From 2509f6974c9f809d489cba267c65fd37f5a70239 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jul 28 2021 07:40:24 +0000
Subject: import rh-nodejs12-nodejs-12.22.2-1.el7


---

diff --git a/.gitignore b/.gitignore
index 1b30db8..08162fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/node-ssl-shim-6fc0b05.tar.gz
-SOURCES/node-v12.21.0-stripped.tar.gz
+SOURCES/node-ssl-shim-70e39fd.tar.gz
+SOURCES/node-v12.22.2-stripped.tar.gz
diff --git a/.rh-nodejs12-nodejs.metadata b/.rh-nodejs12-nodejs.metadata
index 7fd6bad..6a195dd 100644
--- a/.rh-nodejs12-nodejs.metadata
+++ b/.rh-nodejs12-nodejs.metadata
@@ -1,2 +1,2 @@
-9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz
-d1a2ba595dc378234691c4c6ce70c8e0ffe1b779 SOURCES/node-v12.21.0-stripped.tar.gz
+a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
+b8b3a8cee7a4fa4f99818c8a1eb86a9ba474b839 SOURCES/node-v12.22.2-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
index bf0d6fc..a5d74e2 100644
--- a/SOURCES/0001-Link-with-ssl-shim.patch
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -1,4 +1,4 @@
-From f2b5ee60b7e1f01a6678ee3172c6fa59c6ce8da1 Mon Sep 17 00:00:00 2001
+From 2b3df37eb2e1dfe324b935332b958b45a89ec9c6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Tue, 28 Apr 2020 11:15:24 +0200
 Subject: [PATCH] Link with ssl-shim
@@ -35,7 +35,7 @@ index 116c1c7149..0e40a2b441 100644
      }],
  
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index db2e122ab0..90df5f25e0 100644
+index 764dcb8720..e472892b68 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -1135,7 +1135,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
@@ -48,7 +48,7 @@ index db2e122ab0..90df5f25e0 100644
    ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
    Environment* env = sc->env();
 diff --git a/src/node_crypto.h b/src/node_crypto.h
-index 38fd806e62..0b9dab833d 100644
+index 573d59ddf4..7bce7706a9 100644
 --- a/src/node_crypto.h
 +++ b/src/node_crypto.h
 @@ -41,6 +41,8 @@
@@ -61,5 +61,5 @@ index 38fd806e62..0b9dab833d 100644
  namespace crypto {
  
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
index d672569..cb2a128 100644
--- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -1,6 +1,6 @@
-From ae4f772872661d6435c27e50937a0c3cbcede43c Mon Sep 17 00:00:00 2001
+From 6d27ddf97c68d2e80925dc25b790d598170b7a0f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 11:56:26 +0100
+Date: Thu, 8 Jul 2021 14:08:31 +0200
 Subject: [PATCH] Use OpenSSL 1.0 API
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -27,16 +27,25 @@ Content-Transfer-Encoding: 8bit
 
 - Sanitize inputs into PBKDF2
 
+- Setup ECDHE curve negotiation
+
+  - SSL_OP_SINGLE_ECDH_USE is no-op and default in OpenSSL 1.1,
+    but should be specified in OpenSSL 1.0
+  - SSL_CTX_set_ecdh_auto() is presumably the same case;
+    does not even exist in OpenSSL 1.1
+
+  Without this setup, ECDHE curve negotiation is broken: rhbz#1910749
+
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
- src/node_crypto.cc        | 26 ++++++++++++++++++++++++--
+ src/node_crypto.cc        | 30 ++++++++++++++++++++++++++++--
  src/node_crypto.h         |  4 ++++
  src/node_crypto_bio.cc    |  4 ++++
  src/node_crypto_common.cc |  8 ++++++++
- 4 files changed, 40 insertions(+), 2 deletions(-)
+ 4 files changed, 44 insertions(+), 2 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 90df5f25e0..7be3f77e1a 100644
+index e472892b68..0cc97f99ea 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -123,7 +123,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
@@ -51,7 +60,18 @@ index 90df5f25e0..7be3f77e1a 100644
      int len,
      int* copy);
  template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
-@@ -1746,7 +1750,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
+@@ -1189,6 +1193,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
+   THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "ECDH curve name");
+ 
+   node::Utf8Value curve(env->isolate(), args[0]);
++#if OPENSSL_IS_LEGACY
++  SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_SINGLE_ECDH_USE);
++  SSL_CTX_set_ecdh_auto(sc->ctx_.get(), 1);
++#endif
+ 
+   if (strcmp(*curve, "auto") == 0)
+     return;
+@@ -1746,7 +1754,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
  
  template <class Base>
  SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
@@ -63,7 +83,7 @@ index 90df5f25e0..7be3f77e1a 100644
                                                 int len,
                                                 int* copy) {
    Base* w = static_cast<Base*>(SSL_get_app_data(s));
-@@ -5917,9 +5925,23 @@ struct PBKDF2Job : public CryptoJob {
+@@ -5921,9 +5933,23 @@ struct PBKDF2Job : public CryptoJob {
    }
  
    inline void DoThreadPoolWork() override {
@@ -90,7 +110,7 @@ index 90df5f25e0..7be3f77e1a 100644
      success = Just(ok);
      Cleanse();
 diff --git a/src/node_crypto.h b/src/node_crypto.h
-index 0b9dab833d..7d6417b66f 100644
+index 7bce7706a9..780e1893f4 100644
 --- a/src/node_crypto.h
 +++ b/src/node_crypto.h
 @@ -234,7 +234,11 @@ class SSLWrap {
@@ -141,5 +161,5 @@ index 6c3bb0b1b6..d1d9edd6cd 100644
  MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
    return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
index dcff61a..244871e 100644
--- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
+++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
@@ -1,6 +1,6 @@
-From 7dc5dae056d1b77a748ebfb8a3e312b4306789b4 Mon Sep 17 00:00:00 2001
+From aef9bc657e0da83f5b540d8aeea100d0784aab4f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 11:57:01 +0100
+Date: Thu, 8 Jul 2021 14:09:22 +0200
 Subject: [PATCH] Backport necessary OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -43,7 +43,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  2 files changed, 180 insertions(+), 8 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 7be3f77e1a..c2b5aaa1a1 100644
+index 0cc97f99ea..65912d7db4 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -518,6 +518,11 @@ inline void SecureContext::Reset() {
@@ -131,7 +131,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
  
    // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
    // exposed in the public API. To retain compatibility, install a callback
-@@ -1244,6 +1262,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
+@@ -1248,6 +1266,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
      return env->ThrowTypeError("Error setting temp DH parameter");
  }
  
@@ -197,7 +197,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
  
  void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -1254,7 +1331,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1258,7 +1335,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -210,7 +210,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
  }
  
  
-@@ -1267,7 +1349,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1271,7 +1353,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -223,7 +223,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
  }
  
  
-@@ -1278,7 +1365,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1282,7 +1369,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -235,7 +235,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
    args.GetReturnValue().Set(static_cast<uint32_t>(version));
  }
  
-@@ -1290,11 +1381,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1294,11 +1385,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -251,7 +251,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
  void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
    ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
-@@ -6892,8 +6986,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
+@@ -6900,8 +6994,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
        CRYPTO_memcmp(buf1.data(), buf2.data(), buf1.length()) == 0);
  }
  
@@ -326,7 +326,7 @@ index 7be3f77e1a..c2b5aaa1a1 100644
  
    // --openssl-config=...
 diff --git a/src/node_crypto.h b/src/node_crypto.h
-index 7d6417b66f..746a2a3fc7 100644
+index 780e1893f4..2787e257ad 100644
 --- a/src/node_crypto.h
 +++ b/src/node_crypto.h
 @@ -182,6 +182,20 @@ class SecureContext final : public BaseObject {
@@ -351,5 +351,5 @@ index 7d6417b66f..746a2a3fc7 100644
  
  // SSLWrap implicitly depends on the inheriting class' handle having an
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
index 67a2a97..89ddb90 100644
--- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
+++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
@@ -1,6 +1,6 @@
-From 77cbd12e600a599351ec3b0b0302c7fcd1f9ec0b Mon Sep 17 00:00:00 2001
+From 64d17e7087842f367a931fb5694ef9a2c6af6a8e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 11:57:32 +0100
+Date: Thu, 8 Jul 2021 14:10:02 +0200
 Subject: [PATCH] Disable unsupported OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -41,10 +41,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
 
 diff --git a/doc/api/cli.md b/doc/api/cli.md
-index e6d49feef6..47976c670b 100644
+index 86635f267b..6a1cad9b74 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
-@@ -810,14 +810,6 @@ added: v12.0.0
+@@ -816,14 +816,6 @@ added: v12.0.0
  Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
  TLSv1.3.
  
@@ -59,7 +59,7 @@ index e6d49feef6..47976c670b 100644
  ### `--tls-min-v1.0`
  <!-- YAML
  added: v12.0.0
-@@ -843,14 +835,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
+@@ -849,14 +841,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
  12.x and later, but the option is supported for compatibility with older Node.js
  versions.
  
@@ -74,7 +74,7 @@ index e6d49feef6..47976c670b 100644
  ### `--trace-deprecation`
  <!-- YAML
  added: v0.8.0
-@@ -1234,11 +1218,9 @@ Node.js options that are allowed are:
+@@ -1240,11 +1224,9 @@ Node.js options that are allowed are:
  * `--tls-cipher-list`
  * `--tls-keylog`
  * `--tls-max-v1.2`
@@ -87,7 +87,7 @@ index e6d49feef6..47976c670b 100644
  * `--trace-event-categories`
  * `--trace-event-file-pattern`
 diff --git a/doc/api/tls.md b/doc/api/tls.md
-index 12d724e4d4..af3e42fcbe 100644
+index c9fabbc5b5..3c2dec97c3 100644
 --- a/doc/api/tls.md
 +++ b/doc/api/tls.md
 @@ -1947,10 +1947,10 @@ added: v11.4.0
@@ -122,7 +122,7 @@ index 12d724e4d4..af3e42fcbe 100644
  [`'newSession'`]: #tls_event_newsession
  [`'resumeSession'`]: #tls_event_resumesession
 diff --git a/src/env.h b/src/env.h
-index d0c0a18796..3df8b45532 100644
+index ed058866e9..cca3a26d0a 100644
 --- a/src/env.h
 +++ b/src/env.h
 @@ -51,6 +51,8 @@
@@ -148,7 +148,7 @@ index d0c0a18796..3df8b45532 100644
  // Private symbols are per-isolate primitives but Environment proxies them
  // for the sake of convenience.  Strings should be ASCII-only and have a
  // "node:" prefix to avoid name clashes with third-party code.
-@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =
+@@ -369,7 +378,7 @@ constexpr size_t kFsStatsBufferLength =
    V(sni_context_string, "sni_context")                                         \
    V(source_string, "source")                                                   \
    V(stack_string, "stack")                                                     \
@@ -285,7 +285,7 @@ index c373a97e47..220cb109bc 100644
  v8::MaybeLocal<v8::Value> GetCipherVersion(
      Environment* env,
 diff --git a/src/node_options.cc b/src/node_options.cc
-index 824004631f..6a4431f59b 100644
+index 0240b2ef58..8affde8753 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -9,6 +9,8 @@
@@ -297,7 +297,7 @@ index 824004631f..6a4431f59b 100644
  using v8::Boolean;
  using v8::Context;
  using v8::FunctionCallbackInfo;
-@@ -128,10 +130,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
+@@ -115,10 +117,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
      errors->push_back("invalid value for --unhandled-rejections");
    }
  
@@ -310,7 +310,7 @@ index 824004631f..6a4431f59b 100644
  
  #if HAVE_INSPECTOR
    if (!cpu_prof) {
-@@ -541,14 +545,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -526,14 +530,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
              &EnvironmentOptions::tls_min_v1_2,
              kAllowedInEnvironment);
@@ -329,7 +329,7 @@ index 824004631f..6a4431f59b 100644
    // Current plan is:
    // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
    // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
-@@ -557,6 +564,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -542,6 +549,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
              &EnvironmentOptions::tls_max_v1_3,
              kAllowedInEnvironment);
@@ -350,5 +350,5 @@ similarity index 100%
 rename from test/parallel/test-tls-cli-min-version-1.3.js
 rename to test/known_issues/test-tls-cli-min-version-1.3.js
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0005-Adjust-test-expectations.patch b/SOURCES/0005-Adjust-test-expectations.patch
index bcfde44..219f581 100644
--- a/SOURCES/0005-Adjust-test-expectations.patch
+++ b/SOURCES/0005-Adjust-test-expectations.patch
@@ -1,6 +1,6 @@
-From 91103dfdfdc7d34549e831717cf3f430b7f019e1 Mon Sep 17 00:00:00 2001
+From 1a0bb0ba167ea9417377e4adeca436ba321df3a3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 11:58:10 +0100
+Date: Thu, 8 Jul 2021 14:10:35 +0200
 Subject: [PATCH] Adjust test expectations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -236,5 +236,5 @@ index 7ef0f12426..4fcb9247d3 100644
      // TLS1.3 client hellos are are not understood by TLS1.1 or below.
      test(U, U, U, U, U, 'TLSv1_method',
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
index 816ec4d..6631a41 100644
--- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch
+++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
@@ -1,6 +1,6 @@
-From e135e79baadde7e26c18b7fc898af950ee870f84 Mon Sep 17 00:00:00 2001
+From babb845ad3cf7b65e228826385ee060c53e68e8d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 11:59:40 +0100
+Date: Thu, 8 Jul 2021 14:11:32 +0200
 Subject: [PATCH] Disable tests for unsupported features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -479,7 +479,7 @@ index d3011db79d..644a52a1c7 100644
    // Exporting an encrypted private key requires a cipher
    const privateKey = createPrivateKey(privatePem);
 diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js
-index 1f059c4694..ddcfaf696c 100644
+index 384f4fa68a..38432254f0 100644
 --- a/test/parallel/test-crypto-keygen.js
 +++ b/test/parallel/test-crypto-keygen.js
 @@ -265,42 +265,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
@@ -525,7 +525,7 @@ index 1f059c4694..ddcfaf696c 100644
  
  {
    const privateKeyEncoding = {
-@@ -965,22 +930,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
+@@ -975,22 +940,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
    }));
  }
  
@@ -810,5 +810,5 @@ index 4bcdf36860..0642e18d5e 100644
  test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
  // Recognized user but incorrect secret should fail handshake
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch
index de41f4e..1896009 100644
--- a/SOURCES/0007-Disable-tests-for-known-issues.patch
+++ b/SOURCES/0007-Disable-tests-for-known-issues.patch
@@ -1,6 +1,6 @@
-From 03bd2c4427a04d2affb16fe035d613723c31dc03 Mon Sep 17 00:00:00 2001
+From 7d2fcf06ab09ed018a8c8bef84c072f93218b7ff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 12:00:05 +0100
+Date: Thu, 8 Jul 2021 14:11:48 +0200
 Subject: [PATCH] Disable tests for known issues
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -25,6 +25,10 @@ Content-Transfer-Encoding: 8bit
 
 - Disable failing REPL tests
 
+- Disable sequential/test-worker-prof
+
+  It times out on s390x.
+
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
  test/{sequential => known_issues}/test-async-wrap-getasyncid.js   | 0
@@ -49,7 +53,8 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  test/{parallel => known_issues}/test-tls-set-ciphers-error.js     | 0
  test/{parallel => known_issues}/test-tls-set-ciphers.js           | 0
  test/{parallel => known_issues}/test-tls-set-sigalgs.js           | 0
- 22 files changed, 0 insertions(+), 0 deletions(-)
+ test/{sequential => known_issues}/test-worker-prof.js             | 0
+ 23 files changed, 0 insertions(+), 0 deletions(-)
  rename test/{sequential => known_issues}/test-async-wrap-getasyncid.js (100%)
  rename test/{parallel => known_issues}/test-repl-pretty-custom-stack.js (100%)
  rename test/{parallel => known_issues}/test-repl-pretty-stack.js (100%)
@@ -72,6 +77,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  rename test/{parallel => known_issues}/test-tls-set-ciphers-error.js (100%)
  rename test/{parallel => known_issues}/test-tls-set-ciphers.js (100%)
  rename test/{parallel => known_issues}/test-tls-set-sigalgs.js (100%)
+ rename test/{sequential => known_issues}/test-worker-prof.js (100%)
 
 diff --git a/test/sequential/test-async-wrap-getasyncid.js b/test/known_issues/test-async-wrap-getasyncid.js
 similarity index 100%
@@ -161,6 +167,10 @@ diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/known_issues/test-tls-
 similarity index 100%
 rename from test/parallel/test-tls-set-sigalgs.js
 rename to test/known_issues/test-tls-set-sigalgs.js
+diff --git a/test/sequential/test-worker-prof.js b/test/known_issues/test-worker-prof.js
+similarity index 100%
+rename from test/sequential/test-worker-prof.js
+rename to test/known_issues/test-worker-prof.js
 -- 
-2.28.0
+2.31.1
 
diff --git a/SOURCES/0008-Disable-architecture-specific-failing-tests.patch b/SOURCES/0008-Disable-architecture-specific-failing-tests.patch
deleted file mode 100644
index 881b38a..0000000
--- a/SOURCES/0008-Disable-architecture-specific-failing-tests.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 1720f9c816214e849daa8e14e3502038817a04f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Mon, 23 Nov 2020 12:00:52 +0100
-Subject: [PATCH] Disable architecture-specific failing tests
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-- Disable sequential/test-worker-prof
-
-  It times out on s390x.
-
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
----
- test/{sequential => known_issues}/test-worker-prof.js | 0
- 1 file changed, 0 insertions(+), 0 deletions(-)
- rename test/{sequential => known_issues}/test-worker-prof.js (100%)
-
-diff --git a/test/sequential/test-worker-prof.js b/test/known_issues/test-worker-prof.js
-similarity index 100%
-rename from test/sequential/test-worker-prof.js
-rename to test/known_issues/test-worker-prof.js
--- 
-2.28.0
-
diff --git a/SOURCES/always-available-fips-options.patch b/SOURCES/always-available-fips-options.patch
new file mode 100644
index 0000000..fb90f8f
--- /dev/null
+++ b/SOURCES/always-available-fips-options.patch
@@ -0,0 +1,622 @@
+From 7bc4111b770ada25cdd6e1b938ca7a914617ea53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
+Date: Tue, 25 Aug 2020 14:04:54 +0200
+Subject: [PATCH] crypto: make FIPS related options always awailable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is no reason to hide FIPS functionality behind build flags.
+OpenSSL always provide the information about FIPS availability via
+`FIPS_mode()` function.
+
+This makes the user experience more consistent, because the OpenSSL
+library is always queried and the `crypto.getFips()` always returns
+OpenSSL settings.
+
+Fixes #34903
+
+PR-URL: https://github.com/nodejs/node/pull/36341
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Michael Dawson <midawson@redhat.com>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ doc/api/cli.md                                |  8 +--
+ lib/crypto.js                                 | 22 ++----
+ node.gypi                                     |  3 -
+ src/node.cc                                   |  6 +-
+ src/node_config.cc                            |  2 -
+ src/node_crypto.cc                            | 45 +++++++-----
+ src/node_options.cc                           |  2 -
+ src/node_options.h                            |  2 -
+ test/parallel/test-cli-node-print-help.js     |  7 +-
+ test/parallel/test-crypto-fips.js             | 71 +++++++++----------
+ ...rocess-env-allowed-flags-are-documented.js | 11 +--
+ 11 files changed, 74 insertions(+), 105 deletions(-)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 86635f267b..6f14fa6810 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -183,8 +183,8 @@ code from strings throw an exception instead. This does not affect the Node.js
+ added: v6.0.0
+ -->
+ 
+-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
+-`./configure --openssl-fips`.)
++Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
++against FIPS-compatible OpenSSL.)
+ 
+ ### `--enable-source-maps`
+ <!-- YAML
+@@ -550,8 +550,8 @@ added: v6.9.0
+ -->
+ 
+ Load an OpenSSL configuration file on startup. Among other uses, this can be
+-used to enable FIPS-compliant crypto if Node.js is built with
+-`./configure --openssl-fips`.
++used to enable FIPS-compliant crypto if Node.js is built
++against FIPS-enabled OpenSSL.
+ 
+ ### `--pending-deprecation`
+ <!-- YAML
+diff --git a/lib/crypto.js b/lib/crypto.js
+index b2bcc4d0a4..93d5e21fa0 100644
+--- a/lib/crypto.js
++++ b/lib/crypto.js
+@@ -37,12 +37,10 @@ assertCrypto();
+ 
+ const {
+   ERR_CRYPTO_FIPS_FORCED,
+-  ERR_CRYPTO_FIPS_UNAVAILABLE
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+ const { getOptionValue } = require('internal/options');
+ const pendingDeprecation = getOptionValue('--pending-deprecation');
+-const { fipsMode } = internalBinding('config');
+ const fipsForced = getOptionValue('--force-fips');
+ const {
+   getFipsCrypto,
+@@ -191,10 +189,8 @@ module.exports = {
+   sign: signOneShot,
+   setEngine,
+   timingSafeEqual,
+-  getFips: !fipsMode ? getFipsDisabled :
+-    fipsForced ? getFipsForced : getFipsCrypto,
+-  setFips: !fipsMode ? setFipsDisabled :
+-    fipsForced ? setFipsForced : setFipsCrypto,
++  getFips: fipsForced ? getFipsForced : getFipsCrypto,
++  setFips: fipsForced ? setFipsForced : setFipsCrypto,
+   verify: verifyOneShot,
+ 
+   // Classes
+@@ -213,19 +209,11 @@ module.exports = {
+   Verify
+ };
+ 
+-function setFipsDisabled() {
+-  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
+-}
+-
+ function setFipsForced(val) {
+   if (val) return;
+   throw new ERR_CRYPTO_FIPS_FORCED();
+ }
+ 
+-function getFipsDisabled() {
+-  return 0;
+-}
+-
+ function getFipsForced() {
+   return 1;
+ }
+@@ -247,10 +235,8 @@ ObjectDefineProperties(module.exports, {
+   },
+   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
+   fips: {
+-    get: !fipsMode ? getFipsDisabled :
+-      fipsForced ? getFipsForced : getFipsCrypto,
+-    set: !fipsMode ? setFipsDisabled :
+-      fipsForced ? setFipsForced : setFipsCrypto
++    get: fipsForced ? getFipsForced : getFipsCrypto,
++    set: fipsForced ? setFipsForced : setFipsCrypto
+   },
+   DEFAULT_ENCODING: {
+     enumerable: false,
+diff --git a/node.gypi b/node.gypi
+index 116c1c7149..34f385f652 100644
+--- a/node.gypi
++++ b/node.gypi
+@@ -320,9 +320,6 @@
+     [ 'node_use_openssl=="true"', {
+       'defines': [ 'HAVE_OPENSSL=1' ],
+       'conditions': [
+-        ['openssl_fips != "" or openssl_is_fips=="true"', {
+-          'defines': [ 'NODE_FIPS_MODE' ],
+-        }],
+         [ 'node_shared_openssl=="false"', {
+           'dependencies': [
+             './deps/openssl/openssl.gyp:openssl',
+diff --git a/src/node.cc b/src/node.cc
+index 46e8f74cc2..0a5c3ee8ee 100644
+--- a/src/node.cc
++++ b/src/node.cc
+@@ -964,11 +964,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
+     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+       crypto::UseExtraCaCerts(extra_ca_certs);
+   }
+-#ifdef NODE_FIPS_MODE
+   // In the case of FIPS builds we should make sure
+   // the random source is properly initialized first.
+-  OPENSSL_init();
+-#endif  // NODE_FIPS_MODE
++  if (FIPS_mode()) {
++    OPENSSL_init();
++  }
+   // V8 on Windows doesn't have a good source of entropy. Seed it from
+   // OpenSSL's pool.
+   V8::SetEntropySource(crypto::EntropySource);
+diff --git a/src/node_config.cc b/src/node_config.cc
+index 6ee3164a13..e229eee765 100644
+--- a/src/node_config.cc
++++ b/src/node_config.cc
+@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
+   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
+ #endif  // HAVE_OPENSSL
+ 
+-#ifdef NODE_FIPS_MODE
+   READONLY_TRUE_PROPERTY(target, "fipsMode");
+-#endif
+ 
+ #ifdef NODE_HAVE_I18N_SUPPORT
+ 
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 764dcb8720..f142e625ef 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -50,6 +50,11 @@
+ #include <openssl/hmac.h>
+ #include <openssl/rand.h>
+ #include <openssl/pkcs12.h>
++// The FIPS-related functions are only available
++// when the OpenSSL itself was compiled with FIPS support.
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif // OPENSSL_FIPS
+ 
+ #include <cerrno>
+ #include <climits>  // INT_MAX
+@@ -97,6 +102,7 @@ using v8::Signature;
+ using v8::String;
+ using v8::Uint32;
+ using v8::Undefined;
++using v8::TryCatch;
+ using v8::Value;
+ 
+ #ifdef OPENSSL_NO_OCB
+@@ -3595,12 +3601,10 @@ void CipherBase::Init(const char* cipher_type,
+   HandleScope scope(env()->isolate());
+   MarkPopErrorOnReturn mark_pop_error_on_return;
+ 
+-#ifdef NODE_FIPS_MODE
+   if (FIPS_mode()) {
+     return env()->ThrowError(
+         "crypto.createCipher() is not supported in FIPS mode.");
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
+   if (cipher == nullptr)
+@@ -3786,13 +3790,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
+       return false;
+     }
+ 
+-#ifdef NODE_FIPS_MODE
+     // TODO(tniessen) Support CCM decryption in FIPS mode
+     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
+       env()->ThrowError("CCM decryption not supported in FIPS mode");
+       return false;
+     }
+-#endif
+ 
+     // Tell OpenSSL about the desired length.
+     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
+@@ -4712,7 +4714,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
+ }
+ 
+ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+-#ifdef NODE_FIPS_MODE
+   /* Validate DSA2 parameters from FIPS 186-4 */
+   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
+     DSA* dsa = EVP_PKEY_get0_DSA(key);
+@@ -4728,7 +4729,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+            (L == 2048 && N == 256) ||
+            (L == 3072 && N == 256);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   return true;
+ }
+@@ -6889,7 +6889,6 @@ void InitCryptoOnce() {
+   settings = nullptr;
+ #endif
+ 
+-#ifdef NODE_FIPS_MODE
+   /* Override FIPS settings in cnf file, if needed. */
+   unsigned long err = 0;  // NOLINT(runtime/int)
+   if (per_process::cli_options->enable_fips_crypto ||
+@@ -6899,12 +6898,10 @@ void InitCryptoOnce() {
+     }
+   }
+   if (0 != err) {
+-    fprintf(stderr,
+-            "openssl fips failed: %s\n",
+-            ERR_error_string(err, nullptr));
+-    UNREACHABLE();
++      auto* isolate = Isolate::GetCurrent();
++      auto* env = Environment::GetCurrent(isolate);
++      return ThrowCryptoError(env, err);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+ 
+   // Turn off compression. Saves memory and protects against CRIME attacks.
+@@ -6950,7 +6947,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
+ }
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
+ }
+@@ -6968,17 +6964,33 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+     return ThrowCryptoError(env, err);
+   }
+ }
+-#endif /* NODE_FIPS_MODE */
++
++void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
++#ifdef OPENSSL_FIPS
++  const auto enabled = FIPS_selftest() ? 1 : 0;
++#else  // OPENSSL_FIPS
++  const auto enabled = 0;
++#endif  // OPENSSL_FIPS
++
++  args.GetReturnValue().Set(enabled);
++}
+ 
+ 
+ void Initialize(Local<Object> target,
+                 Local<Value> unused,
+                 Local<Context> context,
+                 void* priv) {
++  Environment* env = Environment::GetCurrent(context);
++
+   static uv_once_t init_once = UV_ONCE_INIT;
++  TryCatch try_catch{env->isolate()};
+   uv_once(&init_once, InitCryptoOnce);
+ 
+-  Environment* env = Environment::GetCurrent(context);
++  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
++    try_catch.ReThrow();
++    return;
++  }
++
+   SecureContext::Initialize(env, target);
+   target->Set(env->context(),
+             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
+@@ -7007,10 +7019,9 @@ void Initialize(Local<Object> target,
+   env->SetMethod(target, "setEngine", SetEngine);
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
+   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
+-#endif
++  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
+ 
+   env->SetMethod(target, "pbkdf2", PBKDF2);
+   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 0240b2ef58..d1230da1ad 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -729,7 +729,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             &PerProcessOptions::ssl_openssl_cert_store);
+   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
+   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
+-#if NODE_FIPS_MODE
+   AddOption("--enable-fips",
+             "enable FIPS crypto at startup",
+             &PerProcessOptions::enable_fips_crypto,
+@@ -738,7 +737,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             "force FIPS crypto (cannot be disabled)",
+             &PerProcessOptions::force_fips_crypto,
+             kAllowedInEnvironment);
+-#endif
+ #endif
+   AddOption("--use-largepages",
+             "Map the Node.js static code to large pages. Options are "
+diff --git a/src/node_options.h b/src/node_options.h
+index aa138c6970..f5e1e7da57 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -236,10 +236,8 @@ class PerProcessOptions : public Options {
+ #endif
+   bool use_openssl_ca = false;
+   bool use_bundled_ca = false;
+-#if NODE_FIPS_MODE
+   bool enable_fips_crypto = false;
+   bool force_fips_crypto = false;
+-#endif
+ #endif
+ 
+   // Per-process because reports can be triggered outside a known V8 context.
+diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
+index e115124b04..ed58bf085c 100644
+--- a/test/parallel/test-cli-node-print-help.js
++++ b/test/parallel/test-cli-node-print-help.js
+@@ -8,8 +8,6 @@ const common = require('../common');
+ 
+ const assert = require('assert');
+ const { exec } = require('child_process');
+-const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
+ let stdOut;
+ 
+ 
+@@ -29,9 +27,8 @@ function validateNodePrintHelp() {
+   const cliHelpOptions = [
+     { compileConstant: HAVE_OPENSSL,
+       flags: [ '--openssl-config=...', '--tls-cipher-list=...',
+-               '--use-bundled-ca', '--use-openssl-ca' ] },
+-    { compileConstant: fipsMode,
+-      flags: [ '--enable-fips', '--force-fips' ] },
++               '--use-bundled-ca', '--use-openssl-ca',
++               '--enable-fips', '--force-fips' ] },
+     { compileConstant: NODE_HAVE_I18N_SUPPORT,
+       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
+     { compileConstant: HAVE_INSPECTOR,
+diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
+index eae3134402..a1ed645184 100644
+--- a/test/parallel/test-crypto-fips.js
++++ b/test/parallel/test-crypto-fips.js
+@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
+ const path = require('path');
+ const fixtures = require('../common/fixtures');
+ const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
++const { testFipsCrypto } = internalBinding('crypto');
+ 
+ const FIPS_ENABLED = 1;
+ const FIPS_DISABLED = 0;
+-const FIPS_ERROR_STRING =
+-  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
+-  'non-FIPS build.';
+ const FIPS_ERROR_STRING2 =
+   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
+   '--force-fips at startup.';
+-const OPTION_ERROR_STRING = 'bad option';
++const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
+ 
+ const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
+ const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
+ 
+ let num_children_ok = 0;
+ 
+-function compiledWithFips() {
+-  return fipsMode ? true : false;
+-}
+-
+ function sharedOpenSSL() {
+   return process.config.variables.node_shared_openssl;
+ }
+@@ -75,17 +68,17 @@ testHelper(
+ 
+ // --enable-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // --force-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     process.env);
+ 
+@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
+ 
+@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ }
+@@ -136,50 +129,50 @@ testHelper(
+ 
+ // --enable-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // OPENSSL_CONF should _not_ make a difference to --enable-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // --force-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // Using OPENSSL_CONF should not make a difference to --force-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // setFipsCrypto should be able to turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto should be able to turn FIPS mode on and off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+@@ -187,27 +180,27 @@ testHelper(
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [`--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  'stdout',
+   [`--openssl-config=${CNF_FIPS_ON}`],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  FIPS_DISABLED,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // --enable-fips does not prevent use of setFipsCrypto API
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -216,15 +209,15 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+ // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -233,7 +226,7 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips', '--enable-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+@@ -241,6 +234,6 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--enable-fips', '--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 0e0af9471c..af10809634 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -44,17 +44,8 @@ const conditionalOpts = [
+   { include: common.hasCrypto,
+     filter: (opt) => {
+       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
+-              '--use-openssl-ca' ].includes(opt);
++              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
+     } },
+-  {
+-    // We are using openssl_is_fips from the configuration because it could be
+-    // the case that OpenSSL is FIPS compatible but fips has not been enabled
+-    // (starting node with --enable-fips). If we use common.hasFipsCrypto
+-    // that would only tells us if fips has been enabled, but in this case we
+-    // want to check options which will be available regardless of whether fips
+-    // is enabled at runtime or not.
+-    include: process.config.variables.openssl_is_fips,
+-    filter: (opt) => opt.includes('-fips') },
+   { include: common.hasIntl,
+     filter: (opt) => opt === '--icu-data-dir' },
+   { include: process.features.inspector,
+-- 
+2.31.1
+
diff --git a/SOURCES/deps-y18n-address-prototype-pollution-issue.patch b/SOURCES/deps-y18n-address-prototype-pollution-issue.patch
deleted file mode 100644
index ef06ee2..0000000
--- a/SOURCES/deps-y18n-address-prototype-pollution-issue.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From f6321dad88a280ac7fa24afa2aa07c868d395586 Mon Sep 17 00:00:00 2001
-From: bcoe <bencoe@google.com>
-Date: Sat, 24 Oct 2020 19:15:20 -0700
-Subject: [PATCH] deps(y18n): address prototype pollution issue
-
-Fixes: CVE-2020-7774
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/y18n/index.js | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
-index d720681..727362a 100644
---- a/deps/npm/node_modules/y18n/index.js
-+++ b/deps/npm/node_modules/y18n/index.js
-@@ -11,7 +11,7 @@ function Y18N (opts) {
-   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
- 
-   // internal stuff.
--  this.cache = {}
-+  this.cache = Object.create(null)
-   this.writeQueue = []
- }
- 
--- 
-2.28.0
-
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 0b0bdd9..bdf2bd8 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -22,8 +22,8 @@
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_major 12
-%global nodejs_minor 21
-%global nodejs_patch 0
+%global nodejs_minor 22
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release 1
@@ -80,7 +80,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 11
+%global npm_patch 13
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -129,7 +129,7 @@ Source100: %{pkg_name}-tarball.sh
 
 # Use separate shim library to smooth the rough edges of the API incompatibility
 # between OpenSSL versions
-Source1: https://github.com/sclorg/node-ssl-shim/archive/6fc0b05d38215f1ea8b9b22c0131c9476628aef1/node-ssl-shim-6fc0b05.tar.gz
+Source1: https://github.com/sclorg/node-ssl-shim/archive/70e39fdc1db4525191acc765f9d524ddb58a1756/node-ssl-shim-70e39fd.tar.gz
 
 # Patches for making nodejs compatible with older openssl
 # Squashed and exported from https://gitlab.cee.redhat.com/nodejs/node
@@ -141,16 +141,13 @@ Patch04: 0004-Disable-unsupported-OpenSSL-features.patch
 Patch05: 0005-Adjust-test-expectations.patch
 Patch06: 0006-Disable-tests-for-unsupported-features.patch
 Patch07: 0007-Disable-tests-for-known-issues.patch
-# See rhbz#1888605 for details
-Patch08: 0008-Disable-architecture-specific-failing-tests.patch
 
 # Remove libuv attempts to use statx syscall – rhbz#1760184
 Patch10: deps-Remove-statx-from-libuv.patch
 # Fix test suite decoding of test outputs
 Patch11: tools-test-Replace-malformed-input-from-tests.patch
-
-# Backport upstream fixes
-Patch20: deps-y18n-address-prototype-pollution-issue.patch
+# Always defer to OS when it comes to FIPS
+Patch12: always-available-fips-options.patch
 
 
 %{?scl:Requires: %{scl}-runtime}
@@ -228,7 +225,7 @@ Provides: bundled(%{?scl_prefix}zlib) = %{zlib_version}
 # Bundle uvwasi, since it is not available on RHEL7
 Provides: bundled(%{?scl_prefix}uvwasi) = %{uvwasi_version}
 
-Provides: bundled(%{?scl_prefix}histogram} = %{histogram_version}
+Provides: bundled(%{?scl_prefix}histogram) = %{histogram_version}
 
 # Make sure we keep NPM up to date when we update Node.js
 Requires: %{?scl_prefix}npm = %{npm_version}-%{npm_release}%{?dist}
@@ -502,6 +499,10 @@ python2 tools/test.py "${RUN_SUITES[@]}"
 
 
 %changelog
+* Thu Jul 08 2021 Jan Staněk <jstanek@redhat.com> - 12.22.2-1
+- Rebase to 12.22.2
+- Drop upstreamed deps-y18n-address-prototype-pollution-issue.patch
+
 * Tue Feb 23 2021 Jan Staněk <jstanek@redhat.com> - 12.21.0-1
 - Rebase to 12.21.0
 - Resolves: CVE-2021-22883 CVE-2021-22884