rpms/nodejs
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9

Browse Source
This commit is contained in:
CentOS Sources 2022-08-24 23:06:00 +00:00 committed by root
parent 592c0a96a5
commit 8e0f2eb3a5
5 changed files with 79 additions and 765 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/icu4c-69_1-src.tgz
SOURCES/node-v14.18.2-stripped.tar.gz
SOURCES/icu4c-70_1-src.tgz
SOURCES/node-v14.20.0-stripped.tar.gz

4
.nodejs.metadata
View File

@ -1,2 +1,2 @@
620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz
bba4efed29ee2e3e9078b955890d9b68f6750f6a SOURCES/node-v14.18.2-stripped.tar.gz
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
66dc4b75e2e416d064f12be3450fc7953d72b21b SOURCES/node-v14.20.0-stripped.tar.gz

46
SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch Normal file
View File

@ -0,0 +1,46 @@
From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 9 Dec 2021 15:48:46 +0100
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
This is the upstream fix [1] applied to all applicable bundled deps.
[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
Fixes: CVE-2021-3807
Signed-off-by: rpm-build <rpm-build>
---
.../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +-
deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
index c4aaecf..7d32201 100644
--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
@@ -2,7 +2,7 @@
module.exports = () => {
const pattern = [
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
].join('|');
diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
index c254480..9e37ec3 100644
--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
@@ -6,7 +6,7 @@ module.exports = options => {
}, options);
const pattern = [
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
].join('|');
--
2.36.1

624
SOURCES/0004-always-available-fips-options.patch
View File

@ -1,624 +0,0 @@
From 7c7f5159fcc71d915dfcc5f97ab18d5f8912f1b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
Date: Tue, 25 Aug 2020 14:04:54 +0200
Subject: [PATCH] crypto: make FIPS related options always awailable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
`FIPS_mode()` function.
This makes the user experience more consistent, because the OpenSSL
library is always queried and the `crypto.getFips()` always returns
OpenSSL settings.
Fixes #34903
PR-URL: https://github.com/nodejs/node/pull/36341
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Signed-off-by: rpm-build <rpm-build>
---
doc/api/cli.md | 8 +--
lib/crypto.js | 22 ++----
node.gypi | 3 -
src/node.cc | 6 +-
src/node_config.cc | 2 -
src/node_crypto.cc | 45 +++++++-----
src/node_options.cc | 2 -
src/node_options.h | 2 -
test/parallel/test-cli-node-print-help.js | 7 +-
test/parallel/test-crypto-fips.js | 71 +++++++++----------
...rocess-env-allowed-flags-are-documented.js | 11 +--
11 files changed, 74 insertions(+), 105 deletions(-)
diff --git a/doc/api/cli.md b/doc/api/cli.md
index a8ef339..c41bd49 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -182,8 +182,8 @@ code from strings throw an exception instead. This does not affect the Node.js
added: v6.0.0
-->
-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
-`./configure --openssl-fips`.)
+Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
+against FIPS-compatible OpenSSL.)
### `--enable-source-maps`
<!-- YAML
@@ -543,8 +543,8 @@ added: v6.9.0
-->
Load an OpenSSL configuration file on startup. Among other uses, this can be
-used to enable FIPS-compliant crypto if Node.js is built with
-`./configure --openssl-fips`.
+used to enable FIPS-compliant crypto if Node.js is built
+against FIPS-enabled OpenSSL.
### `--pending-deprecation`
<!-- YAML
diff --git a/lib/crypto.js b/lib/crypto.js
index a41b02d..5c15ab3 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -37,12 +37,10 @@ assertCrypto();
const {
ERR_CRYPTO_FIPS_FORCED,
- ERR_CRYPTO_FIPS_UNAVAILABLE
} = require('internal/errors').codes;
const constants = internalBinding('constants').crypto;
const { getOptionValue } = require('internal/options');
const pendingDeprecation = getOptionValue('--pending-deprecation');
-const { fipsMode } = internalBinding('config');
const fipsForced = getOptionValue('--force-fips');
const {
getFipsCrypto,
@@ -193,10 +191,8 @@ module.exports = {
sign: signOneShot,
setEngine,
timingSafeEqual,
- getFips: !fipsMode ? getFipsDisabled :
- fipsForced ? getFipsForced : getFipsCrypto,
- setFips: !fipsMode ? setFipsDisabled :
- fipsForced ? setFipsForced : setFipsCrypto,
+ getFips: fipsForced ? getFipsForced : getFipsCrypto,
+ setFips: fipsForced ? setFipsForced : setFipsCrypto,
verify: verifyOneShot,
// Classes
@@ -215,19 +211,11 @@ module.exports = {
Verify
};
-function setFipsDisabled() {
- throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
-}
-
function setFipsForced(val) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
}
-function getFipsDisabled() {
- return 0;
-}
-
function getFipsForced() {
return 1;
}
@@ -249,10 +237,8 @@ ObjectDefineProperties(module.exports, {
},
// crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
fips: {
- get: !fipsMode ? getFipsDisabled :
- fipsForced ? getFipsForced : getFipsCrypto,
- set: !fipsMode ? setFipsDisabled :
- fipsForced ? setFipsForced : setFipsCrypto
+ get: fipsForced ? getFipsForced : getFipsCrypto,
+ set: fipsForced ? setFipsForced : setFipsCrypto
},
DEFAULT_ENCODING: {
enumerable: false,
diff --git a/node.gypi b/node.gypi
index 070f212..45f6a9f 100644
--- a/node.gypi
+++ b/node.gypi
@@ -319,9 +319,6 @@
[ 'node_use_openssl=="true"', {
'defines': [ 'HAVE_OPENSSL=1' ],
'conditions': [
- ['openssl_fips != "" or openssl_is_fips=="true"', {
- 'defines': [ 'NODE_FIPS_MODE' ],
- }],
[ 'node_shared_openssl=="false"', {
'dependencies': [
'./deps/openssl/openssl.gyp:openssl',
diff --git a/src/node.cc b/src/node.cc
index 905afd8..c04d199 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -1035,11 +1035,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
-#ifdef NODE_FIPS_MODE
// In the case of FIPS builds we should make sure
// the random source is properly initialized first.
- OPENSSL_init();
-#endif // NODE_FIPS_MODE
+ if (FIPS_mode()) {
+ OPENSSL_init();
+ }
// V8 on Windows doesn't have a good source of entropy. Seed it from
// OpenSSL's pool.
V8::SetEntropySource(crypto::EntropySource);
diff --git a/src/node_config.cc b/src/node_config.cc
index 6ee3164..e229eee 100644
--- a/src/node_config.cc
+++ b/src/node_config.cc
@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
#endif // HAVE_OPENSSL
-#ifdef NODE_FIPS_MODE
READONLY_TRUE_PROPERTY(target, "fipsMode");
-#endif
#ifdef NODE_HAVE_I18N_SUPPORT
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 31e8276..721c9d1 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -51,6 +51,11 @@
#include <openssl/hmac.h>
#include <openssl/rand.h>
#include <openssl/pkcs12.h>
+// The FIPS-related functions are only available
+// when the OpenSSL itself was compiled with FIPS support.
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif // OPENSSL_FIPS
#include <cerrno>
#include <climits> // INT_MAX
@@ -101,6 +106,7 @@ using v8::String;
using v8::Uint32;
using v8::Uint8Array;
using v8::Undefined;
+using v8::TryCatch;
using v8::Value;
#ifdef OPENSSL_NO_OCB
@@ -3706,12 +3712,10 @@ void CipherBase::Init(const char* cipher_type,
HandleScope scope(env()->isolate());
MarkPopErrorOnReturn mark_pop_error_on_return;
-#ifdef NODE_FIPS_MODE
if (FIPS_mode()) {
return env()->ThrowError(
"crypto.createCipher() is not supported in FIPS mode.");
}
-#endif // NODE_FIPS_MODE
const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
if (cipher == nullptr)
@@ -3897,13 +3901,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
return false;
}
-#ifdef NODE_FIPS_MODE
// TODO(tniessen) Support CCM decryption in FIPS mode
if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
env()->ThrowError("CCM decryption not supported in FIPS mode");
return false;
}
-#endif
// Tell OpenSSL about the desired length.
if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
@@ -4778,7 +4780,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
}
static inline bool ValidateDSAParameters(EVP_PKEY* key) {
-#ifdef NODE_FIPS_MODE
/* Validate DSA2 parameters from FIPS 186-4 */
if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
DSA* dsa = EVP_PKEY_get0_DSA(key);
@@ -4794,7 +4795,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
(L == 2048 && N == 256) ||
(L == 3072 && N == 256);
}
-#endif // NODE_FIPS_MODE
return true;
}
@@ -7032,7 +7032,6 @@ void InitCryptoOnce() {
settings = nullptr;
#endif
-#ifdef NODE_FIPS_MODE
/* Override FIPS settings in cnf file, if needed. */
unsigned long err = 0; // NOLINT(runtime/int)
if (per_process::cli_options->enable_fips_crypto ||
@@ -7042,12 +7041,10 @@ void InitCryptoOnce() {
}
}
if (0 != err) {
- fprintf(stderr,
- "openssl fips failed: %s\n",
- ERR_error_string(err, nullptr));
- UNREACHABLE();
+ auto* isolate = Isolate::GetCurrent();
+ auto* env = Environment::GetCurrent(isolate);
+ return ThrowCryptoError(env, err);
}
-#endif // NODE_FIPS_MODE
// Turn off compression. Saves memory and protects against CRIME attacks.
@@ -7093,7 +7090,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
}
#endif // !OPENSSL_NO_ENGINE
-#ifdef NODE_FIPS_MODE
void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
}
@@ -7111,7 +7107,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
return ThrowCryptoError(env, err);
}
}
-#endif /* NODE_FIPS_MODE */
+
+void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
+#ifdef OPENSSL_FIPS
+ const auto enabled = FIPS_selftest() ? 1 : 0;
+#else // OPENSSL_FIPS
+ const auto enabled = 0;
+#endif // OPENSSL_FIPS
+
+ args.GetReturnValue().Set(enabled);
+}
namespace {
// SecureBuffer uses openssl to allocate a Uint8Array using
@@ -7147,10 +7152,17 @@ void Initialize(Local<Object> target,
Local<Value> unused,
Local<Context> context,
void* priv) {
+ Environment* env = Environment::GetCurrent(context);
+
static uv_once_t init_once = UV_ONCE_INIT;
+ TryCatch try_catch{env->isolate()};
uv_once(&init_once, InitCryptoOnce);
- Environment* env = Environment::GetCurrent(context);
+ if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
+ try_catch.ReThrow();
+ return;
+ }
+
SecureContext::Initialize(env, target);
target->Set(env->context(),
FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
@@ -7179,10 +7191,9 @@ void Initialize(Local<Object> target,
env->SetMethod(target, "setEngine", SetEngine);
#endif // !OPENSSL_NO_ENGINE
-#ifdef NODE_FIPS_MODE
env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
-#endif
+ env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
env->SetMethod(target, "pbkdf2", PBKDF2);
env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
diff --git a/src/node_options.cc b/src/node_options.cc
index 0102329..1ad44f4 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -753,7 +753,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
&PerProcessOptions::ssl_openssl_cert_store);
Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
-#if NODE_FIPS_MODE
AddOption("--enable-fips",
"enable FIPS crypto at startup",
&PerProcessOptions::enable_fips_crypto,
@@ -762,7 +761,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
"force FIPS crypto (cannot be disabled)",
&PerProcessOptions::force_fips_crypto,
kAllowedInEnvironment);
-#endif
#endif
AddOption("--use-largepages",
"Map the Node.js static code to large pages. Options are "
diff --git a/src/node_options.h b/src/node_options.h
index 58a21e0..f22b254 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -243,10 +243,8 @@ class PerProcessOptions : public Options {
#endif
bool use_openssl_ca = false;
bool use_bundled_ca = false;
-#if NODE_FIPS_MODE
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
-#endif
#endif
// Per-process because reports can be triggered outside a known V8 context.
diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
index ab8cd10..7e7c77f 100644
--- a/test/parallel/test-cli-node-print-help.js
+++ b/test/parallel/test-cli-node-print-help.js
@@ -8,8 +8,6 @@ const common = require('../common');
const assert = require('assert');
const { exec } = require('child_process');
-const { internalBinding } = require('internal/test/binding');
-const { fipsMode } = internalBinding('config');
let stdOut;
@@ -28,9 +26,8 @@ function validateNodePrintHelp() {
const cliHelpOptions = [
{ compileConstant: HAVE_OPENSSL,
flags: [ '--openssl-config=...', '--tls-cipher-list=...',
- '--use-bundled-ca', '--use-openssl-ca' ] },
- { compileConstant: fipsMode,
- flags: [ '--enable-fips', '--force-fips' ] },
+ '--use-bundled-ca', '--use-openssl-ca',
+ '--enable-fips', '--force-fips' ] },
{ compileConstant: NODE_HAVE_I18N_SUPPORT,
flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
{ compileConstant: HAVE_INSPECTOR,
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index eae3134..a1ed645 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
const path = require('path');
const fixtures = require('../common/fixtures');
const { internalBinding } = require('internal/test/binding');
-const { fipsMode } = internalBinding('config');
+const { testFipsCrypto } = internalBinding('crypto');
const FIPS_ENABLED = 1;
const FIPS_DISABLED = 0;
-const FIPS_ERROR_STRING =
- 'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
- 'non-FIPS build.';
const FIPS_ERROR_STRING2 =
'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
'--force-fips at startup.';
-const OPTION_ERROR_STRING = 'bad option';
+const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
let num_children_ok = 0;
-function compiledWithFips() {
- return fipsMode ? true : false;
-}
-
function sharedOpenSSL() {
return process.config.variables.node_shared_openssl;
}
@@ -75,17 +68,17 @@ testHelper(
// --enable-fips should turn FIPS mode on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
// --force-fips should turn FIPS mode on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
testHelper(
'stdout',
[`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
'require("crypto").getFips()',
process.env);
@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
testHelper(
'stdout',
[],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
testHelper(
'stdout',
[`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
}
@@ -136,50 +129,50 @@ testHelper(
// --enable-fips should take precedence over OpenSSL config file
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
// OPENSSL_CONF should _not_ make a difference to --enable-fips
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
// --force-fips should take precedence over OpenSSL config file
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
// Using OPENSSL_CONF should not make a difference to --force-fips
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
// setFipsCrypto should be able to turn FIPS mode on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
[],
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").getFips())',
process.env);
// setFipsCrypto should be able to turn FIPS mode on and off
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
[],
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
+ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").setFips(false),' +
'require("crypto").getFips())',
@@ -187,27 +180,27 @@ testHelper(
// setFipsCrypto takes precedence over OpenSSL config file, FIPS on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
[`--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").getFips())',
process.env);
// setFipsCrypto takes precedence over OpenSSL config file, FIPS off
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ 'stdout',
[`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
+ FIPS_DISABLED,
'(require("crypto").setFips(false),' +
'require("crypto").getFips())',
process.env);
// --enable-fips does not prevent use of setFipsCrypto API
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips'],
- compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(false),' +
'require("crypto").getFips())',
process.env);
@@ -216,15 +209,15 @@ testHelper(
testHelper(
'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").setFips(false)',
process.env);
// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").getFips())',
process.env);
@@ -233,7 +226,7 @@ testHelper(
testHelper(
'stderr',
['--force-fips', '--enable-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").setFips(false)',
process.env);
@@ -241,6 +234,6 @@ testHelper(
testHelper(
'stderr',
['--enable-fips', '--force-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").setFips(false)',
process.env);
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
index 1c91444..1d1605d 100644
--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
@@ -45,17 +45,8 @@ const conditionalOpts = [
include: common.hasCrypto,
filter: (opt) => {
return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
- '--use-openssl-ca' ].includes(opt);
+ '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
}
- }, {
- // We are using openssl_is_fips from the configuration because it could be
- // the case that OpenSSL is FIPS compatible but fips has not been enabled
- // (starting node with --enable-fips). If we use common.hasFipsCrypto
- // that would only tells us if fips has been enabled, but in this case we
- // want to check options which will be available regardless of whether fips
- // is enabled at runtime or not.
- include: process.config.variables.openssl_is_fips,
- filter: (opt) => opt.includes('-fips')
}, {
include: common.hasIntl,
filter: (opt) => opt === '--icu-data-dir'
--
2.31.1

166
SPECS/nodejs.spec
View File

@ -1,5 +1,4 @@
%bcond_with debug
%bcond_with libs
# PowerPC, s390x and aarch64 segfault during Debug builds
# https://github.com/nodejs/node/issues/20642
@ -42,13 +41,9 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 14
%global nodejs_minor 18
%global nodejs_patch 2
%global nodejs_minor 20
%global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{with libs}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 83
%endif
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release %{baserelease}
@ -77,7 +72,7 @@
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_major 2
%global llhttp_minor 1
%global llhttp_patch 4
%global llhttp_patch 5
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
# libuv - from deps/uv/include/uv/version.h
@ -93,7 +88,7 @@
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
# ICU - from tools/icu/current_ver.dep
%global icu_major 69
%global icu_major 70
%global icu_minor 1
%global icu_version %{icu_major}.%{icu_minor}
@ -126,7 +121,7 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 15
%global npm_patch 17
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
@ -176,14 +171,7 @@ Source7: nodejs_native.attr
# Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
%if %{with libs}
# Patch to install both node and libnode.so, using the correct libdir
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
%endif
# Make FIPS always available
# https://github.com/nodejs/node/issues/34903
Patch3: 0004-always-available-fips-options.patch
Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
BuildRequires: make
BuildRequires: python3-devel
@ -223,10 +211,6 @@ Requires: openssl >= %{openssl_minimum}
# we need the system certificate store
Requires: ca-certificates
%if %{with libs}
Requires: nodejs-libs%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
%endif
# Pull in the full-icu data by default
Recommends: nodejs-full-i18n%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
@ -312,31 +296,6 @@ Requires: libuv-devel%{?_isa}
Development headers for the Node.js JavaScript runtime.
%if %{with libs}
%package libs
Summary: Node.js and v8 libraries
# Compatibility for obsolete v8 package
%if 0%{?__isa_bits} == 64
Provides: libv8.so.%{v8_major}()(64bit)
Provides: libv8_libbase.so.%{v8_major}()(64bit)
Provides: libv8_libplatform.so.%{v8_major}()(64bit)
%else
# 32-bits
Provides: libv8.so.%{v8_major}
Provides: libv8_libbase.so.%{v8_major}
Provides: libv8_libplatform.so.%{v8_major}
%endif
Provides: v8 = %{v8_epoch}:%{v8_version}-%{nodejs_release}%{?dist}
Provides: v8%{?_isa} = %{v8_epoch}:%{v8_version}-%{nodejs_release}%{?dist}
Obsoletes: v8 < 1:6.7.17-10
%description libs
Libraries to support Node.js and provide stable v8 interfaces.
%endif
%package full-i18n
Summary: Non-English locale data for Node.js
Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
@ -346,19 +305,6 @@ Optional data files to provide full-icu support for Node.js. Remove this
package to save space if non-English locales are not needed.
%if %{with libs}
%package -n v8-devel
Summary: v8 - development headers
Epoch: %{v8_epoch}
Version: %{v8_version}
Release: %{v8_release}%{?dist}
Requires: %{name}-devel%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%description -n v8-devel
Development headers for the v8 runtime.
%endif
%package -n npm
Summary: Node.js Package Manager
Epoch: %{npm_epoch}
@ -431,17 +377,17 @@ export CXX='g++'
# build with debugging symbols and add defines from libuv (#892601)
# Node's v8 breaks with GCC 6 because of incorrect usage of methods on
# NULL objects. We need to pass -fno-delete-null-pointer-checks
extra_cflags=(
-D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64
-DZLIB_CONST
-fno-delete-null-pointer-checks
-D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64
-DZLIB_CONST
-fno-delete-null-pointer-checks
)
export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}"
export LDFLAGS="%{build_ldflags}"
%{__python3} configure.py --prefix=%{_prefix} \
%{?with_libs:--shared --libdir=%{_lib}} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
@ -450,6 +396,7 @@ export LDFLAGS="%{build_ldflags}"
%{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
--without-corepack \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
@ -504,22 +451,6 @@ chrpath --delete %{buildroot}%{_bindir}/node
install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
%endif
%if %{with libs}
# Install library symlink
ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/libnode.so
# Install v8 compatibility symlinks
for header in %{buildroot}%{_includedir}/node/libplatform %{buildroot}%{_includedir}/node/v8*.h; do
header=$(basename ${header})
ln -s %{_includedir}/node/${header} %{buildroot}%{_includedir}/${header}
done
ln -s ./node/cppgc %{buildroot}%{_includedir}/cppgc
for soname in libv8 libv8_libbase libv8_libplatform; do
ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so
ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so.%{v8_major}
done
%endif
# own the sitelib directory
mkdir -p %{buildroot}%{_prefix}/lib/node_modules
@ -553,7 +484,7 @@ cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man
# Install Gatsby HTML documentation to %{_pkgdocdir}
# Install Gatsby HTML documentation to %%{_pkgdocdir}
cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
@ -591,18 +522,6 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
%check
%if %{with libs}
# Fail the build if the versions don't match
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
# Ensure we have punycode and that the version matches
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
# Ensure we have npm and that the version matches
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
%else
# Fail the build if the versions don't match
%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
@ -613,7 +532,6 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
# Ensure we have npm and that the version matches
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
%endif
# Make sure i18n support is working
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
@ -683,26 +601,6 @@ if st and st.type == "directory" then
end
%if %{with libs}
%pretrans -n v8-devel -p <lua>
-- Replace the v8 libplatform include directory with a symlink
-- Drop this scriptlet when F30 is EOL
path = "%{_includedir}/libplatform"
st = posix.stat(path)
if st and st.type == "directory" then
status = os.rename(path, path .. ".rpmmoved")
if not status then
suffix = 0
while not status do
suffix = suffix + 1
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
end
os.rename(path, path .. ".rpmmoved")
end
end
%endif
%files
%{_bindir}/node
%dir %{_prefix}/lib/node_modules
@ -726,7 +624,6 @@ end
%files devel
%{?with_debug:%{_bindir}/node_g}
%{_includedir}/node
%{?with_libs:%{_libdir}/libnode.so}
%{_datadir}/node/common.gypi
%{_pkgdocdir}/gdbinit
@ -736,26 +633,6 @@ end
%{icudatadir}/icudt%{icu_major}*.dat
%if %{with libs}
%files libs
%{_libdir}/libnode.so.%{nodejs_soversion}
%{_libdir}/libv8.so.%{v8_major}
%{_libdir}/libv8_libbase.so.%{v8_major}
%{_libdir}/libv8_libplatform.so.%{v8_major}
%dir %{nodejs_datadir}/
%files -n v8-devel
%{_includedir}/libplatform
%{_includedir}/v8*.h
%{_includedir}/cppgc
%{_libdir}/libv8.so
%{_libdir}/libv8_libbase.so
%{_libdir}/libv8_libplatform.so
%ghost %{_includedir}/libplatform.rpmmoved
%endif
%files -n npm
%{_bindir}/npm
%{_bindir}/npx
@ -791,11 +668,26 @@ end
%changelog
* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
* Tue Aug 02 2022 Zuzana Svetlikova <zsvetlik@redhat.com - 1:14.20.0-2
- Replace with_* macros with RPM confitionals
- Unify configure calls into single command
- Refactor bootstrap-related parts
- Decouple dependency bundling from bootstrapping
- Resolves: RHBZ#2111417
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
- Rebase to latest version
- Resolves: RHBZ#2106367
- CVE fixes for CVE-2022-32212/3/4/5
- Resolves: #2109576, #2109579, #2109582, #2109585
* Tue Jan 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-3
- Resolves: RHBZ#2029519
- Add missing BZ to changelog
* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
- Add missing fixes
- Resolves: RHBZ#2027641, RHBZ#2027634
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
- Resolves: RHBZ#2026325