
From 77cbd12e600a599351ec3b0b0302c7fcd1f9ec0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Mon, 23 Nov 2020 11:57:32 +0100
Subject: [PATCH] Disable unsupported OpenSSL features
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Disable no-certificate PSK authentication
  There is no obvious way to reimplement it using only OpenSSL 1.0 public APIs.
- Disable queries for standard cipher name
  OpenSSL 1.0 does not record said names.
- Remove ClientHello getters
  The disabled functions internally use
  `SSL_client_hello_get0_ext`/`SSL_client_hello_get0_ciphers`,
  which are not available on legacy OpenSSL.
  There may be another way to get to the same data,
  but nothing jumps out in the OpenSSL 1.0.2 documentation.
- Remove TLSv1.3 CLI options
Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
 doc/api/cli.md                                 | 18 ------------------
 doc/api/tls.md                                 | 15 +++++++--------
 src/env.h                                      | 11 ++++++++++-
 src/node_crypto_common.cc                      | 12 ++++++++++++
 src/node_crypto_common.h                       |  6 ++++++
 src/node_options.cc                            | 10 +++++++++-
 .../test-tls-cli-max-version-1.3.js            |  0
 .../test-tls-cli-min-max-conflict.js           |  0
 .../test-tls-cli-min-version-1.3.js            |  0
 9 files changed, 44 insertions(+), 28 deletions(-)
 rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)
 rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)
 rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
diff --git a/doc/api/cli.md b/doc/api/cli.md
b24b2a
index e6d49feef6..47976c670b 100644
d744d0
--- a/doc/api/cli.md
d744d0
+++ b/doc/api/cli.md
b24b2a
@@ -810,14 +810,6 @@ added: v12.0.0
d744d0
 Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
d744d0
 TLSv1.3.
d744d0
 
d744d0
-### `--tls-max-v1.3`
d744d0
-
d744d0
-added: v12.0.0
d744d0
--->
d744d0
-
d744d0
-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
d744d0
-for TLSv1.3.
d744d0
-
d744d0
 ### `--tls-min-v1.0`
d744d0
 
d744d0
 added: v12.0.0
b24b2a
@@ -843,14 +835,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
d744d0
 12.x and later, but the option is supported for compatibility with older Node.js
d744d0
 versions.
d744d0
 
d744d0
-### `--tls-min-v1.3`
d744d0
-
d744d0
-added: v12.0.0
d744d0
--->
d744d0
-
d744d0
-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
d744d0
-for TLSv1.2, which is not as secure as TLSv1.3.
d744d0
-
d744d0
 ### `--trace-deprecation`
d744d0
 
d744d0
 added: v0.8.0
b24b2a
@@ -1234,11 +1218,9 @@ Node.js options that are allowed are:
d744d0
 * `--tls-cipher-list`
d744d0
 * `--tls-keylog`
d744d0
 * `--tls-max-v1.2`
d744d0
-* `--tls-max-v1.3`
d744d0
 * `--tls-min-v1.0`
d744d0
 * `--tls-min-v1.1`
d744d0
 * `--tls-min-v1.2`
d744d0
-* `--tls-min-v1.3`
d744d0
 * `--trace-deprecation`
d744d0
 * `--trace-event-categories`
d744d0
 * `--trace-event-file-pattern`
d744d0
diff --git a/doc/api/tls.md b/doc/api/tls.md
b24b2a
index 12d724e4d4..af3e42fcbe 100644
d744d0
--- a/doc/api/tls.md
d744d0
+++ b/doc/api/tls.md
b24b2a
@@ -1947,10 +1947,10 @@ added: v11.4.0
d744d0
 
d744d0
 * {string} The default value of the `maxVersion` option of
d744d0
   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
d744d0
-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
d744d0
-  **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
d744d0
-  `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets
d744d0
-  the default to `'TLSv1.3'`. If multiple of the options are provided, the
d744d0
+  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
d744d0
+  **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
d744d0
+  `--tls-max-v1.2` sets the default to `'TLSv1.2'`.
d744d0
+  If multiple of the options are provided, the
d744d0
   highest maximum is used.
d744d0
 
d744d0
 ## `tls.DEFAULT_MIN_VERSION`
b24b2a
@@ -1960,12 +1960,11 @@ added: v11.4.0
d744d0
 
d744d0
 * {string} The default value of the `minVersion` option of
d744d0
   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
d744d0
-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
d744d0
+  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
d744d0
   **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
d744d0
   `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
d744d0
-  the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
d744d0
-  `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
d744d0
-  used.
d744d0
+  the default to `'TLSv1.1'`. If multiple of the options are provided,
d744d0
+  the lowest minimum is used.
d744d0
 
b24b2a
 [`'newSession'`]: #tls_event_newsession
b24b2a
 [`'resumeSession'`]: #tls_event_resumesession
d744d0
diff --git a/src/env.h b/src/env.h
b24b2a
index d0c0a18796..3df8b45532 100644
d744d0
--- a/src/env.h
d744d0
+++ b/src/env.h
d744d0
@@ -51,6 +51,8 @@
d744d0
 #include <unordered_set>
d744d0
 #include <vector>
d744d0
 
d744d0
+#include <node-ssl-shim/ssl-shim.h>
d744d0
+
d744d0
 struct nghttp2_rcbuf;
d744d0
 
d744d0
 namespace node {
d744d0
@@ -148,6 +150,13 @@ constexpr size_t kFsStatsBufferLength =
d744d0
 // Make sure that any macro V defined for use with the PER_ISOLATE_* macros is
d744d0
 // undefined again after use.
d744d0
 
d744d0
+// Some symbols/strings are not defined when using legacy OpenSSL
d744d0
+#if OPENSSL_IS_LEGACY
d744d0
+#   define NODE_ENV_STANDARD_NAME_STRING
d744d0
+#else // OPENSSL_IS_LEGACY
d744d0
+#   define NODE_ENV_STANDARD_NAME_STRING V(standard_name_string, "standardName")
d744d0
+#endif // OPENSSL_IS_LEGACY
d744d0
+
d744d0
 // Private symbols are per-isolate primitives but Environment proxies them
d744d0
 // for the sake of convenience.  Strings should be ASCII-only and have a
d744d0
 // "node:" prefix to avoid name clashes with third-party code.
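Review bot: `#if OPENSSL_IS_LEGACY` at the top of this hunk silently selects the non-legacy branch whenever the macro is not defined at all, so a missing or misnamed shim header degrades to "define standardName" with no diagnostic rather than a build error. The same `#if !OPENSSL_IS_LEGACY` pattern recurs in the node_crypto_common.cc, node_crypto_common.h and node_options.cc hunks, and nothing in those hunks shows the shim header being included before the test (env.h includes `node-ssl-shim/ssl-shim.h` in the previous hunk, node_options.cc includes `node-ssl-shim/features.h`; presumably one pulls in the other, worth confirming). I would make the dependency explicit right after the include added in the previous hunk: `#ifndef OPENSSL_IS_LEGACY` / `#error "node-ssl-shim must define OPENSSL_IS_LEGACY"` / `#endif`, so every translation unit that tests the macro either sees a definition or fails loudly.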
b24b2a
@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =
d744d0
   V(sni_context_string, "sni_context")                                         \
d744d0
   V(source_string, "source")                                                   \
d744d0
   V(stack_string, "stack")                                                     \
d744d0
-  V(standard_name_string, "standardName")                                      \
d744d0
+  NODE_ENV_STANDARD_NAME_STRING                                                \
d744d0
   V(start_time_string, "startTime")                                            \
d744d0
   V(status_string, "status")                                                   \
d744d0
   V(stdio_string, "stdio")                                                     \
d744d0
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
b24b2a
index d1d9edd6cd..a5724a51fe 100644
d744d0
--- a/src/node_crypto_common.cc
d744d0
+++ b/src/node_crypto_common.cc
d744d0
@@ -210,6 +210,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
d744d0
   if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {
d744d0
     X509_free(peer_cert);
d744d0
     err = SSL_get_verify_result(ssl.get());
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
   } else {
d744d0
     const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());
d744d0
     const SSL_SESSION* sess = SSL_get_session(ssl.get());
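Review bot: With the `else` branch compiled out on legacy OpenSSL, a handshake that presents no peer certificate leaves `err` at whatever it was initialised to at the top of VerifyPeerCertificate, which is outside this hunk (the matching `#endif` sits in the next hunk). The removed branch was the only path that turned a certificate-less PSK handshake into `X509_V_OK`, so on legacy builds the result for that case is now decided entirely by an initialiser the reader cannot see here. Please document that at the `#if`: `// Legacy OpenSSL: no-certificate PSK is not supported, so a missing peer cert` / `// falls through with err unchanged (see its initialiser above).` If that initialiser is not a verification-failure value, confirm that a missing certificate does not read as a verified peer on legacy builds.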
d744d0
@@ -221,6 +222,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
d744d0
          SSL_session_reused(ssl.get()))) {
d744d0
       return X509_V_OK;
d744d0
     }
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
   }
d744d0
   return err;
d744d0
 }
d744d0
@@ -238,6 +240,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
d744d0
   return err;
d744d0
 }
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 const char* GetClientHelloALPN(const SSLPointer& ssl) {
d744d0
   const unsigned char* buf;
d744d0
   size_t len;
d744d0
@@ -284,6 +287,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
d744d0
     return nullptr;
d744d0
   return reinterpret_cast<const char*>(buf + 5);
d744d0
 }
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 const char* GetServerName(SSL* ssl) {
d744d0
   return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
b24b2a
@@ -405,11 +409,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
b24b2a
   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
d744d0
 }
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 MaybeLocal<Value> GetCipherStandardName(
d744d0
     Environment* env,
d744d0
     const SSL_CIPHER* cipher) {
b24b2a
   return GetCipherValue(env, cipher, SSL_CIPHER_standard_name);
d744d0
 }
b24b2a
+#endif  // !OPENSSL_IS_LEGACY
d744d0
 
b24b2a
 MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
b24b2a
   return GetCipherValue(env, cipher, SSL_CIPHER_get_version);
b24b2a
@@ -761,16 +767,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
d744d0
   return GetCipherName(env, SSL_get_current_cipher(ssl.get()));
d744d0
 }
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 MaybeLocal<Value> GetCipherStandardName(
d744d0
     Environment* env,
d744d0
     const SSLPointer& ssl) {
d744d0
   return GetCipherStandardName(env, SSL_get_current_cipher(ssl.get()));
d744d0
 }
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 MaybeLocal<Value> GetCipherVersion(Environment* env, const SSLPointer& ssl) {
d744d0
   return GetCipherVersion(env, SSL_get_current_cipher(ssl.get()));
d744d0
 }
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 MaybeLocal<Array> GetClientHelloCiphers(
d744d0
     Environment* env,
d744d0
     const SSLPointer& ssl) {
b24b2a
@@ -803,6 +812,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
d744d0
   Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
d744d0
   return scope.Escape(ret);
d744d0
 }
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 
d744d0
 MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
b24b2a
@@ -813,10 +823,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
d744d0
                   info,
d744d0
                   env->name_string(),
d744d0
                   GetCipherName(env, ssl)) ||
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
       !Set<Value>(env->context(),
d744d0
                   info,
d744d0
                   env->standard_name_string(),
d744d0
                   GetCipherStandardName(env, ssl)) ||
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
       !Set<Value>(env->context(),
d744d0
                   info,
d744d0
                   env->version_string(),
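Review bot: On legacy builds the object assembled by GetCipherInfo no longer carries a `standardName` property, which is a visible change to what callers of the cipher-info API (presumably `tls.getCipher()`) receive, yet the only documentation hunks in this patch are the DEFAULT_MIN/MAX_VERSION paragraphs in tls.md; the `standardName` description is not touched. Either note in the docs that the property is absent on legacy OpenSSL or add a comment at the `#if`: `// standardName is omitted on legacy OpenSSL (no SSL_CIPHER_standard_name)`. Also, the GetCipherStandardName hunk closes with `#endif  // !OPENSSL_IS_LEGACY` (two spaces) while every other guard in this patch uses one; pick one form. GetCipherInfo starts and ends outside this hunk.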
d744d0
diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
d744d0
index c373a97e47..220cb109bc 100644
d744d0
--- a/src/node_crypto_common.h
d744d0
+++ b/src/node_crypto_common.h
d744d0
@@ -73,15 +73,19 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
d744d0
 
d744d0
 int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 const char* GetClientHelloALPN(const SSLPointer& ssl);
d744d0
 
d744d0
 const char* GetClientHelloServerName(const SSLPointer& ssl);
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 const char* GetServerName(SSL* ssl);
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 v8::MaybeLocal<v8::Array> GetClientHelloCiphers(
d744d0
     Environment* env,
d744d0
     const SSLPointer& ssl);
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 bool SetGroups(SecureContext* sc, const char* groups);
d744d0
 
d744d0
@@ -97,9 +101,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(
d744d0
     Environment* env,
d744d0
     const SSLPointer& ssl);
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
 v8::MaybeLocal<v8::Value> GetCipherStandardName(
d744d0
     Environment* env,
d744d0
     const SSLPointer& ssl);
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 v8::MaybeLocal<v8::Value> GetCipherVersion(
d744d0
     Environment* env,
d744d0
diff --git a/src/node_options.cc b/src/node_options.cc
b24b2a
index 824004631f..6a4431f59b 100644
d744d0
--- a/src/node_options.cc
d744d0
+++ b/src/node_options.cc
d744d0
@@ -9,6 +9,8 @@
d744d0
 #include <sstream>
d744d0
 #include <cstdlib>  // strtoul, errno
d744d0
 
d744d0
+#include <node-ssl-shim/features.h>
d744d0
+
d744d0
 using v8::Boolean;
d744d0
 using v8::Context;
d744d0
 using v8::FunctionCallbackInfo;
d744d0
@@ -128,10 +130,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
d744d0
     errors->push_back("invalid value for --unhandled-rejections");
d744d0
   }
d744d0
 
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
   if (tls_min_v1_3 && tls_max_v1_2) {
d744d0
     errors->push_back("either --tls-min-v1.3 or --tls-max-v1.2 can be "
d744d0
                       "used, not both");
d744d0
   }
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 
d744d0
 #if HAVE_INSPECTOR
d744d0
   if (!cpu_prof) {
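Review bot: Dropping the min-v1.3/max-v1.2 conflict check is consistent with `--tls-min-v1.3` no longer being registered on legacy builds, but the `tls_min_v1_3` and `tls_max_v1_3` members stay in EnvironmentOptions (node_options.h is not in the diffstat) and whatever reads them on the JS side is not patched either. If lib/tls.js still queries those option names through getOptionValue, confirm that an unregistered name yields a falsy value rather than throwing at startup. A one-line comment at the `#if` would help the next reader: `// --tls-min-v1.3 is not registered on legacy OpenSSL, so this conflict cannot occur`. CheckOptions starts and ends outside this hunk.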
b24b2a
@@ -541,14 +545,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
d744d0
             "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
d744d0
             &EnvironmentOptions::tls_min_v1_2,
d744d0
             kAllowedInEnvironment);
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
   AddOption("--tls-min-v1.3",
d744d0
             "set default TLS minimum to TLSv1.3 (default: TLSv1.2)",
d744d0
             &EnvironmentOptions::tls_min_v1_3,
d744d0
             kAllowedInEnvironment);
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
   AddOption("--tls-max-v1.2",
d744d0
-            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
d744d0
+            "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
d744d0
             &EnvironmentOptions::tls_max_v1_2,
d744d0
             kAllowedInEnvironment);
d744d0
+#if !OPENSSL_IS_LEGACY
d744d0
   // Current plan is:
d744d0
   // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
d744d0
   // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
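Review bot: The help text for `--tls-max-v1.2` is changed to "(default: TLSv1.2)" unconditionally, while the `#if !OPENSSL_IS_LEGACY` guards around it mean non-legacy builds still register `--tls-max-v1.3` with "(default: TLSv1.3)" in the next hunk, so on those builds the two help strings now contradict each other. The string should follow the same guard as the rest of the hunk, as below. The tls.md hunks carry the same unconditional "default TLSv1.2" wording, and lib/tls.js, where the runtime default is actually set, is not part of this patch, so that claim should be checked against it. EnvironmentOptionsParser continues outside this hunk.
```cpp
  AddOption("--tls-max-v1.2",
#if OPENSSL_IS_LEGACY
            "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
#else
            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
#endif
            &EnvironmentOptions::tls_max_v1_2,
            kAllowedInEnvironment);
// … unchanged: guarded --tls-max-v1.3 registration …
```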
b24b2a
@@ -557,6 +564,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
d744d0
             "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
d744d0
             &EnvironmentOptions::tls_max_v1_3,
d744d0
             kAllowedInEnvironment);
d744d0
+#endif // !OPENSSL_IS_LEGACY
d744d0
 }
d744d0
 
d744d0
 PerIsolateOptionsParser::PerIsolateOptionsParser(
d744d0
diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/known_issues/test-tls-cli-max-version-1.3.js
d744d0
similarity index 100%
d744d0
rename from test/parallel/test-tls-cli-max-version-1.3.js
d744d0
rename to test/known_issues/test-tls-cli-max-version-1.3.js
d744d0
diff --git a/test/parallel/test-tls-cli-min-max-conflict.js b/test/known_issues/test-tls-cli-min-max-conflict.js
d744d0
similarity index 100%
d744d0
rename from test/parallel/test-tls-cli-min-max-conflict.js
d744d0
rename to test/known_issues/test-tls-cli-min-max-conflict.js
d744d0
diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/known_issues/test-tls-cli-min-version-1.3.js
d744d0
similarity index 100%
d744d0
rename from test/parallel/test-tls-cli-min-version-1.3.js
d744d0
rename to test/known_issues/test-tls-cli-min-version-1.3.js
d744d0
-- 
2.28.0