Hello community, here is the log from the commit of package nodejs8 for openSUSE:Factory checked in at 2019-05-07 23:20:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nodejs8 (Old) and /work/SRC/openSUSE:Factory/.nodejs8.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "nodejs8" Tue May 7 23:20:29 2019 rev:24 rq:701348 version:8.15.1 Changes: -------- --- /work/SRC/openSUSE:Factory/nodejs8/nodejs8.changes 2019-03-13 09:05:46.119445334 +0100 +++ /work/SRC/openSUSE:Factory/.nodejs8.new.5148/nodejs8.changes 2019-05-07 23:20:34.641137098 +0200 @@ -1,0 +2,5 @@ +Tue May 7 11:13:57 UTC 2019 - Adam Majer <adam.majer@suse.de> + +- openssl_1_1_1.patch: backport fixes for OpenSSL 1.1.1 (bsc#1134209) + +------------------------------------------------------------------- New: ---- openssl_1_1_1.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nodejs8.spec ++++++ --- /var/tmp/diff_new_pack.zk6SR7/_old 2019-05-07 23:20:36.721142083 +0200 +++ /var/tmp/diff_new_pack.zk6SR7/_new 2019-05-07 23:20:36.725142093 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -31,11 +31,15 @@ %define node_version_number 8 +%if %node_version_number >= 12 +%define openssl_req_ver 1.1.1 +%else %if %node_version_number >= 10 %define openssl_req_ver 1.1.0 %else # node8 or older %define openssl_req_ver 1.0.2 %endif +%endif %bcond_with valgrind_tests @@ -115,6 +119,7 @@ ## Patches not distribution specific Patch3: fix_ci_tests.patch Patch7: manual_configure.patch +Patch12: openssl_1_1_1.patch ## Patches specific to SUSE and openSUSE # PATCH-FIX-OPENSUSE -- set correct path for dtrace if it is built 
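Review bot: `Patch12: openssl_1_1_1.patch` is added without the descriptive tag line that the SUSE-specific patches in the section below carry, so a reader of the spec has to open the patch to learn what it does and why. Add a line above it such as `# PATCH-FIX-UPSTREAM -- backport OpenSSL 1.1.1 support, caps TLS at 1.2 (bsc#1134209)`. The `%if %node_version_number >= 12` branch added in the `@@ -31,11 +31,15 @@` hunk is inactive for this package, since `node_version_number` is defined as 8, and presumably exists for sibling packages that share the spec.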
@@ -271,6 +276,10 @@
 Provides: npm = %{version}
 Provides: npm(npm) = 6.4.1
 %if 0%{?suse_version} >= 1500
+%if %{node_version_number} >= 10
+Requires: group(nobody)
+Requires: user(nobody)
+%endif
 Recommends: python2
 %else
 Recommends: python
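Review bot: The new `Requires: group(nobody)` / `Requires: user(nobody)` block is a packaging change that the changelog entry in this commit does not mention; the entry names only openssl_1_1_1.patch (bsc#1134209). For this package the block is inactive, because `node_version_number` is defined as 8 earlier in the spec, so it presumably serves sibling packages built from the shared spec. Either way it deserves its own changelog line and a short comment above the `%if` stating what in node 10+ depends on the `nobody` account.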
@@ -309,6 +318,7 @@
 %patch7 -p1
 %if 0%{with valgrind_tests}
 %endif
+%patch12 -p1
 %patch101 -p1
 %patch102 -p1
 # Add check_output to configure script (not part of Python 2.6 in SLE11).
++++++ openssl_1_1_1.patch ++++++
Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033519658bba2d7b776ec166f889a56bce31 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: https://github.com/nodejs/node/pull/26270 PR-URL: https://github.com/nodejs/node/pull/25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> commit 161dca72cb06e36614fdc75184383c8f456e97a4 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: https://github.com/nodejs/node/issues/24658 PR-URL: https://github.com/nodejs/node/pull/25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Partial port, remain compatible with 1.0.2: commit 970ce14f61a44504520581c5af5dc9c3bddc0f40 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now.
crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: https://github.com/nodejs/node/issues/4270 PR-URL: https://github.com/nodejs/node/pull/19794 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Index: node-v8.15.1/src/node_constants.cc =================================================================== --- node-v8.15.1.orig/src/node_constants.cc +++ node-v8.15.1/src/node_constants.cc @@ -921,6 +921,10 @@ void DefineOpenSSLConstants(Local<Object NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_ECDSA); # endif +# ifdef ENGINE_METHOD_EC + NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_EC); +# endif + # ifdef ENGINE_METHOD_CIPHERS NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_CIPHERS); # endif Index: node-v8.15.1/src/node_crypto.cc =================================================================== --- node-v8.15.1.orig/src/node_crypto.cc +++ node-v8.15.1/src/node_crypto.cc @@ -509,6 +509,8 @@ void SecureContext::Init(const FunctionC ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); Environment* env = sc->env(); + int min_version = 0; + int max_version = 0; const SSL_METHOD* method = TLS_method(); if (args.Length() == 1 && args[0]->IsString()) { 
@@ -531,29 +533,95 @@ void SecureContext::Init(const FunctionC
 } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) {
 return env->ThrowError("SSLv3 methods disabled");
 } else if (strcmp(*sslmethod, "SSLv23_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ method = TLS_method();
+ #else
 method = SSLv23_method();
+ #endif
 } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ method = TLS_server_method();
+ #else
 method = SSLv23_server_method();
+ #endif
 } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ method = TLS_client_method();
+ #else
 method = SSLv23_client_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
+ method = TLS_method();
+ #else
 method = TLSv1_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
+ method = TLS_server_method();
+ #else
 method = TLSv1_server_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_client_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
+ method = TLS_client_method();
+ #else
 method = TLSv1_client_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_1_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
+ method = TLS_method();
+ #else
 method = TLSv1_1_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_1_server_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
+ method = TLS_server_method();
+ #else
 method = TLSv1_1_server_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) {
+ #if
OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
+ method = TLS_client_method();
+ #else
 method = TLSv1_1_client_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
+ method = TLS_method();
+ #else
 method = TLSv1_2_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
+ method = TLS_server_method();
+ #else
 method = TLSv1_2_server_method();
+ #endif
 } else if (strcmp(*sslmethod, "TLSv1_2_client_method") == 0) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
+ method = TLS_client_method();
+ #else
 method = TLSv1_2_client_method();
+ #endif
 } else {
 return env->ThrowError("Unknown method");
 }
@@ -578,6 +646,13 @@ void SecureContext::Init(const FunctionC
 SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_CTX_set_min_proto_version(sc->ctx_, min_version);
+ if (max_version == 0) {
+ // Selecting some secureProtocol methods allows the TLS version to be "any
+ // supported", but we don't support TLSv1.3, even if OpenSSL does.
+ max_version = TLS1_2_VERSION;
+ }
+ SSL_CTX_set_max_proto_version(sc->ctx_, max_version);
 // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
 // exposed in the public API. To retain compatibility, install a callback
 // which restores the old algorithm.
Index: node-v8.15.1/src/tls_wrap.cc
===================================================================
--- node-v8.15.1.orig/src/tls_wrap.cc
+++ node-v8.15.1/src/tls_wrap.cc
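Review bot: Under OpenSSL >= 1.1.0 the three `SSLv23_*` branches in this hunk leave `min_version` at its initial 0, and the `@@ -578,6 +646,13 @@` hunk below then passes that 0 to `SSL_CTX_set_min_proto_version(sc->ctx_, min_version)`, which OpenSSL documents as "down to the lowest version the library supports" rather than an explicit floor; whether SSLv3 is still excluded then depends on `SSL_OP_NO_SSLv3` being set elsewhere in `SecureContext::Init`, which neither hunk shows. If TLS 1.0 is the intended floor, make it explicit next to the TLSv1.3 cap, `if (min_version == 0) min_version = TLS1_VERSION;`, and add a comment such as `// SSLv23_* and the default method now mean "TLS 1.0 through 1.2"; the floor must not rely on SSL_OP_NO_SSLv3 alone` so the changed meaning of those secureProtocol strings is visible to the next reader. The nine near-identical `#if`/`#else`/`#endif` blocks would also collapse into a small table keyed on the method string, though staying close to the upstream commit is a fair reason to keep them as they are. `SecureContext::Init` begins before this hunk and continues past the second one.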
@@ -277,7 +277,10 @@ void TLSWrap::SSLInfoCallback(const SSL*
 }
 }
- if (where & SSL_CB_HANDSHAKE_DONE) {
+ // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called
+ // sending HelloRequest in OpenSSL-1.1.1.
+ // We need to check whether this is in a renegotiation state or not.
+ if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
 c->established_ = true;
 Local<Value> callback = object->Get(env->onhandshakedone_string());
 if (callback->IsFunction()) {
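Review bot: The new condition `where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)` is correct only because `&` binds tighter than `&&`, and compilers flag exactly this shape under -Wparentheses, so write it as `if ((where & SSL_CB_HANDSHAKE_DONE) && !SSL_renegotiate_pending(ssl)) {`. The hunk header shows the callback takes a `const SSL*`; if `ssl` here is that parameter rather than a non-const local, the call would not compile against OpenSSL 1.0.2, whose `SSL_renegotiate_pending` takes a non-const `SSL*`, and this spec still defines `openssl_req_ver` as 1.0.2 for node8, so a build against that version is worth checking. Unlike the node_crypto.cc hunks this one is not guarded by `OPENSSL_VERSION_NUMBER`, which is fine functionally but worth one clause in the new comment, e.g. `// Harmless on 1.0.2, where no renegotiation is pending at HANDSHAKE_DONE.` `TLSWrap::SSLInfoCallback` starts and ends outside this hunk.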