From d744d052b49cf690cf825698e88df78c4f2e1d94 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 11 2020 13:07:44 +0000 Subject: import rh-nodejs12-nodejs-12.18.4-3.el7 --- diff --git a/.gitignore b/.gitignore index 2129f2d..ee06d4c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -SOURCES/node-v12.18.2-stripped.tar.gz +SOURCES/node-ssl-shim-6fc0b05.tar.gz +SOURCES/node-v12.18.4-stripped.tar.gz diff --git a/.rh-nodejs12-nodejs.metadata b/.rh-nodejs12-nodejs.metadata index d6445da..aa63d7a 100644 --- a/.rh-nodejs12-nodejs.metadata +++ b/.rh-nodejs12-nodejs.metadata @@ -1 +1,2 @@ -2b5af5fe544a0aa310e962bb70f5e225022589b7 SOURCES/node-v12.18.2-stripped.tar.gz +9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz +002418dc06158c9068be2c4e18847243a6c4d9c5 SOURCES/node-v12.18.4-stripped.tar.gz diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch new file mode 100644 index 0000000..6b3f0bf --- /dev/null +++ b/SOURCES/0001-Link-with-ssl-shim.patch @@ -0,0 +1,65 @@ +From ef86c8e2907c82e956a997e2ed6cbce5e8d33312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= +Date: Tue, 28 Apr 2020 11:15:24 +0200 +Subject: [PATCH] Link with ssl-shim +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jan Staněk +--- + node.gypi | 10 +++++++--- + src/node_crypto.cc | 2 +- + src/node_crypto.h | 2 ++ + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/node.gypi b/node.gypi +index 116c1c7149..0e40a2b441 100644 +--- a/node.gypi ++++ b/node.gypi +@@ -365,9 +365,13 @@ + ], + }], + ], +- }]] +- +- }, { ++ }], ++ [ 'node_shared_openssl=="true"', { ++ 'include_dirs': ['deps/node-ssl-shim/include'], ++ 'libraries': ['& args) { + + void SecureContext::SetCipherSuites(const FunctionCallbackInfo& args) { + // BoringSSL doesn't allow API config of TLS1.3 cipher suites. +-#ifndef OPENSSL_IS_BORINGSSL ++#if !defined OPENSSL_IS_BORINGSSL && !OPENSSL_IS_LEGACY + SecureContext* sc; + ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); + Environment* env = sc->env(); +diff --git a/src/node_crypto.h b/src/node_crypto.h +index 772a34a7da..ec86debfea 100644 +--- a/src/node_crypto.h ++++ b/src/node_crypto.h +@@ -40,6 +40,8 @@ + #include + #include + ++#include ++ + namespace node { + namespace crypto { + +-- +2.26.2 + diff --git a/SOURCES/0001-Remove-or-backport-OpenSSL-features.patch b/SOURCES/0001-Remove-or-backport-OpenSSL-features.patch deleted file mode 100644 index b675a8d..0000000 --- a/SOURCES/0001-Remove-or-backport-OpenSSL-features.patch +++ /dev/null @@ -1,1415 +0,0 @@ -From 0bb0ed5712eaa274c0e025c74fe792c56c5c8c7f Mon Sep 17 00:00:00 2001 -From: Zuzana Svetlikova -Date: Wed, 19 Feb 2020 09:33:47 +0000 -Subject: [PATCH] Remove or backport OpenSSL features - -Signed-off-by: rpm-build ---- - doc/api/cli.md | 26 -- - lib/_tls_common.js | 2 +- - lib/internal/crypto/keygen.js | 8 +- - lib/tls.js | 9 +- - src/env.h | 1 - - src/node_constants.cc | 12 +- - src/node_crypto.cc | 461 +++++++++++++++++++++++++++++++--- - src/node_crypto.h | 77 ++++++ - src/node_crypto_bio.cc | 29 ++- - src/node_crypto_common.cc | 32 ++- - src/node_crypto_common.h | 2 + - src/node_errors.h | 4 +- - src/node_options.cc | 4 + - src/tls_wrap.cc | 2 + - 14 files changed, 592 insertions(+), 77 deletions(-) - -diff --git a/doc/api/cli.md b/doc/api/cli.md -index 5dd5ae4..2ea0732 100644 ---- a/doc/api/cli.md -+++ b/doc/api/cli.md -@@ -753,15 +753,6 @@ added: v4.0.0 - Specify an alternative default TLS cipher list. Requires Node.js to be built - with crypto support (default). - --### `--tls-keylog=file` -- -- --Log TLS key material to a file. The key material is in NSS `SSLKEYLOGFILE` --format and can be used by software (such as Wireshark) to decrypt the TLS --traffic. -- - ### `--tls-max-v1.2` - -- --Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support --for TLSv1.3. -- - ### `--tls-min-v1.0` - -- --Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support --for TLSv1.2, which is not as secure as TLSv1.3. -- - ### `--trace-deprecation` - - - * `privateKey` {Object | string | Buffer | KeyObject} -- * `dsaEncoding` {string} - * `padding` {integer} - * `saltLength` {integer} - * `outputEncoding` {string} The [encoding][] of the return value. -@@ -1423,10 +1422,6 @@ If `privateKey` is not a [`KeyObject`][], this function behaves as if - `privateKey` had been passed to [`crypto.createPrivateKey()`][]. If it is an - object, the following additional properties can be passed: - --* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the -- format of the generated signature. It can be one of the following: -- * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`. -- * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363. - * `padding` {integer} Optional padding value for RSA, one of the following: - * `crypto.constants.RSA_PKCS1_PADDING` (default) - * `crypto.constants.RSA_PKCS1_PSS_PADDING` -@@ -1523,7 +1518,6 @@ changes: - --> - - * `object` {Object | string | Buffer | KeyObject} -- * `dsaEncoding` {string} - * `padding` {integer} - * `saltLength` {integer} - * `signature` {string | Buffer | TypedArray | DataView} -@@ -1537,10 +1531,6 @@ If `object` is not a [`KeyObject`][], this function behaves as if - `object` had been passed to [`crypto.createPublicKey()`][]. If it is an - object, the following additional properties can be passed: - --* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the -- format of the generated signature. It can be one of the following: -- * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`. -- * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363. - * `padding` {integer} Optional padding value for RSA, one of the following: - * `crypto.constants.RSA_PKCS1_PADDING` (default) - * `crypto.constants.RSA_PKCS1_PSS_PADDING` -@@ -2464,9 +2454,6 @@ An array of supported digest functions can be retrieved using - -- --* `line` {Buffer} Line of ASCII text, in NSS `SSLKEYLOGFILE` format. --* `tlsSocket` {tls.TLSSocket} The `tls.TLSSocket` instance on which it was -- generated. -- --The `keylog` event is emitted when key material is generated or received by a --connection managed by this agent (typically before handshake has completed, but --not necessarily). This keying material can be stored for debugging, as it --allows captured TLS traffic to be decrypted. It may be emitted multiple times --for each socket. -- --A typical use case is to append received lines to a common text file, which is --later used by software (such as Wireshark) to decrypt the traffic: -- --```js --// ... --https.globalAgent.on('keylog', (line, tlsSocket) => { -- fs.appendFileSync('/tmp/ssl-keys.log', line, { mode: 0o600 }); --}); --``` -- - ## Class: `https.Server` - -- --TLS-PSK support is available as an alternative to normal certificate-based --authentication. It uses a pre-shared key instead of certificates to --authenticate a TLS connection, providing mutual authentication. --TLS-PSK and public key infrastructure are not mutually exclusive. Clients and --servers can accommodate both, choosing either of them during the normal cipher --negotiation step. -- --TLS-PSK is only a good choice where means exist to securely share a --key with every connecting machine, so it does not replace PKI --(Public Key Infrastructure) for the majority of TLS uses. --The TLS-PSK implementation in OpenSSL has seen many security flaws in --recent years, mostly because it is used only by a minority of applications. --Please consider all alternative solutions before switching to PSK ciphers. --Upon generating PSK it is of critical importance to use sufficient entropy as --discussed in [RFC 4086][]. Deriving a shared secret from a password or other --low-entropy sources is not secure. -- --PSK ciphers are disabled by default, and using TLS-PSK thus requires explicitly --specifying a cipher suite with the `ciphers` option. The list of available --ciphers can be retrieved via `openssl ciphers -v 'PSK'`. All TLS 1.3 --ciphers are eligible for PSK but currently only those that use SHA256 digest are --supported they can be retrieved via `openssl ciphers -v -s -tls1_3 -psk`. -- --According to the [RFC 4279][], PSK identities up to 128 bytes in length and --PSKs up to 64 bytes in length must be supported. As of OpenSSL 1.1.0 --maximum identity size is 128 bytes, and maximum PSK length is 256 bytes. -- --The current implementation doesn't support asynchronous PSK callbacks due to the --limitations of the underlying OpenSSL API. -- - ### Client-initiated renegotiation attack mitigation - - -@@ -861,27 +827,16 @@ changes: - pr-url: https://github.com/nodejs/node/pull/26625 - description: Return the minimum cipher version, instead of a fixed string - (`'TLSv1/SSLv3'`). -- - version: v12.16.0 -- pr-url: https://github.com/nodejs/node/pull/30637 -- description: Return the IETF cipher name as `standardName`. - --> - - * Returns: {Object} -- * `name` {string} OpenSSL name for the cipher suite. -- * `standardName` {string} IETF name for the cipher suite. -+ * `name` {string} The name of the cipher suite. - * `version` {string} The minimum TLS protocol version supported by this cipher - suite. - - Returns an object containing information on the negotiated cipher suite. - --For example: --```json --{ -- "name": "AES128-SHA256", -- "standardName": "TLS_RSA_WITH_AES_128_CBC_SHA256", -- "version": "TLSv1.2" --} --``` -+For example: `{ name: 'AES256-SHA', version: 'TLSv1.2' }`. - - See - [SSL_CIPHER_get_name](https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html) -@@ -1082,18 +1037,6 @@ See [Session Resumption][] for more information. - Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications - must use the [`'session'`][] event (it also works for TLSv1.2 and below). - --### `tlsSocket.getSharedSigalgs()` -- -- --* Returns: {Array} List of signature algorithms shared between the server and --the client in the order of decreasing preference. -- --See --[SSL_get_shared_sigalgs](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html) --for more information. -- - ### `tlsSocket.exportKeyingMaterial(length, label[, context])` - - --Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for --TLSv1.3. -+Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. - - ### `--tls-min-v1.0` - +- +-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support +-for TLSv1.3. +- + ### `--tls-min-v1.0` + +- +-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support +-for TLSv1.2, which is not as secure as TLSv1.3. +- + ### `--trace-deprecation` +