diff --git a/.github/workflows/update-openssl.yml b/.github/workflows/update-openssl.yml index 856a486dcc6d62..f4f198104bfd23 100644 --- a/.github/workflows/update-openssl.yml +++ b/.github/workflows/update-openssl.yml @@ -35,7 +35,7 @@ jobs: author: Node.js GitHub Bot body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}. branch: actions/tools-update-openssl # Custom branch *just* for this Action. - commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}' + commit-message: 'deps: upgrade openssl sources to openssl-${{ env.NEW_VERSION }}' labels: dependencies, openssl title: 'deps: update OpenSSL to ${{ env.NEW_VERSION }}' path: deps/openssl diff --git a/doc/contributing/maintaining/maintaining-openssl.md b/doc/contributing/maintaining/maintaining-openssl.md index 2814634dd76a03..aba013bb3c58e0 100644 --- a/doc/contributing/maintaining/maintaining-openssl.md +++ b/doc/contributing/maintaining/maintaining-openssl.md @@ -4,28 +4,6 @@ OpenSSL is automatically updated by the [update-openssl-action][]. There is also a script in `tools/dep_updaters` that can be used to update it. This document describes how to manually update `deps/openssl/`. -If you need to provide updates across all active release lines you will -currently need to generate four PRs as follows: - -* a PR for `main` which is generated following the instructions - below for OpenSSL 3.x.x. -* a PR for 18.x following the instructions in the v18.x-staging version - of this guide. -* a PR for 16.x following the instructions in the v16.x-staging version - of this guide. - -## Use of the quictls/openssl fork - -Node.js currently uses the quictls/openssl fork, which closely tracks -the main openssl/openssl releases with the addition of APIs to support -the QUIC protocol. - -Details on the fork, as well as the latest sources, can be found at -. - -Branches are used per OpenSSL version (for instance, -). - ## Requirements * Linux environment. 
@@ -52,35 +30,33 @@ NASM version 2.11.08 ## 1. Obtain and extract new OpenSSL sources -Get a new source from +Get a new source from and copy all files into `deps/openssl/openssl`. Then add all files and commit them. (The link above, and the branch, will change with each new OpenSSL release). -### OpenSSL 3.x.x - ```bash -git clone https://github.com/quictls/openssl +git clone https://github.com/openssl/openssl cd openssl cd ../node/deps/openssl rm -rf openssl cp -R ../../../openssl openssl -rm -rf openssl/.git* openssl/.travis* +rm -rf openssl/.git* git add --all openssl git commit openssl ``` ```text -deps: upgrade openssl sources to quictls/openssl-3.0.5+quic +deps: upgrade openssl sources to openssl-3.0.16 This updates all sources in deps/openssl/openssl by: - $ git clone git@github.com:quictls/openssl.git + $ git clone git@github.com:openssl/openssl.git $ cd openssl - $ git checkout openssl-3.0.5+quic + $ git checkout openssl-3.0.16 $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../../../openssl openssl - $ rm -rf openssl/.git* openssl/.travis* + $ rm -rf openssl/.git* $ git add --all openssl $ git commit openssl ``` @@ -99,7 +75,8 @@ make -C deps/openssl/config clean make -C deps/openssl/config ``` -**Note**: If the 32-bit Windows is failing to compile run this workflow instead: +Fix up 32-bit Windows assembler directives. This will allow the commits to be +cherry-picked to older release lines that still provide binaries on 32-bit Windows. ```bash make -C deps/openssl/config clean @@ -140,10 +117,8 @@ git commit The commit message can be written as (with the openssl version set to the relevant value): -### OpenSSL 3.x.x - ```text -deps: update archs files for quictls/openssl-3.0.5+quic +deps: update archs files for openssl-3.0.16 After an OpenSSL source update, all the config files need to be regenerated and committed by:
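Review bot: In the .github/workflows/update-openssl.yml hunk, only the commit-message string changes from `quictls/openssl-${{ env.NEW_VERSION }}` to `openssl-${{ env.NEW_VERSION }}`, and nothing in this diff touches the step that fetches the sources. Confirm that the updater this action runs already pulls from openssl/openssl. Otherwise the generated commit message will name a source that was not the one used.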
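Review bot: The maintaining-openssl.md hunk at @@ -4,28 +4,6 deletes the only guidance on updating other release lines (the list covering `main`, 18.x and 16.x) without a replacement, while the reworded 32-bit Windows paragraph later in this patch still refers to cherry-picking to older release lines. Keep one sentence here saying how an update is expected to reach those lines, so the cherry-pick remark has something to refer to.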
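Review bot: In the maintaining-openssl.md hunk at @@ -52,35 +30,33, the bash block goes from `cd openssl` straight to `cd ../node/deps/openssl` with no checkout, so following it copies whatever the default branch of the clone holds, while the commit message template records `git checkout openssl-3.0.16`. Add the release tag checkout to the bash block so the vendored tree matches the version named in the commit message. The bash block also clones `https://github.com/openssl/openssl` while the template records `git@github.com:openssl/openssl.git`; using one form in both keeps the recorded steps identical to the ones that were run.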
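Review bot: In the maintaining-openssl.md hunk at @@ -99,7 +75,8, the new sentence "Fix up 32-bit Windows assembler directives." reads as an additional step, but the block that follows begins with `make -C deps/openssl/config clean` again, and the note it replaces said to run that workflow "instead". State whether this block replaces the preceding make commands or runs after them, and name the command in it that performs the fix-up, so a maintainer does not regenerate the config files twice or skip the fix-up.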