-WIN32 mingw mingw64
+
+ NO_ASM_ARCHS = VC-WIN64-ARM linux64-riscv64 linux64-loongarch64
+
+-CC = gcc
++CC ?= gcc
+ FAKE_GCC = ../config/fake_gcc.pl
+
+ CONFIGURE = ./Configure
+@@ -53,10 +63,6 @@ all: $(ASM_ARCHS) $(NO_ASM_ARCHS) generate_headers
+ $(ASM_ARCHS):
+ 	cd $(OPSSL_SRC); $(NO_WARN_ENV) CC=$(CC) $(PERL) $(CONFIGURE) $(COPTS) $@;
+ 	$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) asm $@ "${GEN_HEADERS}" "${CRYPTO_GEN_HEADERS}"
+-# Confgure asm_avx2 and generate upto avx2 support
+-	cd $(OPSSL_SRC); $(NO_WARN_ENV) CC=$(FAKE_GCC) $(PERL) $(CONFIGURE) \
+-	$(COPTS) $@;
+-	$(PERL) -w -I$(OPSSL_SRC) $(GENERATE) asm_avx2 $@ "${GEN_HEADERS}" "${CRYTO_GEN_HEADERS}"
+ # Configure no-asm and generate no-asm sources
+ 	cd $(OPSSL_SRC); $(NO_WARN_ENV) $(PERL) $(CONFIGURE) $(COPTS) \
+ 	no-asm $@;

subprojects/packagefiles/openssl/exclude-library-directive-msvc.patch

@@ -0,0 +1,13 @@
+diff --git a/util/mkdef.pl b/util/mkdef.pl
+index d9534674..eb98b1cf 100755
+--- a/util/mkdef.pl
++++ b/util/mkdef.pl
+@@ -299,8 +299,6 @@ sub writer_windows {
+ ; Definition file for the DLL version of the $libname library from OpenSSL
+ ;
+
+-LIBRARY         "$libname"
+-
+ EXPORTS
+ _____
+     for (@_) {

subprojects/packagefiles/openssl/generate_gypi.pl.patch

@@ -1,10 +1,101 @@
 diff --git a/openssl/config/generate_gypi.pl b/openssl/config/generate_gypi.pl
+index be7d357f..aafdc73d 100755
 --- a/openssl/config/generate_gypi.pl
 +++ b/openssl/config/generate_gypi.pl
-@@ -361,7 +361,35 @@
+@@ -27,13 +27,31 @@ my $arch = shift @ARGV;
+ my $nasm_banner = `nasm -v`;
+ die "Error: nasm is not installed." if (!$nasm_banner);
+
+-# gas version check
+-my $gas_version_min = 2.30;
+-my $gas_banner = `gcc -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`;
+-my ($gas_version) = ($gas_banner =~/GNU assembler version ([2-9]\.[0-9]+)/);
+-if ($gas_version < $gas_version_min) {
+-  die "Error: gas version $gas_version is too old." .
+-    "$gas_version_min or higher is required.";
++# gas/llvm-as version check
++my $gas_banner = `gcc -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`;
++if ($gas_banner) {
++  my $gas_version_min = 2.30;
++  my ($gas_version) = ($gas_banner =~/GNU assembler version ([2-9]\.[0-9]+)/);
++  if ($gas_version < $gas_version_min) {
++    die "Error: gas version $gas_version is too old." .
++      "$gas_version_min or higher is required.";
++  }
++} else {
++  my $llvm_version_min = 9.0;
++  my $llvm_banner = `clang -Wa,--version -c -o /dev/null -x assembler /dev/null 2>&1`;
++  my ($llvm_as_version) = ($llvm_banner =~/clang version ([0-9]+\.[0-9]+)/);
++  if ($llvm_as_version < $llvm_version_min) {
++    die "Error: LLVM $llvm_as_version is too old." .
++      "$llvm_version_min or higher is required."
++  }
++}
++
++# Set the compiler
++my $compiler;
++if ($gas_banner) {
++  $compiler = 'cc';
++} else {
++  $compiler = 'clang';
+ }
+
+ our $src_dir = "../openssl";
+@@ -108,6 +126,11 @@ if ($fips_ld ne "" and not $is_win) {
+        "$base_dir/providers/fips.ld") or die "Copy failed: $!";
+ }
+
++# list headers following the Makefile glob
++my @openssl_arch_headers = ();
++foreach my $obj (glob("$base_dir/include/openssl/*.{h,H}")) {
++  push(@openssl_arch_headers, substr($obj, length($base_dir) + 1));
++}
+
+ # read openssl source lists from configdata.pm
+ my @libapps_srcs = ();
+@@ -265,10 +288,36 @@ foreach my $obj (@{$unified_info{sources}->{'apps/openssl'}}) {
+   push(@apps_openssl_srcs, ${$unified_info{sources}->{$obj}}[0]);
+ }
+
++# msvc and mingw requires the .rc but none appears in
++# sources; we need to pluck them out of generate
++# (in 1.x this also included the .def but now it's Makefile generated)
++my @win_resources = grep {/(.rc$)/} (keys %{$unified_info{generate}});
++foreach my $src (@win_resources) {
++  # VC makefiles are intended for static files
++  # Execute the rules straight out of configdata
++  my $generation_cmd = join(" ", @{$unified_info{generate}->{$src}});
++  my $cmd = "cd ../openssl && $generation_cmd > $src && " .
++    "rsync -R $src ../config/archs/$arch/$asm && cd ../config";
++  system("$cmd") == 0 or die "Error in system($cmd)";
++}
++
++my $libssl_rc;
++if (exists $unified_info{generate}->{'libssl.rc'}) {
++  $libssl_rc = 'libssl.rc';
++} else {
++  $libssl_rc = '';
++}
++my $libcrypto_rc;
++if (exists $unified_info{generate}->{'libcrypto.rc'}) {
++  $libcrypto_rc = 'libcrypto.rc';
++} else {
++  $libcrypto_rc = '';
++}
++
+ # Generate all asm files and copy into config/archs
+ foreach my $src (@generated_srcs) {
+-  my $cmd = "cd ../openssl; CC=gcc ASM=nasm make -f $makefile $src;" .
+-    "cp --parents $src ../config/archs/$arch/$asm; cd ../config";
++  my $cmd = "cd ../openssl; CC=$compiler ASM=nasm make -f $makefile $src;" .
++    "rsync -R $src ../config/archs/$arch/$asm; cd ../config";
+   system("$cmd") == 0 or die "Error in system($cmd)";
+ }
+
+@@ -361,9 +410,40 @@ open(CLGYPI, "> ./archs/$arch/$asm/openssl-cl.gypi");
  print CLGYPI "$clgypi";
  close(CLGYPI);
-
+ 
 +# Create meson.build
 +my $mtemplate =
 +    Text::Template->new(TYPE => 'FILE',
@@ -15,11 +106,14 @@ diff --git a/openssl/config/generate_gypi.pl b/openssl/config/generate_gypi.pl
 +my $meson = $mtemplate->fill_in(
 +    HASH => {
 +        libssl_srcs => \@libssl_srcs,
++        libssl_rc => \$libssl_rc,
 +        libcrypto_srcs => \@libcrypto_srcs,
 +        lib_defines => \@lib_defines,
++        libcrypto_rc => \$libcrypto_rc,
 +        generated_srcs => \@generated_srcs,
 +        apps_openssl_srcs => \@apps_openssl_srcs,
 +        libapps_srcs => \@libapps_srcs,
++        openssl_arch_headers => \@openssl_arch_headers,
 +        config => \%config,
 +        target => \%target,
 +        cflags => \@cflags,
@@ -38,3 +132,5 @@ diff --git a/openssl/config/generate_gypi.pl b/openssl/config/generate_gypi.pl
 -    "git clean -f $src_dir/crypto";
 +    "git clean -f crypto";
  system($cmd2) == 0 or die "Error in system($cmd2)";
+
+

subprojects/packagefiles/openssl/generator.sh

@@ -1,35 +1,54 @@
 #!/bin/bash
 set -e
+set -x
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
 # Node.js version should bundle OpenSSL of matching version to one specified in wrap file
-node_version=v19.7.0
+node_version="$NODE_VERSION"
 openssl_version="$OPENSSL_VERSION"
 
 if [ -z "$openssl_version" ]; then
-  openssl_version=$(grep 'directory = ' ../../openssl.wrap | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+  openssl_version=$(grep 'directory = ' ../../openssl.wrap | grep -oE '[0-9]+\.[0-9]+\.[0-9]+[a-z]?')
+  node_version=$(grep 'node_version = ' ../../openssl.wrap | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+')
 fi
 
-rm -rf node
-git clone --depth 1 --branch $node_version https://github.com/nodejs/node.git
+if [ ! -d "node" ]; then
+  git clone --depth 1 --branch $node_version https://github.com/nodejs/node.git
+else
+  pushd node
+  git checkout -f $node_version
+  popd
+fi
 
 rm -rf generated-config
 
 pushd node/deps/openssl
 
 # Apply patch that will allow us generate `meson.build` for different targets
+patch -u config/Makefile -i ../../../Makefile.patch
 patch -u config/generate_gypi.pl -i ../../../generate_gypi.pl.patch
 # Copy `meson.build` template file
 cp ../../../meson.build.tmpl config/
 
 # Swap bundled OpenSSL in Node.js with upstream
-rm -rf openssl
-git clone --depth 1 --branch "openssl-$openssl_version" https://github.com/openssl/openssl.git
+if [ -d "openssl" ]; then
+  if [ ! -d "openssl/.git" ]; then
+    rm -rf "openssl"
+    git clone --depth 1 --branch "openssl-$openssl_version" https://github.com/openssl/openssl.git
+  fi
+fi
 
 python3 ../../../generate_def.py --fixup-crypto < openssl/util/libcrypto.num > ../../../crypto.def
 python3 ../../../generate_def.py < openssl/util/libssl.num > ../../../ssl.def
 
+pushd openssl
+pwd
+git checkout -f "openssl-$openssl_version" 
+# Apply patch to block OpenSSL from renaming the Windows DLLs
+patch -p1 -i ../../../../exclude-library-directive-msvc.patch
+popd
+
 rm -rf config/archs
 LANG=C make -C config
 
@@ -39,17 +58,13 @@ find config/archs -name 'meson.build' -exec sh -c "$cmd" _ignored {} \;
 find config/archs -name '*.asm' -exec sh -c "$cmd" _ignored {} \;
 find config/archs -name '*.c' -exec sh -c "$cmd" _ignored {} \;
 find config/archs -name '*.h' -exec sh -c "$cmd" _ignored {} \;
-find config/archs -iname '*.s' -exec sh -c "$cmd" _ignored {} \;
-
-# AIX is not supported by Meson
-rm -rf ../../../generated-config/archs/aix*
-# 32-bit s390x supported in Meson
-rm -rf ../../../generated-config/archs/linux32-s390x
-# This is for old gas/nasm versions, we do not care about them
-rm -rf ../../../generated-config/archs/*/asm_avx2
+find config/archs -name '*.s' -exec sh -c "$cmd" _ignored {} \;
+find config/archs -name '*.rc' -exec sh -c "$cmd" _ignored {} \;
+
 # Remove build info files, we use hardcoded deterministic one instead
 rm -rf ../../../generated-config/archs/*/*/crypto/buildinf.h
 
 popd
 
-rm -rf node
+# Comment this line out when testing, so that it avoids repeated clones
+# rm -rf node