diff --git a/.gitignore b/.gitignore index a69187d..1e77ba2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/node-ssl-shim-6fc0b05.tar.gz -SOURCES/node-v14.16.0-stripped.tar.gz +SOURCES/node-ssl-shim-70e39fd.tar.gz +SOURCES/node-v14.17.2-stripped.tar.gz diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata index 3380149..92f4234 100644 --- a/.rh-nodejs14-nodejs.metadata +++ b/.rh-nodejs14-nodejs.metadata @@ -1,2 +1,2 @@ -9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz -f29df6df94e384907adc5c6353eeb6261ad4833e SOURCES/node-v14.16.0-stripped.tar.gz +a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz +2153195b43725df008e9edf540c5acb3405c00ae SOURCES/node-v14.17.2-stripped.tar.gz diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch index 44aeb62..b026050 100644 --- a/SOURCES/0001-Link-with-ssl-shim.patch +++ b/SOURCES/0001-Link-with-ssl-shim.patch @@ -1,4 +1,4 @@ -From 464d38829f78ac9858ce691af34ae04623865aeb Mon Sep 17 00:00:00 2001 +From 17d303f0b77132f0676c259515abef8e83a688e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= Date: Tue, 28 Apr 2020 11:15:24 +0200 Subject: [PATCH] Link with ssl-shim @@ -35,10 +35,10 @@ index 43dbda7bbf..070f212d96 100644 }], diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index ed886abd74..6118829b43 100644 +index bd40705e6b..dbef9d42f0 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc -@@ -1155,7 +1155,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { +@@ -1158,7 +1158,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { void SecureContext::SetCipherSuites(const FunctionCallbackInfo& args) { // BoringSSL doesn't allow API config of TLS1.3 cipher suites. @@ -61,5 +61,5 @@ index bef98b3e24..d46730c9ba 100644 namespace crypto { -- -2.29.2 +2.31.1 diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch index 33535c7..bbdc0af 100644 --- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch +++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch @@ -1,6 +1,6 @@ -From 79ea1491a221b2c87384f47f125df1544b11c97a Mon Sep 17 00:00:00 2001 +From ea610f38a05ca2b256e1f8b1d0dd8b33abc521ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Tue, 5 Jan 2021 11:33:47 +0100 +Date: Wed, 7 Jul 2021 13:37:46 +0200 Subject: [PATCH] Use OpenSSL 1.0 API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -36,10 +36,10 @@ Signed-off-by: Jan Staněk 4 files changed, 41 insertions(+), 3 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 6118829b43..77940f0dea 100644 +index dbef9d42f0..c9de7d8a19 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc -@@ -124,7 +124,11 @@ template int SSLWrap::SetCACerts(SecureContext* sc); +@@ -127,7 +127,11 @@ template int SSLWrap::SetCACerts(SecureContext* sc); template void SSLWrap::MemoryInfo(MemoryTracker* tracker) const; template SSL_SESSION* SSLWrap::GetSessionCallback( SSL* s, @@ -51,7 +51,7 @@ index 6118829b43..77940f0dea 100644 int len, int* copy); template int SSLWrap::NewSessionCallback(SSL* s, -@@ -1766,7 +1770,11 @@ void SSLWrap::ConfigureSecureContext(SecureContext* sc) { +@@ -1769,7 +1773,11 @@ void SSLWrap::ConfigureSecureContext(SecureContext* sc) { template SSL_SESSION* SSLWrap::GetSessionCallback(SSL* s, @@ -63,7 +63,7 @@ index 6118829b43..77940f0dea 100644 int len, int* copy) { Base* w = static_cast(SSL_get_app_data(s)); -@@ -5895,9 +5903,23 @@ struct PBKDF2Job : public CryptoJob { +@@ -5898,9 +5906,23 @@ struct PBKDF2Job : public CryptoJob { } inline void DoThreadPoolWork() override { @@ -143,5 +143,5 @@ index 6473b652ac..da1033fdef 100644 StackOfX509 CloneSSLCerts(X509Pointer&& cert, -- -2.29.2 +2.31.1 diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch index f505435..fd3dc6b 100644 --- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch +++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch @@ -1,6 +1,6 @@ -From 4f4ff18447ce5a4114d328d2e6175aae0b35b0fc Mon Sep 17 00:00:00 2001 +From 68c182525ba6d8289fcc58536373c51f9d20f07e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Tue, 5 Jan 2021 11:35:07 +0100 +Date: Wed, 7 Jul 2021 13:37:47 +0200 Subject: [PATCH] Backport necessary OpenSSL features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -36,17 +36,26 @@ Content-Transfer-Encoding: 8bit This commit is probably a good candidate for inclusion in the shim, although probably as some sort of extras – it is not trivial! +- Setup ECDHE curve negotiation + + - SSL_OP_SINGLE_ECDH_USE is no-op and default in OpenSSL 1.1, + but should be specified in OpenSSL 1.0 + - SSL_CTX_set_ecdh_auto() is presumably the same case; + does not even exist in OpenSSL 1.1 + + Without this setup, ECDHE curve negotiation is broken: rhbz#1910749 + Signed-off-by: Jan Staněk --- - src/node_crypto.cc | 192 +++++++++++++++++++++++++++++++++++++++------ + src/node_crypto.cc | 196 +++++++++++++++++++++++++++++++++++++++------ src/node_crypto.h | 14 ++++ - 2 files changed, 180 insertions(+), 26 deletions(-) + 2 files changed, 184 insertions(+), 26 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 77940f0dea..ff562e3563 100644 +index c9de7d8a19..31e8276e97 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc -@@ -538,6 +538,11 @@ inline void SecureContext::Reset() { +@@ -541,6 +541,11 @@ inline void SecureContext::Reset() { ctx_.reset(); cert_.reset(); issuer_.reset(); @@ -58,7 +67,7 @@ index 77940f0dea..ff562e3563 100644 } SecureContext::~SecureContext() { -@@ -551,7 +556,11 @@ void SecureContext::New(const FunctionCallbackInfo& args) { +@@ -554,7 +559,11 @@ void SecureContext::New(const FunctionCallbackInfo& args) { // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that // Node.js doesn't, so pin the max to what we do support. @@ -70,7 +79,7 @@ index 77940f0dea..ff562e3563 100644 void SecureContext::Init(const FunctionCallbackInfo& args) { SecureContext* sc; -@@ -606,38 +615,23 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { +@@ -609,38 +618,23 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { max_version = MAX_SUPPORTED_VERSION; method = TLS_client_method(); } else if (sslmethod == "TLSv1_method") { @@ -118,7 +127,7 @@ index 77940f0dea..ff562e3563 100644 } else { const std::string msg("Unknown method: "); THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, (msg + * sslmethod).c_str()); -@@ -667,8 +661,14 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { +@@ -670,8 +664,14 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR); @@ -133,7 +142,18 @@ index 77940f0dea..ff562e3563 100644 // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was // exposed in the public API. To retain compatibility, install a callback -@@ -1264,6 +1264,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { +@@ -1216,6 +1216,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { + THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "ECDH curve name"); + + node::Utf8Value curve(env->isolate(), args[0]); ++#if OPENSSL_IS_LEGACY ++ SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_SINGLE_ECDH_USE); ++ SSL_CTX_set_ecdh_auto(sc->ctx_.get(), 1); ++#endif + + if (strcmp(*curve, "auto") == 0) + return; +@@ -1267,6 +1271,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { return env->ThrowTypeError("Error setting temp DH parameter"); } @@ -199,7 +219,7 @@ index 77940f0dea..ff562e3563 100644 void SecureContext::SetMinProto(const FunctionCallbackInfo& args) { SecureContext* sc; -@@ -1274,7 +1333,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo& args) { +@@ -1277,7 +1340,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo& args) { int version = args[0].As()->Value(); @@ -212,7 +232,7 @@ index 77940f0dea..ff562e3563 100644 } -@@ -1287,7 +1351,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo& args) { +@@ -1290,7 +1358,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo& args) { int version = args[0].As()->Value(); @@ -225,7 +245,7 @@ index 77940f0dea..ff562e3563 100644 } -@@ -1298,7 +1367,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo& args) { +@@ -1301,7 +1374,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo& args) { CHECK_EQ(args.Length(), 0); long version = // NOLINT(runtime/int) @@ -237,7 +257,7 @@ index 77940f0dea..ff562e3563 100644 args.GetReturnValue().Set(static_cast(version)); } -@@ -1310,11 +1383,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo& args) { +@@ -1313,11 +1390,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo& args) { CHECK_EQ(args.Length(), 0); long version = // NOLINT(runtime/int) @@ -253,7 +273,7 @@ index 77940f0dea..ff562e3563 100644 void SecureContext::SetOptions(const FunctionCallbackInfo& args) { SecureContext* sc; ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); -@@ -6870,8 +6946,72 @@ void TimingSafeEqual(const FunctionCallbackInfo& args) { +@@ -6873,8 +6953,72 @@ void TimingSafeEqual(const FunctionCallbackInfo& args) { CRYPTO_memcmp(buf1.data(), buf2.data(), buf1.length()) == 0); } @@ -353,5 +373,5 @@ index dbc46fbec8..d27125042b 100644 // SSLWrap implicitly depends on the inheriting class' handle having an -- -2.29.2 +2.31.1 diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch index 749dc53..11588db 100644 --- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch +++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch @@ -1,6 +1,6 @@ -From f572d6ca73ec03c232fe0d4273ba5dc2e4329bd7 Mon Sep 17 00:00:00 2001 +From e7e0a4fc073b3d17fcdee6cebea74f1aae4e6f69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Tue, 5 Jan 2021 11:35:51 +0100 +Date: Wed, 7 Jul 2021 13:37:48 +0200 Subject: [PATCH] Disable unsupported OpenSSL features MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -41,10 +41,10 @@ Signed-off-by: Jan Staněk rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%) diff --git a/doc/api/cli.md b/doc/api/cli.md -index 3c39689c62..a337ce69a1 100644 +index 6e0702498a..a8ef339430 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md -@@ -806,14 +806,6 @@ added: +@@ -813,14 +813,6 @@ added: Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for TLSv1.3. @@ -59,7 +59,7 @@ index 3c39689c62..a337ce69a1 100644 ### `--tls-min-v1.0` + +-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with +-`./configure --openssl-fips`.) ++Enable FIPS-compliant crypto at startup. (Requires Node.js to be built ++against FIPS-compatible OpenSSL.) + + ### `--enable-source-maps` + + + Load an OpenSSL configuration file on startup. Among other uses, this can be +-used to enable FIPS-compliant crypto if Node.js is built with +-`./configure --openssl-fips`. ++used to enable FIPS-compliant crypto if Node.js is built ++against FIPS-enabled OpenSSL. + + ### `--pending-deprecation` +