From f0ceb11029a7ed49f8893ad80a54e1ed6d738f8e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jul 28 2021 07:40:39 +0000
Subject: import rh-nodejs14-nodejs-14.17.2-1.el7


---

diff --git a/.gitignore b/.gitignore
index a69187d..1e77ba2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/node-ssl-shim-6fc0b05.tar.gz
-SOURCES/node-v14.16.0-stripped.tar.gz
+SOURCES/node-ssl-shim-70e39fd.tar.gz
+SOURCES/node-v14.17.2-stripped.tar.gz
diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata
index 3380149..92f4234 100644
--- a/.rh-nodejs14-nodejs.metadata
+++ b/.rh-nodejs14-nodejs.metadata
@@ -1,2 +1,2 @@
-9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz
-f29df6df94e384907adc5c6353eeb6261ad4833e SOURCES/node-v14.16.0-stripped.tar.gz
+a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
+2153195b43725df008e9edf540c5acb3405c00ae SOURCES/node-v14.17.2-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
index 44aeb62..b026050 100644
--- a/SOURCES/0001-Link-with-ssl-shim.patch
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -1,4 +1,4 @@
-From 464d38829f78ac9858ce691af34ae04623865aeb Mon Sep 17 00:00:00 2001
+From 17d303f0b77132f0676c259515abef8e83a688e3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Tue, 28 Apr 2020 11:15:24 +0200
 Subject: [PATCH] Link with ssl-shim
@@ -35,10 +35,10 @@ index 43dbda7bbf..070f212d96 100644
      }],
  
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index ed886abd74..6118829b43 100644
+index bd40705e6b..dbef9d42f0 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -1155,7 +1155,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
+@@ -1158,7 +1158,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
  
  void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
    // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
@@ -61,5 +61,5 @@ index bef98b3e24..d46730c9ba 100644
  namespace crypto {
  
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
index 33535c7..bbdc0af 100644
--- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -1,6 +1,6 @@
-From 79ea1491a221b2c87384f47f125df1544b11c97a Mon Sep 17 00:00:00 2001
+From ea610f38a05ca2b256e1f8b1d0dd8b33abc521ec Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Tue, 5 Jan 2021 11:33:47 +0100
+Date: Wed, 7 Jul 2021 13:37:46 +0200
 Subject: [PATCH] Use OpenSSL 1.0 API
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -36,10 +36,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  4 files changed, 41 insertions(+), 3 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 6118829b43..77940f0dea 100644
+index dbef9d42f0..c9de7d8a19 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -124,7 +124,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
+@@ -127,7 +127,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
  template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
  template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
      SSL* s,
@@ -51,7 +51,7 @@ index 6118829b43..77940f0dea 100644
      int len,
      int* copy);
  template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
-@@ -1766,7 +1770,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
+@@ -1769,7 +1773,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
  
  template <class Base>
  SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
@@ -63,7 +63,7 @@ index 6118829b43..77940f0dea 100644
                                                 int len,
                                                 int* copy) {
    Base* w = static_cast<Base*>(SSL_get_app_data(s));
-@@ -5895,9 +5903,23 @@ struct PBKDF2Job : public CryptoJob {
+@@ -5898,9 +5906,23 @@ struct PBKDF2Job : public CryptoJob {
    }
  
    inline void DoThreadPoolWork() override {
@@ -143,5 +143,5 @@ index 6473b652ac..da1033fdef 100644
  
  StackOfX509 CloneSSLCerts(X509Pointer&& cert,
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
index f505435..fd3dc6b 100644
--- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
+++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
@@ -1,6 +1,6 @@
-From 4f4ff18447ce5a4114d328d2e6175aae0b35b0fc Mon Sep 17 00:00:00 2001
+From 68c182525ba6d8289fcc58536373c51f9d20f07e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Tue, 5 Jan 2021 11:35:07 +0100
+Date: Wed, 7 Jul 2021 13:37:47 +0200
 Subject: [PATCH] Backport necessary OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -36,17 +36,26 @@ Content-Transfer-Encoding: 8bit
   This commit is probably a good candidate for inclusion in the shim,
   although probably as some sort of extras – it is not trivial!
 
+- Setup ECDHE curve negotiation
+
+  - SSL_OP_SINGLE_ECDH_USE is no-op and default in OpenSSL 1.1,
+    but should be specified in OpenSSL 1.0
+  - SSL_CTX_set_ecdh_auto() is presumably the same case;
+    does not even exist in OpenSSL 1.1
+
+  Without this setup, ECDHE curve negotiation is broken: rhbz#1910749
+
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
- src/node_crypto.cc | 192 +++++++++++++++++++++++++++++++++++++++------
+ src/node_crypto.cc | 196 +++++++++++++++++++++++++++++++++++++++------
  src/node_crypto.h  |  14 ++++
- 2 files changed, 180 insertions(+), 26 deletions(-)
+ 2 files changed, 184 insertions(+), 26 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 77940f0dea..ff562e3563 100644
+index c9de7d8a19..31e8276e97 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -538,6 +538,11 @@ inline void SecureContext::Reset() {
+@@ -541,6 +541,11 @@ inline void SecureContext::Reset() {
    ctx_.reset();
    cert_.reset();
    issuer_.reset();
@@ -58,7 +67,7 @@ index 77940f0dea..ff562e3563 100644
  }
  
  SecureContext::~SecureContext() {
-@@ -551,7 +556,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
+@@ -554,7 +559,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
  
  // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
  // Node.js doesn't, so pin the max to what we do support.
@@ -70,7 +79,7 @@ index 77940f0dea..ff562e3563 100644
  
  void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -606,38 +615,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+@@ -609,38 +618,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
        max_version = MAX_SUPPORTED_VERSION;
        method = TLS_client_method();
      } else if (sslmethod == "TLSv1_method") {
@@ -118,7 +127,7 @@ index 77940f0dea..ff562e3563 100644
      } else {
        const std::string msg("Unknown method: ");
        THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, (msg + * sslmethod).c_str());
-@@ -667,8 +661,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+@@ -670,8 +664,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
                                   SSL_SESS_CACHE_NO_INTERNAL |
                                   SSL_SESS_CACHE_NO_AUTO_CLEAR);
  
@@ -133,7 +142,18 @@ index 77940f0dea..ff562e3563 100644
  
    // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
    // exposed in the public API. To retain compatibility, install a callback
-@@ -1264,6 +1264,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
+@@ -1216,6 +1216,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
+   THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "ECDH curve name");
+ 
+   node::Utf8Value curve(env->isolate(), args[0]);
++#if OPENSSL_IS_LEGACY
++  SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_SINGLE_ECDH_USE);
++  SSL_CTX_set_ecdh_auto(sc->ctx_.get(), 1);
++#endif
+ 
+   if (strcmp(*curve, "auto") == 0)
+     return;
+@@ -1267,6 +1271,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
      return env->ThrowTypeError("Error setting temp DH parameter");
  }
  
@@ -199,7 +219,7 @@ index 77940f0dea..ff562e3563 100644
  
  void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -1274,7 +1333,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1277,7 +1340,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -212,7 +232,7 @@ index 77940f0dea..ff562e3563 100644
  }
  
  
-@@ -1287,7 +1351,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1290,7 +1358,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -225,7 +245,7 @@ index 77940f0dea..ff562e3563 100644
  }
  
  
-@@ -1298,7 +1367,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1301,7 +1374,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -237,7 +257,7 @@ index 77940f0dea..ff562e3563 100644
    args.GetReturnValue().Set(static_cast<uint32_t>(version));
  }
  
-@@ -1310,11 +1383,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1313,11 +1390,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -253,7 +273,7 @@ index 77940f0dea..ff562e3563 100644
  void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
    ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
-@@ -6870,8 +6946,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
+@@ -6873,8 +6953,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
        CRYPTO_memcmp(buf1.data(), buf2.data(), buf1.length()) == 0);
  }
  
@@ -353,5 +373,5 @@ index dbc46fbec8..d27125042b 100644
  
  // SSLWrap implicitly depends on the inheriting class' handle having an
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
index 749dc53..11588db 100644
--- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
+++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
@@ -1,6 +1,6 @@
-From f572d6ca73ec03c232fe0d4273ba5dc2e4329bd7 Mon Sep 17 00:00:00 2001
+From e7e0a4fc073b3d17fcdee6cebea74f1aae4e6f69 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Tue, 5 Jan 2021 11:35:51 +0100
+Date: Wed, 7 Jul 2021 13:37:48 +0200
 Subject: [PATCH] Disable unsupported OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -41,10 +41,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
 
 diff --git a/doc/api/cli.md b/doc/api/cli.md
-index 3c39689c62..a337ce69a1 100644
+index 6e0702498a..a8ef339430 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
-@@ -806,14 +806,6 @@ added:
+@@ -813,14 +813,6 @@ added:
  Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
  TLSv1.3.
  
@@ -59,7 +59,7 @@ index 3c39689c62..a337ce69a1 100644
  ### `--tls-min-v1.0`
  <!-- YAML
  added:
-@@ -845,14 +837,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
+@@ -852,14 +844,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
  12.x and later, but the option is supported for compatibility with older Node.js
  versions.
  
@@ -74,7 +74,7 @@ index 3c39689c62..a337ce69a1 100644
  ### `--trace-atomics-wait`
  <!-- YAML
  added: v14.3.0
-@@ -1270,11 +1254,9 @@ Node.js options that are allowed are:
+@@ -1298,11 +1282,9 @@ Node.js options that are allowed are:
  * `--tls-cipher-list`
  * `--tls-keylog`
  * `--tls-max-v1.2`
@@ -87,10 +87,10 @@ index 3c39689c62..a337ce69a1 100644
  * `--trace-deprecation`
  * `--trace-event-categories`
 diff --git a/doc/api/tls.md b/doc/api/tls.md
-index 9a7ea7ee04..10aa912ab3 100644
+index 055ba472b5..f286e9f7ee 100644
 --- a/doc/api/tls.md
 +++ b/doc/api/tls.md
-@@ -1966,10 +1966,10 @@ added: v11.4.0
+@@ -1970,10 +1970,10 @@ added: v11.4.0
  
  * {string} The default value of the `maxVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -105,7 +105,7 @@ index 9a7ea7ee04..10aa912ab3 100644
    highest maximum is used.
  
  ## `tls.DEFAULT_MIN_VERSION`
-@@ -1979,12 +1979,11 @@ added: v11.4.0
+@@ -1983,12 +1983,11 @@ added: v11.4.0
  
  * {string} The default value of the `minVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -122,7 +122,7 @@ index 9a7ea7ee04..10aa912ab3 100644
  [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
  [DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
 diff --git a/src/env.h b/src/env.h
-index f89365a1aa..0ff62672bd 100644
+index 1e930170bc..d990212241 100644
 --- a/src/env.h
 +++ b/src/env.h
 @@ -50,6 +50,8 @@
@@ -148,7 +148,7 @@ index f89365a1aa..0ff62672bd 100644
  // Private symbols are per-isolate primitives but Environment proxies them
  // for the sake of convenience.  Strings should be ASCII-only and have a
  // "node:" prefix to avoid name clashes with third-party code.
-@@ -361,7 +370,7 @@ constexpr size_t kFsStatsBufferLength =
+@@ -363,7 +372,7 @@ constexpr size_t kFsStatsBufferLength =
    V(sni_context_string, "sni_context")                                         \
    V(source_string, "source")                                                   \
    V(stack_string, "stack")                                                     \
@@ -285,7 +285,7 @@ index c373a97e47..220cb109bc 100644
  v8::MaybeLocal<v8::Value> GetCipherVersion(
      Environment* env,
 diff --git a/src/node_options.cc b/src/node_options.cc
-index e7dc220f5c..c708597a0c 100644
+index 3c9fe815df..010232940a 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -9,6 +9,8 @@
@@ -310,7 +310,7 @@ index e7dc220f5c..c708597a0c 100644
  
  #if HAVE_INSPECTOR
    if (!cpu_prof) {
-@@ -526,14 +530,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -537,14 +541,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
              &EnvironmentOptions::tls_min_v1_2,
              kAllowedInEnvironment);
@@ -329,7 +329,7 @@ index e7dc220f5c..c708597a0c 100644
    // Current plan is:
    // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
    // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
-@@ -542,6 +549,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -553,6 +560,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
              &EnvironmentOptions::tls_max_v1_3,
              kAllowedInEnvironment);
@@ -350,5 +350,5 @@ similarity index 100%
 rename from test/parallel/test-tls-cli-min-version-1.3.js
 rename to test/known_issues/test-tls-cli-min-version-1.3.js
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/0005-Adjust-tests-expectations.patch b/SOURCES/0005-Adjust-tests-expectations.patch
index dc09d73..951251b 100644
--- a/SOURCES/0005-Adjust-tests-expectations.patch
+++ b/SOURCES/0005-Adjust-tests-expectations.patch
@@ -1,6 +1,6 @@
-From d262e378ca48cf6a893a9dbc5ed5ec83b1adacbc Mon Sep 17 00:00:00 2001
+From 457d00cf1d7d4e60f8986c3ec0c1da8afb58e7f6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Tue, 5 Jan 2021 11:36:29 +0100
+Date: Wed, 7 Jul 2021 13:37:49 +0200
 Subject: [PATCH] Adjust tests expectations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -16,7 +16,7 @@ Content-Transfer-Encoding: 8bit
 
 - tls-dhe: Do not hang on unexpected cipher
 
-- util-inspect: Adjust expected identification of external JSStream
+- Adjust expected identification of external JSStream
 
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
@@ -239,7 +239,7 @@ index 7ef0f12426..4fcb9247d3 100644
      // TLS1.3 client hellos are are not understood by TLS1.1 or below.
      test(U, U, U, U, U, 'TLSv1_method',
 diff --git a/test/parallel/test-util-inspect.js b/test/parallel/test-util-inspect.js
-index 9187af18da..53e0840f5c 100644
+index ee67d2e79a..f11bfc20b5 100644
 --- a/test/parallel/test-util-inspect.js
 +++ b/test/parallel/test-util-inspect.js
 @@ -148,7 +148,7 @@ assert.strictEqual(
@@ -252,5 +252,5 @@ index 9187af18da..53e0840f5c 100644
  {
    const regexp = /regexp/;
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
index 34f5131..c943aa9 100644
--- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch
+++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
@@ -1,6 +1,6 @@
-From fdb39348a2f6c55fbdcaf8f88eaf3262ee8106a0 Mon Sep 17 00:00:00 2001
+From 8ee31149e63d15d26d4262eb0292bd81e389fbc8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Tue, 5 Jan 2021 11:38:28 +0100
+Date: Wed, 7 Jul 2021 13:37:50 +0200
 Subject: [PATCH] Disable tests for unsupported features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -807,5 +807,5 @@ index 4bcdf36860..0642e18d5e 100644
  test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
  // Recognized user but incorrect secret should fail handshake
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch
index ae7a16e..a1c6861 100644
--- a/SOURCES/0007-Disable-tests-for-known-issues.patch
+++ b/SOURCES/0007-Disable-tests-for-known-issues.patch
@@ -1,6 +1,6 @@
-From 4276326db77bc9012d8e73ed90f0c3e4c502b57a Mon Sep 17 00:00:00 2001
+From efc423d824250592d2236d9ff7f3b46b9ba9f909 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Tue, 5 Jan 2021 11:38:49 +0100
+Date: Wed, 7 Jul 2021 13:37:50 +0200
 Subject: [PATCH] Disable tests for known issues
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -216,5 +216,5 @@ index 8fb15d3ba5..2fc22ca477 100644
    expect(opt, want, command, wantsError, false);
  }
 -- 
-2.29.2
+2.31.1
 
diff --git a/SOURCES/always-available-fips-options.patch b/SOURCES/always-available-fips-options.patch
new file mode 100644
index 0000000..26d4853
--- /dev/null
+++ b/SOURCES/always-available-fips-options.patch
@@ -0,0 +1,624 @@
+From 7c7f5159fcc71d915dfcc5f97ab18d5f8912f1b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
+Date: Tue, 25 Aug 2020 14:04:54 +0200
+Subject: [PATCH] crypto: make FIPS related options always awailable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is no reason to hide FIPS functionality behind build flags.
+OpenSSL always provide the information about FIPS availability via
+`FIPS_mode()` function.
+
+This makes the user experience more consistent, because the OpenSSL
+library is always queried and the `crypto.getFips()` always returns
+OpenSSL settings.
+
+Fixes #34903
+
+PR-URL: https://github.com/nodejs/node/pull/36341
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Michael Dawson <midawson@redhat.com>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+Signed-off-by: rpm-build <rpm-build>
+---
+ doc/api/cli.md                                |  8 +--
+ lib/crypto.js                                 | 22 ++----
+ node.gypi                                     |  3 -
+ src/node.cc                                   |  6 +-
+ src/node_config.cc                            |  2 -
+ src/node_crypto.cc                            | 45 +++++++-----
+ src/node_options.cc                           |  2 -
+ src/node_options.h                            |  2 -
+ test/parallel/test-cli-node-print-help.js     |  7 +-
+ test/parallel/test-crypto-fips.js             | 71 +++++++++----------
+ ...rocess-env-allowed-flags-are-documented.js | 11 +--
+ 11 files changed, 74 insertions(+), 105 deletions(-)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index a8ef339..c41bd49 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -182,8 +182,8 @@ code from strings throw an exception instead. This does not affect the Node.js
+ added: v6.0.0
+ -->
+ 
+-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
+-`./configure --openssl-fips`.)
++Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
++against FIPS-compatible OpenSSL.)
+ 
+ ### `--enable-source-maps`
+ <!-- YAML
+@@ -543,8 +543,8 @@ added: v6.9.0
+ -->
+ 
+ Load an OpenSSL configuration file on startup. Among other uses, this can be
+-used to enable FIPS-compliant crypto if Node.js is built with
+-`./configure --openssl-fips`.
++used to enable FIPS-compliant crypto if Node.js is built
++against FIPS-enabled OpenSSL.
+ 
+ ### `--pending-deprecation`
+ <!-- YAML
+diff --git a/lib/crypto.js b/lib/crypto.js
+index a41b02d..5c15ab3 100644
+--- a/lib/crypto.js
++++ b/lib/crypto.js
+@@ -37,12 +37,10 @@ assertCrypto();
+ 
+ const {
+   ERR_CRYPTO_FIPS_FORCED,
+-  ERR_CRYPTO_FIPS_UNAVAILABLE
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+ const { getOptionValue } = require('internal/options');
+ const pendingDeprecation = getOptionValue('--pending-deprecation');
+-const { fipsMode } = internalBinding('config');
+ const fipsForced = getOptionValue('--force-fips');
+ const {
+   getFipsCrypto,
+@@ -193,10 +191,8 @@ module.exports = {
+   sign: signOneShot,
+   setEngine,
+   timingSafeEqual,
+-  getFips: !fipsMode ? getFipsDisabled :
+-    fipsForced ? getFipsForced : getFipsCrypto,
+-  setFips: !fipsMode ? setFipsDisabled :
+-    fipsForced ? setFipsForced : setFipsCrypto,
++  getFips: fipsForced ? getFipsForced : getFipsCrypto,
++  setFips: fipsForced ? setFipsForced : setFipsCrypto,
+   verify: verifyOneShot,
+ 
+   // Classes
+@@ -215,19 +211,11 @@ module.exports = {
+   Verify
+ };
+ 
+-function setFipsDisabled() {
+-  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
+-}
+-
+ function setFipsForced(val) {
+   if (val) return;
+   throw new ERR_CRYPTO_FIPS_FORCED();
+ }
+ 
+-function getFipsDisabled() {
+-  return 0;
+-}
+-
+ function getFipsForced() {
+   return 1;
+ }
+@@ -249,10 +237,8 @@ ObjectDefineProperties(module.exports, {
+   },
+   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
+   fips: {
+-    get: !fipsMode ? getFipsDisabled :
+-      fipsForced ? getFipsForced : getFipsCrypto,
+-    set: !fipsMode ? setFipsDisabled :
+-      fipsForced ? setFipsForced : setFipsCrypto
++    get: fipsForced ? getFipsForced : getFipsCrypto,
++    set: fipsForced ? setFipsForced : setFipsCrypto
+   },
+   DEFAULT_ENCODING: {
+     enumerable: false,
+diff --git a/node.gypi b/node.gypi
+index 070f212..45f6a9f 100644
+--- a/node.gypi
++++ b/node.gypi
+@@ -319,9 +319,6 @@
+     [ 'node_use_openssl=="true"', {
+       'defines': [ 'HAVE_OPENSSL=1' ],
+       'conditions': [
+-        ['openssl_fips != "" or openssl_is_fips=="true"', {
+-          'defines': [ 'NODE_FIPS_MODE' ],
+-        }],
+         [ 'node_shared_openssl=="false"', {
+           'dependencies': [
+             './deps/openssl/openssl.gyp:openssl',
+diff --git a/src/node.cc b/src/node.cc
+index 905afd8..c04d199 100644
+--- a/src/node.cc
++++ b/src/node.cc
+@@ -1035,11 +1035,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
+     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+       crypto::UseExtraCaCerts(extra_ca_certs);
+   }
+-#ifdef NODE_FIPS_MODE
+   // In the case of FIPS builds we should make sure
+   // the random source is properly initialized first.
+-  OPENSSL_init();
+-#endif  // NODE_FIPS_MODE
++  if (FIPS_mode()) {
++    OPENSSL_init();
++  }
+   // V8 on Windows doesn't have a good source of entropy. Seed it from
+   // OpenSSL's pool.
+   V8::SetEntropySource(crypto::EntropySource);
+diff --git a/src/node_config.cc b/src/node_config.cc
+index 6ee3164..e229eee 100644
+--- a/src/node_config.cc
++++ b/src/node_config.cc
+@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
+   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
+ #endif  // HAVE_OPENSSL
+ 
+-#ifdef NODE_FIPS_MODE
+   READONLY_TRUE_PROPERTY(target, "fipsMode");
+-#endif
+ 
+ #ifdef NODE_HAVE_I18N_SUPPORT
+ 
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 31e8276..721c9d1 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -51,6 +51,11 @@
+ #include <openssl/hmac.h>
+ #include <openssl/rand.h>
+ #include <openssl/pkcs12.h>
++// The FIPS-related functions are only available
++// when the OpenSSL itself was compiled with FIPS support.
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif // OPENSSL_FIPS
+ 
+ #include <cerrno>
+ #include <climits>  // INT_MAX
+@@ -101,6 +106,7 @@ using v8::String;
+ using v8::Uint32;
+ using v8::Uint8Array;
+ using v8::Undefined;
++using v8::TryCatch;
+ using v8::Value;
+ 
+ #ifdef OPENSSL_NO_OCB
+@@ -3706,12 +3712,10 @@ void CipherBase::Init(const char* cipher_type,
+   HandleScope scope(env()->isolate());
+   MarkPopErrorOnReturn mark_pop_error_on_return;
+ 
+-#ifdef NODE_FIPS_MODE
+   if (FIPS_mode()) {
+     return env()->ThrowError(
+         "crypto.createCipher() is not supported in FIPS mode.");
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
+   if (cipher == nullptr)
+@@ -3897,13 +3901,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
+       return false;
+     }
+ 
+-#ifdef NODE_FIPS_MODE
+     // TODO(tniessen) Support CCM decryption in FIPS mode
+     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
+       env()->ThrowError("CCM decryption not supported in FIPS mode");
+       return false;
+     }
+-#endif
+ 
+     // Tell OpenSSL about the desired length.
+     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
+@@ -4778,7 +4780,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
+ }
+ 
+ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+-#ifdef NODE_FIPS_MODE
+   /* Validate DSA2 parameters from FIPS 186-4 */
+   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
+     DSA* dsa = EVP_PKEY_get0_DSA(key);
+@@ -4794,7 +4795,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+            (L == 2048 && N == 256) ||
+            (L == 3072 && N == 256);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   return true;
+ }
+@@ -7032,7 +7032,6 @@ void InitCryptoOnce() {
+   settings = nullptr;
+ #endif
+ 
+-#ifdef NODE_FIPS_MODE
+   /* Override FIPS settings in cnf file, if needed. */
+   unsigned long err = 0;  // NOLINT(runtime/int)
+   if (per_process::cli_options->enable_fips_crypto ||
+@@ -7042,12 +7041,10 @@ void InitCryptoOnce() {
+     }
+   }
+   if (0 != err) {
+-    fprintf(stderr,
+-            "openssl fips failed: %s\n",
+-            ERR_error_string(err, nullptr));
+-    UNREACHABLE();
++      auto* isolate = Isolate::GetCurrent();
++      auto* env = Environment::GetCurrent(isolate);
++      return ThrowCryptoError(env, err);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+ 
+   // Turn off compression. Saves memory and protects against CRIME attacks.
+@@ -7093,7 +7090,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
+ }
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
+ }
+@@ -7111,7 +7107,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+     return ThrowCryptoError(env, err);
+   }
+ }
+-#endif /* NODE_FIPS_MODE */
++
++void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
++#ifdef OPENSSL_FIPS
++  const auto enabled = FIPS_selftest() ? 1 : 0;
++#else  // OPENSSL_FIPS
++  const auto enabled = 0;
++#endif  // OPENSSL_FIPS
++
++  args.GetReturnValue().Set(enabled);
++}
+ 
+ namespace {
+ // SecureBuffer uses openssl to allocate a Uint8Array using
+@@ -7147,10 +7152,17 @@ void Initialize(Local<Object> target,
+                 Local<Value> unused,
+                 Local<Context> context,
+                 void* priv) {
++  Environment* env = Environment::GetCurrent(context);
++
+   static uv_once_t init_once = UV_ONCE_INIT;
++  TryCatch try_catch{env->isolate()};
+   uv_once(&init_once, InitCryptoOnce);
+ 
+-  Environment* env = Environment::GetCurrent(context);
++  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
++    try_catch.ReThrow();
++    return;
++  }
++
+   SecureContext::Initialize(env, target);
+   target->Set(env->context(),
+             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
+@@ -7179,10 +7191,9 @@ void Initialize(Local<Object> target,
+   env->SetMethod(target, "setEngine", SetEngine);
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
+   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
+-#endif
++  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
+ 
+   env->SetMethod(target, "pbkdf2", PBKDF2);
+   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 0102329..1ad44f4 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -753,7 +753,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             &PerProcessOptions::ssl_openssl_cert_store);
+   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
+   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
+-#if NODE_FIPS_MODE
+   AddOption("--enable-fips",
+             "enable FIPS crypto at startup",
+             &PerProcessOptions::enable_fips_crypto,
+@@ -762,7 +761,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             "force FIPS crypto (cannot be disabled)",
+             &PerProcessOptions::force_fips_crypto,
+             kAllowedInEnvironment);
+-#endif
+ #endif
+   AddOption("--use-largepages",
+             "Map the Node.js static code to large pages. Options are "
+diff --git a/src/node_options.h b/src/node_options.h
+index 58a21e0..f22b254 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -243,10 +243,8 @@ class PerProcessOptions : public Options {
+ #endif
+   bool use_openssl_ca = false;
+   bool use_bundled_ca = false;
+-#if NODE_FIPS_MODE
+   bool enable_fips_crypto = false;
+   bool force_fips_crypto = false;
+-#endif
+ #endif
+ 
+   // Per-process because reports can be triggered outside a known V8 context.
+diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
+index ab8cd10..7e7c77f 100644
+--- a/test/parallel/test-cli-node-print-help.js
++++ b/test/parallel/test-cli-node-print-help.js
+@@ -8,8 +8,6 @@ const common = require('../common');
+ 
+ const assert = require('assert');
+ const { exec } = require('child_process');
+-const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
+ let stdOut;
+ 
+ 
+@@ -28,9 +26,8 @@ function validateNodePrintHelp() {
+   const cliHelpOptions = [
+     { compileConstant: HAVE_OPENSSL,
+       flags: [ '--openssl-config=...', '--tls-cipher-list=...',
+-               '--use-bundled-ca', '--use-openssl-ca' ] },
+-    { compileConstant: fipsMode,
+-      flags: [ '--enable-fips', '--force-fips' ] },
++               '--use-bundled-ca', '--use-openssl-ca',
++               '--enable-fips', '--force-fips' ] },
+     { compileConstant: NODE_HAVE_I18N_SUPPORT,
+       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
+     { compileConstant: HAVE_INSPECTOR,
+diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
+index eae3134..a1ed645 100644
+--- a/test/parallel/test-crypto-fips.js
++++ b/test/parallel/test-crypto-fips.js
+@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
+ const path = require('path');
+ const fixtures = require('../common/fixtures');
+ const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
++const { testFipsCrypto } = internalBinding('crypto');
+ 
+ const FIPS_ENABLED = 1;
+ const FIPS_DISABLED = 0;
+-const FIPS_ERROR_STRING =
+-  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
+-  'non-FIPS build.';
+ const FIPS_ERROR_STRING2 =
+   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
+   '--force-fips at startup.';
+-const OPTION_ERROR_STRING = 'bad option';
++const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
+ 
+ const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
+ const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
+ 
+ let num_children_ok = 0;
+ 
+-function compiledWithFips() {
+-  return fipsMode ? true : false;
+-}
+-
+ function sharedOpenSSL() {
+   return process.config.variables.node_shared_openssl;
+ }
+@@ -75,17 +68,17 @@ testHelper(
+ 
+ // --enable-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // --force-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     process.env);
+ 
+@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
+ 
+@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ }
+@@ -136,50 +129,50 @@ testHelper(
+ 
+ // --enable-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // OPENSSL_CONF should _not_ make a difference to --enable-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // --force-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // Using OPENSSL_CONF should not make a difference to --force-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // setFipsCrypto should be able to turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto should be able to turn FIPS mode on and off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+@@ -187,27 +180,27 @@ testHelper(
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [`--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  'stdout',
+   [`--openssl-config=${CNF_FIPS_ON}`],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  FIPS_DISABLED,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // --enable-fips does not prevent use of setFipsCrypto API
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -216,15 +209,15 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+ // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -233,7 +226,7 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips', '--enable-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+@@ -241,6 +234,6 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--enable-fips', '--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 1c91444..1d1605d 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -45,17 +45,8 @@ const conditionalOpts = [
+     include: common.hasCrypto,
+     filter: (opt) => {
+       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
+-              '--use-openssl-ca' ].includes(opt);
++              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
+     }
+-  }, {
+-    // We are using openssl_is_fips from the configuration because it could be
+-    // the case that OpenSSL is FIPS compatible but fips has not been enabled
+-    // (starting node with --enable-fips). If we use common.hasFipsCrypto
+-    // that would only tells us if fips has been enabled, but in this case we
+-    // want to check options which will be available regardless of whether fips
+-    // is enabled at runtime or not.
+-    include: process.config.variables.openssl_is_fips,
+-    filter: (opt) => opt.includes('-fips')
+   }, {
+     include: common.hasIntl,
+     filter: (opt) => opt === '--icu-data-dir'
+-- 
+2.31.1
+
diff --git a/SOURCES/deps-Remove-statx-from-libuv.patch b/SOURCES/deps-Remove-statx-from-libuv.patch
index 57de552..5c3d1d8 100644
--- a/SOURCES/deps-Remove-statx-from-libuv.patch
+++ b/SOURCES/deps-Remove-statx-from-libuv.patch
@@ -1,20 +1,20 @@
-From ba78c957478bdd5de98c6ad5d16eff9771275360 Mon Sep 17 00:00:00 2001
+From 001fe660b97e1be78622932d5b497f8415e8f7a0 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Wed, 19 Feb 2020 10:32:33 +0000
 Subject: [PATCH] deps: Remove statx from libuv
 
 Signed-off-by: rpm-build <rpm-build>
 ---
- deps/uv/src/unix/fs.c             | 91 -------------------------------
- deps/uv/src/unix/linux-syscalls.c | 32 -----------
+ deps/uv/src/unix/fs.c             | 92 -------------------------------
+ deps/uv/src/unix/linux-syscalls.c | 29 ----------
  deps/uv/src/unix/linux-syscalls.h | 35 ------------
- 3 files changed, 158 deletions(-)
+ 3 files changed, 156 deletions(-)
 
 diff --git a/deps/uv/src/unix/fs.c b/deps/uv/src/unix/fs.c
-index 87cb8b8..0a85307 100644
+index fd7ae08..04d5f0b 100644
 --- a/deps/uv/src/unix/fs.c
 +++ b/deps/uv/src/unix/fs.c
-@@ -1370,93 +1370,10 @@ static void uv__to_stat(struct stat* src, uv_stat_t* dst) {
+@@ -1400,94 +1400,10 @@ static void uv__to_stat(struct stat* src, uv_stat_t* dst) {
  }
  
  
@@ -55,8 +55,9 @@ index 87cb8b8..0a85307 100644
 -  case -1:
 -    /* EPERM happens when a seccomp filter rejects the system call.
 -     * Has been observed with libseccomp < 2.3.3 and docker < 18.04.
+-     * EOPNOTSUPP is used on DVS exported filesystems
 -     */
--    if (errno != EINVAL && errno != EPERM && errno != ENOSYS)
+-    if (errno != EINVAL && errno != EPERM && errno != ENOSYS && errno != EOPNOTSUPP)
 -      return -1;
 -    /* Fall through. */
 -  default:
@@ -69,12 +70,12 @@ index 87cb8b8..0a85307 100644
 -    return UV_ENOSYS;
 -  }
 -
--  buf->st_dev = 256 * statxbuf.stx_dev_major + statxbuf.stx_dev_minor;
+-  buf->st_dev = makedev(statxbuf.stx_dev_major, statxbuf.stx_dev_minor);
 -  buf->st_mode = statxbuf.stx_mode;
 -  buf->st_nlink = statxbuf.stx_nlink;
 -  buf->st_uid = statxbuf.stx_uid;
 -  buf->st_gid = statxbuf.stx_gid;
--  buf->st_rdev = statxbuf.stx_rdev_major;
+-  buf->st_rdev = makedev(statxbuf.stx_rdev_major, statxbuf.stx_rdev_minor);
 -  buf->st_ino = statxbuf.stx_ino;
 -  buf->st_size = statxbuf.stx_size;
 -  buf->st_blksize = statxbuf.stx_blksize;
@@ -108,7 +109,7 @@ index 87cb8b8..0a85307 100644
    ret = stat(path, &pbuf);
    if (ret == 0)
      uv__to_stat(&pbuf, buf);
-@@ -1469,10 +1386,6 @@ static int uv__fs_lstat(const char *path, uv_stat_t *buf) {
+@@ -1500,10 +1416,6 @@ static int uv__fs_lstat(const char *path, uv_stat_t *buf) {
    struct stat pbuf;
    int ret;
  
@@ -119,7 +120,7 @@ index 87cb8b8..0a85307 100644
    ret = lstat(path, &pbuf);
    if (ret == 0)
      uv__to_stat(&pbuf, buf);
-@@ -1485,10 +1398,6 @@ static int uv__fs_fstat(int fd, uv_stat_t *buf) {
+@@ -1516,10 +1428,6 @@ static int uv__fs_fstat(int fd, uv_stat_t *buf) {
    struct stat pbuf;
    int ret;
  
@@ -131,10 +132,10 @@ index 87cb8b8..0a85307 100644
    if (ret == 0)
      uv__to_stat(&pbuf, buf);
 diff --git a/deps/uv/src/unix/linux-syscalls.c b/deps/uv/src/unix/linux-syscalls.c
-index 160056b..e41f8c9 100644
+index 5071cd5..9bf67e9 100644
 --- a/deps/uv/src/unix/linux-syscalls.c
 +++ b/deps/uv/src/unix/linux-syscalls.c
-@@ -112,22 +112,6 @@
+@@ -108,22 +108,6 @@
  # endif
  #endif /* __NR_copy_file_range */
  
@@ -157,7 +158,7 @@ index 160056b..e41f8c9 100644
  #ifndef __NR_getrandom
  # if defined(__x86_64__)
  #  define __NR_getrandom 318
-@@ -220,22 +204,6 @@ uv__fs_copy_file_range(int fd_in,
+@@ -242,19 +226,6 @@ uv__fs_copy_file_range(int fd_in,
  }
  
  
@@ -166,22 +167,19 @@ index 160056b..e41f8c9 100644
 -              int flags,
 -              unsigned int mask,
 -              struct uv__statx* statxbuf) {
--  /* __NR_statx make Android box killed by SIGSYS.
--   * That looks like a seccomp2 sandbox filter rejecting the system call.
--   */
--#if defined(__NR_statx) && !defined(__ANDROID__)
--  return syscall(__NR_statx, dirfd, path, flags, mask, statxbuf);
--#else
+-#if !defined(__NR_statx) || defined(__ANDROID_API__) && __ANDROID_API__ < 30
 -  return errno = ENOSYS, -1;
+-#else
+-  return syscall(__NR_statx, dirfd, path, flags, mask, statxbuf);
 -#endif
 -}
 -
 -
  ssize_t uv__getrandom(void* buf, size_t buflen, unsigned flags) {
- #if defined(__NR_getrandom)
-   return syscall(__NR_getrandom, buf, buflen, flags);
+ #if !defined(__NR_getrandom) || defined(__ANDROID_API__) && __ANDROID_API__ < 28
+   return errno = ENOSYS, -1;
 diff --git a/deps/uv/src/unix/linux-syscalls.h b/deps/uv/src/unix/linux-syscalls.h
-index 761ff32..5dcf3a3 100644
+index c85231f..a14023d 100644
 --- a/deps/uv/src/unix/linux-syscalls.h
 +++ b/deps/uv/src/unix/linux-syscalls.h
 @@ -31,36 +31,6 @@
@@ -222,7 +220,7 @@ index 761ff32..5dcf3a3 100644
  ssize_t uv__pwritev(int fd, const struct iovec *iov, int iovcnt, int64_t offset);
  int uv__dup3(int oldfd, int newfd, int flags);
 @@ -71,11 +41,6 @@ uv__fs_copy_file_range(int fd_in,
-                        ssize_t* off_out,
+                        off_t* off_out,
                         size_t len,
                         unsigned int flags);
 -int uv__statx(int dirfd,
@@ -234,5 +232,5 @@ index 761ff32..5dcf3a3 100644
  
  #endif /* UV_LINUX_SYSCALL_H_ */
 -- 
-2.26.2
+2.31.1
 
diff --git a/SOURCES/deps-y18n-CVE-2020-7774.patch b/SOURCES/deps-y18n-CVE-2020-7774.patch
deleted file mode 100644
index 88a9d75..0000000
--- a/SOURCES/deps-y18n-CVE-2020-7774.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
-index d720681628..727362aac0 100644
---- a/deps/npm/node_modules/y18n/index.js
-+++ b/deps/npm/node_modules/y18n/index.js
-@@ -11,7 +11,7 @@ function Y18N (opts) {
-   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
- 
-   // internal stuff.
--  this.cache = {}
-+  this.cache = Object.create(null)
-   this.writeQueue = []
- }
- 
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 8d7d4cf..46cd366 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -22,8 +22,8 @@
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_major 14
-%global nodejs_minor 16
-%global nodejs_patch 0
+%global nodejs_minor 17
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release 1
@@ -33,14 +33,14 @@
 %global v8_major 8
 %global v8_minor 4
 %global v8_build 371
-%global v8_patch 19
+%global v8_patch 23
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
 
 # c-ares - from deps/cares/include/ares_version.h
 %global c_ares_major 1
-%global c_ares_minor 16
+%global c_ares_minor 17
 %global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
@@ -52,14 +52,13 @@
 
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 40
+%global libuv_minor 41
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-
 %global nghttp2_major 1
-%global nghttp2_minor 41
+%global nghttp2_minor 42
 %global nghttp2_patch 0
 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
 
@@ -72,7 +71,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 11
+%global npm_patch 13
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -120,7 +119,7 @@ Source0: node-v%{nodejs_version}-stripped.tar.gz
 Source100: %{pkg_name}-tarball.sh
 # Use separate shim library to smooth the rough edges of API incompatibility
 # between OpenSSL versions
-Source1: https://github.com/sclorg/node-ssl-shim/archive/6fc0b05d38215f1ea8b9b22c0131c9476628aef1/node-ssl-shim-6fc0b05.tar.gz
+Source1: https://github.com/sclorg/node-ssl-shim/archive/70e39fdc1db4525191acc765f9d524ddb58a1756/node-ssl-shim-70e39fd.tar.gz
 
 # Patches for making nodejs compatible with older openssl
 # Squashed and exported from https://gitlab.cee.redhat.com/nodejs/node
@@ -138,7 +137,8 @@ Patch10: deps-Remove-statx-from-libuv.patch
 # Make icutrim work with python 2
 Patch11: Make-icutrim.py-Python-2-compatible.patch
 
-Patch12: deps-y18n-CVE-2020-7774.patch
+# Always defer to OS when it comes to FIPS
+Patch13: always-available-fips-options.patch
 
 
 %{?scl:Requires: %{scl}-runtime}
@@ -215,7 +215,7 @@ Provides: bundled(%{?scl_prefix}zlib) = %{zlib_version}
 # Bundle uvwasi, since it is not available on RHEL7
 Provides: bundled(%{?scl_prefix}uvwasi) = %{uvwasi_version}
 
-Provides: bundled(%{?scl_prefix}histogram} = %{histogram_version}
+Provides: bundled(%{?scl_prefix}histogram) = %{histogram_version}
 
 # Make sure we keep NPM up to date when we update Node.js
 Requires: %{?scl_prefix}npm = %{npm_version}-%{npm_release}%{?dist}
@@ -466,6 +466,10 @@ python2 tools/test.py "${RUN_SUITES[@]}" || :  # FIXME – disable all failing t
 
 
 %changelog
+* Wed Jul 07 2021 Jan Staněk <jstanek@redhat.com> - 14.17.2-1
+- Rebase to 14.17.2
+- Remove upstreamed deps-y18n-CVE-2020-7774.patch
+
 * Tue Feb 23 2021 Jan Staněk <jstanek@redhat.com> - 14.16.0-1
 - Rebase to 14.16.0
 - Resolves: CVE-2021-22883 CVE-2021-22884