Compare commits

...

No commits in common. 'i8c-stream-12' and 'c9' have entirely different histories.

8
.gitignore vendored

@ -1,2 +1,6 @@
SOURCES/icu4c-67_1-src.tgz
SOURCES/node-v12.22.12-stripped.tar.gz
SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-71_1-src.tgz
SOURCES/node-v16.20.2-stripped.tar.gz
SOURCES/undici-5.20.0.tar.gz
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
SOURCES/wasi-sdk-wasi-sdk-14.tar.gz

@ -1,2 +1,6 @@
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
49c907b1445701724914a0571bf6be62a25583af SOURCES/node-v12.22.12-stripped.tar.gz
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
0024086ed6090aaea422fb2bd329f898bf924df6 SOURCES/node-v16.20.2-stripped.tar.gz
0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz

@ -1,6 +1,6 @@
From 641730c7d1322dacd8e1020ec0753795d01200f0 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Thu, 27 Apr 2017 14:25:42 +0200
From 6c80c1956373978489a297a630f4f50222c47775 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 30 May 2023 13:12:35 +0200
Subject: [PATCH] Disable running gyp on shared deps
Signed-off-by: rpm-build <rpm-build>
@ -9,18 +9,18 @@ Signed-off-by: rpm-build <rpm-build>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 32a8a6c..f44f88a 100644
index ef3eda2..8b52a4f 100644
--- a/Makefile
+++ b/Makefile
@@ -141,7 +141,7 @@ test-code-cache: with-code-cache
echo "'test-code-cache' target is a noop"
@@ -148,7 +148,7 @@ with-code-cache test-code-cache:
$(warning '$@' target is a noop)
out/Makefile: config.gypi common.gypi node.gyp \
- deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \
+ deps/http_parser/http_parser.gyp \
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
+ deps/llhttp/llhttp.gyp \
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
--
2.26.2
2.44.0

@ -0,0 +1,26 @@
From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
From: Honza Horak <hhorak@redhat.com>
Date: Thu, 12 Oct 2023 13:52:59 +0200
Subject: [PATCH] disable fips options
Signed-off-by: rpm-build <rpm-build>
---
src/crypto/crypto_util.cc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 59ae7f8..7343396 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+ return false;
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)
--
2.44.0

File diff suppressed because it is too large Load Diff

@ -1,70 +0,0 @@
From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Tue, 2 Jun 2020 05:33:25 +0200
Subject: [PATCH 3/3] src: use getauxval in node_main.cc
This commit suggests using getauxval in node_main.cc.
The motivation for this is that getauxval was introduced in glibc 2.16
and looking at BUILDING.md, in the 'Platform list' section, it looks
like we now support glibc >= 2.17 and perhaps this change would be
alright now.
PR-URL: https://github.com/nodejs/node/pull/33693
Refs: https://github.com/nodejs/node/pull/12548
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
src/node_main.cc | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/node_main.cc b/src/node_main.cc
index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644
--- a/src/node_main.cc
+++ b/src/node_main.cc
@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) {
return node::Start(argc, argv);
}
#else
// UNIX
#ifdef __linux__
-#include <elf.h>
-#ifdef __LP64__
-#define Elf_auxv_t Elf64_auxv_t
-#else
-#define Elf_auxv_t Elf32_auxv_t
-#endif // __LP64__
-extern char** environ;
+#include <sys/auxv.h>
#endif // __linux__
#if defined(__POSIX__) && defined(NODE_SHARED_MODE)
#include <string.h>
#include <signal.h>
#endif
@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) {
sigaction(SIGPIPE, &act, nullptr);
}
#endif
#if defined(__linux__)
- char** envp = environ;
- while (*envp++ != nullptr) {}
- Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp);
- for (; auxv->a_type != AT_NULL; auxv++) {
- if (auxv->a_type == AT_SECURE) {
- node::per_process::linux_at_secure = auxv->a_un.a_val;
- break;
- }
- }
+ node::per_process::linux_at_secure = getauxval(AT_SECURE);
#endif
// Disable stdio buffering, it interacts poorly with printf()
// calls elsewhere in the program (e.g., any logging from V8.)
setvbuf(stdout, nullptr, _IONBF, 0);
setvbuf(stderr, nullptr, _IONBF, 0);
--
2.30.1

@ -0,0 +1,581 @@
From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
From: Honza Horak <hhorak@redhat.com>
Date: Mon, 15 Apr 2024 15:21:35 +0200
Subject: [PATCH] Fix CVE-2024-22019
Resolves: RHEL-28064
This is a combination of the upstream commit from v18:
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
chunk features.
Original patch:
> From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
> From: Paolo Insogna <paolo@cowtech.it>
> Date: Tue, 9 Jan 2024 18:10:04 +0100
> Subject: [PATCH] http: add maximum chunk extension size
>
> Cherry-picked from v18 patch:
> https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
>
> PR-URL: https://github.com/nodejs-private/node-private/pull/520
> Refs: https://github.com/nodejs-private/node-private/pull/518
> CVE-ID: CVE-2024-22019
Signed-off-by: rpm-build <rpm-build>
---
deps/llhttp/.gitignore | 1 +
deps/llhttp/CMakeLists.txt | 2 +-
deps/llhttp/include/llhttp.h | 7 +-
deps/llhttp/src/api.c | 7 +
deps/llhttp/src/llhttp.c | 122 ++++++++++++++--
doc/api/errors.md | 12 ++
lib/_http_server.js | 9 ++
src/node_http_parser.cc | 20 ++-
.../test-http-chunk-extensions-limit.js | 131 ++++++++++++++++++
tools/update-llhttp.sh | 2 +-
10 files changed, 294 insertions(+), 19 deletions(-)
create mode 100644 deps/llhttp/.gitignore
create mode 100644 test/parallel/test-http-chunk-extensions-limit.js
diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
new file mode 100644
index 0000000..98438a2
--- /dev/null
+++ b/deps/llhttp/.gitignore
@@ -0,0 +1 @@
+libllhttp.pc
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
index d038203..747564a 100644
--- a/deps/llhttp/CMakeLists.txt
+++ b/deps/llhttp/CMakeLists.txt
@@ -1,7 +1,7 @@
cmake_minimum_required(VERSION 3.5.1)
cmake_policy(SET CMP0069 NEW)
-project(llhttp VERSION 6.0.11)
+project(llhttp VERSION 6.1.0)
include(GNUInstallDirs)
set(CMAKE_C_STANDARD 99)
diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
index 2da66f1..78f27ab 100644
--- a/deps/llhttp/include/llhttp.h
+++ b/deps/llhttp/include/llhttp.h
@@ -2,8 +2,8 @@
#define INCLUDE_LLHTTP_H_
#define LLHTTP_VERSION_MAJOR 6
-#define LLHTTP_VERSION_MINOR 0
-#define LLHTTP_VERSION_PATCH 11
+#define LLHTTP_VERSION_MINOR 1
+#define LLHTTP_VERSION_PATCH 0
#ifndef LLHTTP_STRICT_MODE
# define LLHTTP_STRICT_MODE 0
@@ -348,6 +348,9 @@ struct llhttp_settings_s {
*/
llhttp_cb on_headers_complete;
+ /* Possible return values 0, -1, HPE_USER */
+ llhttp_data_cb on_chunk_parameters;
+
/* Possible return values 0, -1, HPE_USER */
llhttp_data_cb on_body;
diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
index c4ce197..d3065b3 100644
--- a/deps/llhttp/src/api.c
+++ b/deps/llhttp/src/api.c
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
}
+int llhttp__on_chunk_parameters(llhttp_t* s, const char* p, const char* endp) {
+ int err;
+ SPAN_CALLBACK_MAYBE(s, on_chunk_parameters, p, endp - p);
+ return err;
+}
+
+
int llhttp__on_chunk_complete(llhttp_t* s, const char* p, const char* endp) {
int err;
CALLBACK_MAYBE(s, on_chunk_complete);
diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
index 5e7c5d1..46f86a0 100644
--- a/deps/llhttp/src/llhttp.c
+++ b/deps/llhttp/src/llhttp.c
@@ -340,6 +340,8 @@ enum llparse_state_e {
s_n_llhttp__internal__n_invoke_is_equal_content_length,
s_n_llhttp__internal__n_chunk_size_almost_done,
s_n_llhttp__internal__n_chunk_parameters,
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
+ s_n_llhttp__internal__n_chunk_parameters_ows,
s_n_llhttp__internal__n_chunk_size_otherwise,
s_n_llhttp__internal__n_chunk_size,
s_n_llhttp__internal__n_chunk_size_digit,
@@ -539,6 +541,10 @@ int llhttp__on_body(
llhttp__internal_t* s, const unsigned char* p,
const unsigned char* endp);
+int llhttp__on_chunk_parameters(
+ llhttp__internal_t* s, const unsigned char* p,
+ const unsigned char* endp);
+
int llhttp__on_status(
llhttp__internal_t* s, const unsigned char* p,
const unsigned char* endp);
@@ -1226,8 +1232,7 @@ static llparse_state_t llhttp__internal__run(
goto s_n_llhttp__internal__n_chunk_parameters;
}
case 2: {
- p++;
- goto s_n_llhttp__internal__n_chunk_size_almost_done;
+ goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
}
default: {
goto s_n_llhttp__internal__n_error_10;
@@ -1236,6 +1241,34 @@ static llparse_state_t llhttp__internal__run(
/* UNREACHABLE */;
abort();
}
+ case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
+ if (p == endp) {
+ return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
+ }
+ state->_span_pos0 = (void*) p;
+ state->_span_cb0 = llhttp__on_chunk_parameters;
+ goto s_n_llhttp__internal__n_chunk_parameters;
+ /* UNREACHABLE */;
+ abort();
+ }
+ case s_n_llhttp__internal__n_chunk_parameters_ows:
+ s_n_llhttp__internal__n_chunk_parameters_ows: {
+ if (p == endp) {
+ return s_n_llhttp__internal__n_chunk_parameters_ows;
+ }
+ switch (*p) {
+ case ' ': {
+ p++;
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
+ }
+ default: {
+ goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
+ }
+ }
+ /* UNREACHABLE */;
+ abort();
+ }
case s_n_llhttp__internal__n_chunk_size_otherwise:
s_n_llhttp__internal__n_chunk_size_otherwise: {
if (p == endp) {
@@ -1246,13 +1279,9 @@ static llparse_state_t llhttp__internal__run(
p++;
goto s_n_llhttp__internal__n_chunk_size_almost_done;
}
- case ' ': {
- p++;
- goto s_n_llhttp__internal__n_chunk_parameters;
- }
case ';': {
p++;
- goto s_n_llhttp__internal__n_chunk_parameters;
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
}
default: {
goto s_n_llhttp__internal__n_error_11;
@@ -6074,6 +6103,24 @@ static llparse_state_t llhttp__internal__run(
/* UNREACHABLE */;
abort();
}
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
+ const unsigned char* start;
+ int err;
+
+ start = state->_span_pos0;
+ state->_span_pos0 = NULL;
+ err = llhttp__on_chunk_parameters(state, start, p);
+ if (err != 0) {
+ state->error = err;
+ state->error_pos = (const char*) (p + 1);
+ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
+ return s_error;
+ }
+ p++;
+ goto s_n_llhttp__internal__n_chunk_size_almost_done;
+ /* UNREACHABLE */;
+ abort();
+ }
s_n_llhttp__internal__n_error_10: {
state->error = 0x2;
state->reason = "Invalid character in chunk parameters";
@@ -8441,6 +8488,8 @@ enum llparse_state_e {
s_n_llhttp__internal__n_invoke_is_equal_content_length,
s_n_llhttp__internal__n_chunk_size_almost_done,
s_n_llhttp__internal__n_chunk_parameters,
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
+ s_n_llhttp__internal__n_chunk_parameters_ows,
s_n_llhttp__internal__n_chunk_size_otherwise,
s_n_llhttp__internal__n_chunk_size,
s_n_llhttp__internal__n_chunk_size_digit,
@@ -8635,6 +8684,10 @@ int llhttp__on_body(
llhttp__internal_t* s, const unsigned char* p,
const unsigned char* endp);
+int llhttp__on_chunk_parameters(
+ llhttp__internal_t* s, const unsigned char* p,
+ const unsigned char* endp);
+
int llhttp__on_status(
llhttp__internal_t* s, const unsigned char* p,
const unsigned char* endp);
@@ -9299,8 +9352,7 @@ static llparse_state_t llhttp__internal__run(
goto s_n_llhttp__internal__n_chunk_parameters;
}
case 2: {
- p++;
- goto s_n_llhttp__internal__n_chunk_size_almost_done;
+ goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
}
default: {
goto s_n_llhttp__internal__n_error_6;
@@ -9309,6 +9361,34 @@ static llparse_state_t llhttp__internal__run(
/* UNREACHABLE */;
abort();
}
+ case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
+ s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
+ if (p == endp) {
+ return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
+ }
+ state->_span_pos0 = (void*) p;
+ state->_span_cb0 = llhttp__on_chunk_parameters;
+ goto s_n_llhttp__internal__n_chunk_parameters;
+ /* UNREACHABLE */;
+ abort();
+ }
+ case s_n_llhttp__internal__n_chunk_parameters_ows:
+ s_n_llhttp__internal__n_chunk_parameters_ows: {
+ if (p == endp) {
+ return s_n_llhttp__internal__n_chunk_parameters_ows;
+ }
+ switch (*p) {
+ case ' ': {
+ p++;
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
+ }
+ default: {
+ goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
+ }
+ }
+ /* UNREACHABLE */;
+ abort();
+ }
case s_n_llhttp__internal__n_chunk_size_otherwise:
s_n_llhttp__internal__n_chunk_size_otherwise: {
if (p == endp) {
@@ -9319,13 +9399,9 @@ static llparse_state_t llhttp__internal__run(
p++;
goto s_n_llhttp__internal__n_chunk_size_almost_done;
}
- case ' ': {
- p++;
- goto s_n_llhttp__internal__n_chunk_parameters;
- }
case ';': {
p++;
- goto s_n_llhttp__internal__n_chunk_parameters;
+ goto s_n_llhttp__internal__n_chunk_parameters_ows;
}
default: {
goto s_n_llhttp__internal__n_error_7;
@@ -13951,6 +14027,24 @@ static llparse_state_t llhttp__internal__run(
/* UNREACHABLE */;
abort();
}
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
+ const unsigned char* start;
+ int err;
+
+ start = state->_span_pos0;
+ state->_span_pos0 = NULL;
+ err = llhttp__on_chunk_parameters(state, start, p);
+ if (err != 0) {
+ state->error = err;
+ state->error_pos = (const char*) (p + 1);
+ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
+ return s_error;
+ }
+ p++;
+ goto s_n_llhttp__internal__n_chunk_size_almost_done;
+ /* UNREACHABLE */;
+ abort();
+ }
s_n_llhttp__internal__n_error_6: {
state->error = 0x2;
state->reason = "Invalid character in chunk parameters";
diff --git a/doc/api/errors.md b/doc/api/errors.md
index dcf8744..a76bfe5 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
HTTP parsing will abort without a request or response object being created, and
an `Error` with this code will be emitted.
+<a id="HPE_CHUNK_EXTENSIONS_OVERFLOW"></a>
+
+### `HPE_CHUNK_EXTENSIONS_OVERFLOW`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Too much data was received for a chunk extensions. In order to protect against
+malicious or malconfigured clients, if more than 16 KiB of data is received
+then an `Error` with this code will be emitted.
+
<a id="HPE_UNEXPECTED_CONTENT_LENGTH"></a>
### `HPE_UNEXPECTED_CONTENT_LENGTH`
diff --git a/lib/_http_server.js b/lib/_http_server.js
index 4e23266..325bce6 100644
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
`HTTP/1.1 431 ${STATUS_CODES[431]}\r\n` +
'Connection: close\r\n\r\n', 'ascii'
);
+
+const requestChunkExtensionsTooLargeResponse = Buffer.from(
+ `HTTP/1.1 413 ${STATUS_CODES[413]}\r\n` +
+ 'Connection: close\r\n\r\n', 'ascii',
+);
+
function socketOnError(e) {
// Ignore further errors
this.removeListener('error', socketOnError);
@@ -719,6 +725,9 @@ function socketOnError(e) {
case 'HPE_HEADER_OVERFLOW':
response = requestHeaderFieldsTooLargeResponse;
break;
+ case 'HPE_CHUNK_EXTENSIONS_OVERFLOW':
+ response = requestChunkExtensionsTooLargeResponse;
+ break;
case 'ERR_HTTP_REQUEST_TIMEOUT':
response = requestTimeoutResponse;
break;
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
index 74f3248..b92e848 100644
--- a/src/node_http_parser.cc
+++ b/src/node_http_parser.cc
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
const uint32_t kOnTimeout = 6;
// Any more fields than this will be flushed into JS
const size_t kMaxHeaderFieldsCount = 32;
+// Maximum size of chunk extensions
+const size_t kMaxChunkExtensionsSize = 16384;
const uint32_t kLenientNone = 0;
const uint32_t kLenientHeaders = 1 << 0;
@@ -206,6 +208,7 @@ class Parser : public AsyncWrap, public StreamListener {
int on_message_begin() {
num_fields_ = num_values_ = 0;
+ chunk_extensions_nread_ = 0;
url_.Reset();
status_message_.Reset();
header_parsing_start_time_ = uv_hrtime();
@@ -443,9 +446,22 @@ class Parser : public AsyncWrap, public StreamListener {
return 0;
}
- // Reset nread for the next chunk
+ int on_chunk_extension(const char* at, size_t length) {
+ chunk_extensions_nread_ += length;
+
+ if (chunk_extensions_nread_ > kMaxChunkExtensionsSize) {
+ llhttp_set_error_reason(&parser_,
+ "HPE_CHUNK_EXTENSIONS_OVERFLOW:Chunk extensions overflow");
+ return HPE_USER;
+ }
+
+ return 0;
+ }
+
+ // Reset nread for the next chunk and also reset the extensions counter
int on_chunk_header() {
header_nread_ = 0;
+ chunk_extensions_nread_ = 0;
return 0;
}
@@ -887,6 +903,7 @@ class Parser : public AsyncWrap, public StreamListener {
const char* current_buffer_data_;
bool pending_pause_ = false;
uint64_t header_nread_ = 0;
+ uint64_t chunk_extensions_nread_ = 0;
uint64_t max_http_header_size_;
uint64_t headers_timeout_;
uint64_t header_parsing_start_time_ = 0;
@@ -921,6 +938,7 @@ const llhttp_settings_t Parser::settings = {
Proxy<DataCall, &Parser::on_header_field>::Raw,
Proxy<DataCall, &Parser::on_header_value>::Raw,
Proxy<Call, &Parser::on_headers_complete>::Raw,
+ Proxy<DataCall, &Parser::on_chunk_extension>::Raw,
Proxy<DataCall, &Parser::on_body>::Raw,
Proxy<Call, &Parser::on_message_complete>::Raw,
Proxy<Call, &Parser::on_chunk_header>::Raw,
diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
new file mode 100644
index 0000000..6868b3d
--- /dev/null
+++ b/test/parallel/test-http-chunk-extensions-limit.js
@@ -0,0 +1,131 @@
+'use strict';
+
+const common = require('../common');
+const http = require('http');
+const net = require('net');
+const assert = require('assert');
+
+// Verify that chunk extensions are limited in size when sent all together.
+{
+ const server = http.createServer((req, res) => {
+ req.on('end', () => {
+ res.writeHead(200, { 'Content-Type': 'text/plain' });
+ res.end('bye');
+ });
+
+ req.resume();
+ });
+
+ server.listen(0, () => {
+ const sock = net.connect(server.address().port);
+ let data = '';
+
+ sock.on('data', (chunk) => data += chunk.toString('utf-8'));
+
+ sock.on('end', common.mustCall(function() {
+ assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
+ server.close();
+ }));
+
+ sock.end('' +
+ 'GET / HTTP/1.1\r\n' +
+ 'Host: localhost:8080\r\n' +
+ 'Transfer-Encoding: chunked\r\n\r\n' +
+ '2;' + 'A'.repeat(20000) + '=bar\r\nAA\r\n' +
+ '0\r\n\r\n'
+ );
+ });
+}
+
+// Verify that chunk extensions are limited in size when sent in intervals.
+{
+ const server = http.createServer((req, res) => {
+ req.on('end', () => {
+ res.writeHead(200, { 'Content-Type': 'text/plain' });
+ res.end('bye');
+ });
+
+ req.resume();
+ });
+
+ server.listen(0, () => {
+ const sock = net.connect(server.address().port);
+ let remaining = 20000;
+ let data = '';
+
+ const interval = setInterval(
+ () => {
+ if (remaining > 0) {
+ sock.write('A'.repeat(1000));
+ } else {
+ sock.write('=bar\r\nAA\r\n0\r\n\r\n');
+ clearInterval(interval);
+ }
+
+ remaining -= 1000;
+ },
+ common.platformTimeout(20),
+ ).unref();
+
+ sock.on('data', (chunk) => data += chunk.toString('utf-8'));
+
+ sock.on('end', common.mustCall(function() {
+ assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
+ server.close();
+ }));
+
+ sock.write('' +
+ 'GET / HTTP/1.1\r\n' +
+ 'Host: localhost:8080\r\n' +
+ 'Transfer-Encoding: chunked\r\n\r\n' +
+ '2;'
+ );
+ });
+}
+
+// Verify the chunk extensions is correctly reset after a chunk
+{
+ const server = http.createServer((req, res) => {
+ req.on('end', () => {
+ res.writeHead(200, { 'content-type': 'text/plain', 'connection': 'close', 'date': 'now' });
+ res.end('bye');
+ });
+
+ req.resume();
+ });
+
+ server.listen(0, () => {
+ const sock = net.connect(server.address().port);
+ let data = '';
+
+ sock.on('data', (chunk) => data += chunk.toString('utf-8'));
+
+ sock.on('end', common.mustCall(function() {
+ assert.strictEqual(
+ data,
+ 'HTTP/1.1 200 OK\r\n' +
+ 'content-type: text/plain\r\n' +
+ 'connection: close\r\n' +
+ 'date: now\r\n' +
+ 'Transfer-Encoding: chunked\r\n' +
+ '\r\n' +
+ '3\r\n' +
+ 'bye\r\n' +
+ '0\r\n' +
+ '\r\n',
+ );
+
+ server.close();
+ }));
+
+ sock.end('' +
+ 'GET / HTTP/1.1\r\n' +
+ 'Host: localhost:8080\r\n' +
+ 'Transfer-Encoding: chunked\r\n\r\n' +
+ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
+ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
+ '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
+ '0\r\n\r\n'
+ );
+ });
+}
diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
index 12e2f46..a95eef1 100755
--- a/tools/update-llhttp.sh
+++ b/tools/update-llhttp.sh
@@ -59,5 +59,5 @@ echo ""
echo "Please git add llhttp, commit the new version:"
echo ""
echo "$ git add -A deps/llhttp"
-echo "$ git commit -m \"deps: update nghttp2 to $LLHTTP_VERSION\""
+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
echo ""
--
2.44.0

@ -1,622 +0,0 @@
From 7bc4111b770ada25cdd6e1b938ca7a914617ea53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
Date: Tue, 25 Aug 2020 14:04:54 +0200
Subject: [PATCH] crypto: make FIPS related options always awailable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
`FIPS_mode()` function.
This makes the user experience more consistent, because the OpenSSL
library is always queried and the `crypto.getFips()` always returns
OpenSSL settings.
Fixes #34903
PR-URL: https://github.com/nodejs/node/pull/36341
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
doc/api/cli.md | 8 +--
lib/crypto.js | 22 ++----
node.gypi | 3 -
src/node.cc | 6 +-
src/node_config.cc | 2 -
src/node_crypto.cc | 45 +++++++-----
src/node_options.cc | 2 -
src/node_options.h | 2 -
test/parallel/test-cli-node-print-help.js | 7 +-
test/parallel/test-crypto-fips.js | 71 +++++++++----------
...rocess-env-allowed-flags-are-documented.js | 11 +--
11 files changed, 74 insertions(+), 105 deletions(-)
diff --git a/doc/api/cli.md b/doc/api/cli.md
index 86635f267b..6f14fa6810 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -183,8 +183,8 @@ code from strings throw an exception instead. This does not affect the Node.js
added: v6.0.0
-->
-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
-`./configure --openssl-fips`.)
+Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
+against FIPS-compatible OpenSSL.)
### `--enable-source-maps`
<!-- YAML
@@ -550,8 +550,8 @@ added: v6.9.0
-->
Load an OpenSSL configuration file on startup. Among other uses, this can be
-used to enable FIPS-compliant crypto if Node.js is built with
-`./configure --openssl-fips`.
+used to enable FIPS-compliant crypto if Node.js is built
+against FIPS-enabled OpenSSL.
### `--pending-deprecation`
<!-- YAML
diff --git a/lib/crypto.js b/lib/crypto.js
index b2bcc4d0a4..93d5e21fa0 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -37,12 +37,10 @@ assertCrypto();
const {
ERR_CRYPTO_FIPS_FORCED,
- ERR_CRYPTO_FIPS_UNAVAILABLE
} = require('internal/errors').codes;
const constants = internalBinding('constants').crypto;
const { getOptionValue } = require('internal/options');
const pendingDeprecation = getOptionValue('--pending-deprecation');
-const { fipsMode } = internalBinding('config');
const fipsForced = getOptionValue('--force-fips');
const {
getFipsCrypto,
@@ -191,10 +189,8 @@ module.exports = {
sign: signOneShot,
setEngine,
timingSafeEqual,
- getFips: !fipsMode ? getFipsDisabled :
- fipsForced ? getFipsForced : getFipsCrypto,
- setFips: !fipsMode ? setFipsDisabled :
- fipsForced ? setFipsForced : setFipsCrypto,
+ getFips: fipsForced ? getFipsForced : getFipsCrypto,
+ setFips: fipsForced ? setFipsForced : setFipsCrypto,
verify: verifyOneShot,
// Classes
@@ -213,19 +209,11 @@ module.exports = {
Verify
};
-function setFipsDisabled() {
- throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
-}
-
function setFipsForced(val) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
}
-function getFipsDisabled() {
- return 0;
-}
-
function getFipsForced() {
return 1;
}
@@ -247,10 +235,8 @@ ObjectDefineProperties(module.exports, {
},
// crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
fips: {
- get: !fipsMode ? getFipsDisabled :
- fipsForced ? getFipsForced : getFipsCrypto,
- set: !fipsMode ? setFipsDisabled :
- fipsForced ? setFipsForced : setFipsCrypto
+ get: fipsForced ? getFipsForced : getFipsCrypto,
+ set: fipsForced ? setFipsForced : setFipsCrypto
},
DEFAULT_ENCODING: {
enumerable: false,
diff --git a/node.gypi b/node.gypi
index 116c1c7149..34f385f652 100644
--- a/node.gypi
+++ b/node.gypi
@@ -320,9 +320,6 @@
[ 'node_use_openssl=="true"', {
'defines': [ 'HAVE_OPENSSL=1' ],
'conditions': [
- ['openssl_fips != "" or openssl_is_fips=="true"', {
- 'defines': [ 'NODE_FIPS_MODE' ],
- }],
[ 'node_shared_openssl=="false"', {
'dependencies': [
'./deps/openssl/openssl.gyp:openssl',
diff --git a/src/node.cc b/src/node.cc
index 46e8f74cc2..0a5c3ee8ee 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -964,11 +964,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
crypto::UseExtraCaCerts(extra_ca_certs);
}
-#ifdef NODE_FIPS_MODE
// In the case of FIPS builds we should make sure
// the random source is properly initialized first.
- OPENSSL_init();
-#endif // NODE_FIPS_MODE
+ if (FIPS_mode()) {
+ OPENSSL_init();
+ }
// V8 on Windows doesn't have a good source of entropy. Seed it from
// OpenSSL's pool.
V8::SetEntropySource(crypto::EntropySource);
diff --git a/src/node_config.cc b/src/node_config.cc
index 6ee3164a13..e229eee765 100644
--- a/src/node_config.cc
+++ b/src/node_config.cc
@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
#endif // HAVE_OPENSSL
-#ifdef NODE_FIPS_MODE
READONLY_TRUE_PROPERTY(target, "fipsMode");
-#endif
#ifdef NODE_HAVE_I18N_SUPPORT
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 764dcb8720..f142e625ef 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -50,6 +50,11 @@
#include <openssl/hmac.h>
#include <openssl/rand.h>
#include <openssl/pkcs12.h>
+// The FIPS-related functions are only available
+// when the OpenSSL itself was compiled with FIPS support.
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif // OPENSSL_FIPS
#include <cerrno>
#include <climits> // INT_MAX
@@ -97,6 +102,7 @@ using v8::Signature;
using v8::String;
using v8::Uint32;
using v8::Undefined;
+using v8::TryCatch;
using v8::Value;
#ifdef OPENSSL_NO_OCB
@@ -3595,12 +3601,10 @@ void CipherBase::Init(const char* cipher_type,
HandleScope scope(env()->isolate());
MarkPopErrorOnReturn mark_pop_error_on_return;
-#ifdef NODE_FIPS_MODE
if (FIPS_mode()) {
return env()->ThrowError(
"crypto.createCipher() is not supported in FIPS mode.");
}
-#endif // NODE_FIPS_MODE
const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
if (cipher == nullptr)
@@ -3786,13 +3790,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
return false;
}
-#ifdef NODE_FIPS_MODE
// TODO(tniessen) Support CCM decryption in FIPS mode
if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
env()->ThrowError("CCM decryption not supported in FIPS mode");
return false;
}
-#endif
// Tell OpenSSL about the desired length.
if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
@@ -4712,7 +4714,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
}
static inline bool ValidateDSAParameters(EVP_PKEY* key) {
-#ifdef NODE_FIPS_MODE
/* Validate DSA2 parameters from FIPS 186-4 */
if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
DSA* dsa = EVP_PKEY_get0_DSA(key);
@@ -4728,7 +4729,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
(L == 2048 && N == 256) ||
(L == 3072 && N == 256);
}
-#endif // NODE_FIPS_MODE
return true;
}
@@ -6889,7 +6889,6 @@ void InitCryptoOnce() {
settings = nullptr;
#endif
-#ifdef NODE_FIPS_MODE
/* Override FIPS settings in cnf file, if needed. */
unsigned long err = 0; // NOLINT(runtime/int)
if (per_process::cli_options->enable_fips_crypto ||
@@ -6899,12 +6898,10 @@ void InitCryptoOnce() {
}
}
if (0 != err) {
- fprintf(stderr,
- "openssl fips failed: %s\n",
- ERR_error_string(err, nullptr));
- UNREACHABLE();
+ auto* isolate = Isolate::GetCurrent();
+ auto* env = Environment::GetCurrent(isolate);
+ return ThrowCryptoError(env, err);
}
-#endif // NODE_FIPS_MODE
// Turn off compression. Saves memory and protects against CRIME attacks.
@@ -6950,7 +6947,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
}
#endif // !OPENSSL_NO_ENGINE
-#ifdef NODE_FIPS_MODE
void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
}
@@ -6968,17 +6964,33 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
return ThrowCryptoError(env, err);
}
}
-#endif /* NODE_FIPS_MODE */
+
+void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
+#ifdef OPENSSL_FIPS
+ const auto enabled = FIPS_selftest() ? 1 : 0;
+#else // OPENSSL_FIPS
+ const auto enabled = 0;
+#endif // OPENSSL_FIPS
+
+ args.GetReturnValue().Set(enabled);
+}
void Initialize(Local<Object> target,
Local<Value> unused,
Local<Context> context,
void* priv) {
+ Environment* env = Environment::GetCurrent(context);
+
static uv_once_t init_once = UV_ONCE_INIT;
+ TryCatch try_catch{env->isolate()};
uv_once(&init_once, InitCryptoOnce);
- Environment* env = Environment::GetCurrent(context);
+ if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
+ try_catch.ReThrow();
+ return;
+ }
+
SecureContext::Initialize(env, target);
target->Set(env->context(),
FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
@@ -7007,10 +7019,9 @@ void Initialize(Local<Object> target,
env->SetMethod(target, "setEngine", SetEngine);
#endif // !OPENSSL_NO_ENGINE
-#ifdef NODE_FIPS_MODE
env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
-#endif
+ env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
env->SetMethod(target, "pbkdf2", PBKDF2);
env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
diff --git a/src/node_options.cc b/src/node_options.cc
index 0240b2ef58..d1230da1ad 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -729,7 +729,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
&PerProcessOptions::ssl_openssl_cert_store);
Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
-#if NODE_FIPS_MODE
AddOption("--enable-fips",
"enable FIPS crypto at startup",
&PerProcessOptions::enable_fips_crypto,
@@ -738,7 +737,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
"force FIPS crypto (cannot be disabled)",
&PerProcessOptions::force_fips_crypto,
kAllowedInEnvironment);
-#endif
#endif
AddOption("--use-largepages",
"Map the Node.js static code to large pages. Options are "
diff --git a/src/node_options.h b/src/node_options.h
index aa138c6970..f5e1e7da57 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -236,10 +236,8 @@ class PerProcessOptions : public Options {
#endif
bool use_openssl_ca = false;
bool use_bundled_ca = false;
-#if NODE_FIPS_MODE
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
-#endif
#endif
// Per-process because reports can be triggered outside a known V8 context.
diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
index e115124b04..ed58bf085c 100644
--- a/test/parallel/test-cli-node-print-help.js
+++ b/test/parallel/test-cli-node-print-help.js
@@ -8,8 +8,6 @@ const common = require('../common');
const assert = require('assert');
const { exec } = require('child_process');
-const { internalBinding } = require('internal/test/binding');
-const { fipsMode } = internalBinding('config');
let stdOut;
@@ -29,9 +27,8 @@ function validateNodePrintHelp() {
const cliHelpOptions = [
{ compileConstant: HAVE_OPENSSL,
flags: [ '--openssl-config=...', '--tls-cipher-list=...',
- '--use-bundled-ca', '--use-openssl-ca' ] },
- { compileConstant: fipsMode,
- flags: [ '--enable-fips', '--force-fips' ] },
+ '--use-bundled-ca', '--use-openssl-ca',
+ '--enable-fips', '--force-fips' ] },
{ compileConstant: NODE_HAVE_I18N_SUPPORT,
flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
{ compileConstant: HAVE_INSPECTOR,
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index eae3134402..a1ed645184 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
const path = require('path');
const fixtures = require('../common/fixtures');
const { internalBinding } = require('internal/test/binding');
-const { fipsMode } = internalBinding('config');
+const { testFipsCrypto } = internalBinding('crypto');
const FIPS_ENABLED = 1;
const FIPS_DISABLED = 0;
-const FIPS_ERROR_STRING =
- 'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
- 'non-FIPS build.';
const FIPS_ERROR_STRING2 =
'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
'--force-fips at startup.';
-const OPTION_ERROR_STRING = 'bad option';
+const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
let num_children_ok = 0;
-function compiledWithFips() {
- return fipsMode ? true : false;
-}
-
function sharedOpenSSL() {
return process.config.variables.node_shared_openssl;
}
@@ -75,17 +68,17 @@ testHelper(
// --enable-fips should turn FIPS mode on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
// --force-fips should turn FIPS mode on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
testHelper(
'stdout',
[`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
'require("crypto").getFips()',
process.env);
@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
testHelper(
'stdout',
[],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
testHelper(
'stdout',
[`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
}
@@ -136,50 +129,50 @@ testHelper(
// --enable-fips should take precedence over OpenSSL config file
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
// OPENSSL_CONF should _not_ make a difference to --enable-fips
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
// --force-fips should take precedence over OpenSSL config file
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
process.env);
// Using OPENSSL_CONF should not make a difference to --force-fips
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").getFips()',
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
// setFipsCrypto should be able to turn FIPS mode on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
[],
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").getFips())',
process.env);
// setFipsCrypto should be able to turn FIPS mode on and off
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
[],
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
+ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").setFips(false),' +
'require("crypto").getFips())',
@@ -187,27 +180,27 @@ testHelper(
// setFipsCrypto takes precedence over OpenSSL config file, FIPS on
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
[`--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").getFips())',
process.env);
// setFipsCrypto takes precedence over OpenSSL config file, FIPS off
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ 'stdout',
[`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
+ FIPS_DISABLED,
'(require("crypto").setFips(false),' +
'require("crypto").getFips())',
process.env);
// --enable-fips does not prevent use of setFipsCrypto API
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--enable-fips'],
- compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(false),' +
'require("crypto").getFips())',
process.env);
@@ -216,15 +209,15 @@ testHelper(
testHelper(
'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").setFips(false)',
process.env);
// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
+ testFipsCrypto() ? 'stdout' : 'stderr',
['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
'(require("crypto").setFips(true),' +
'require("crypto").getFips())',
process.env);
@@ -233,7 +226,7 @@ testHelper(
testHelper(
'stderr',
['--force-fips', '--enable-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").setFips(false)',
process.env);
@@ -241,6 +234,6 @@ testHelper(
testHelper(
'stderr',
['--enable-fips', '--force-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
'require("crypto").setFips(false)',
process.env);
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
index 0e0af9471c..af10809634 100644
--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
@@ -44,17 +44,8 @@ const conditionalOpts = [
{ include: common.hasCrypto,
filter: (opt) => {
return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
- '--use-openssl-ca' ].includes(opt);
+ '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
} },
- {
- // We are using openssl_is_fips from the configuration because it could be
- // the case that OpenSSL is FIPS compatible but fips has not been enabled
- // (starting node with --enable-fips). If we use common.hasFipsCrypto
- // that would only tells us if fips has been enabled, but in this case we
- // want to check options which will be available regardless of whether fips
- // is enabled at runtime or not.
- include: process.config.variables.openssl_is_fips,
- filter: (opt) => opt.includes('-fips') },
{ include: common.hasIntl,
filter: (opt) => opt === '--icu-data-dir' },
{ include: process.features.inspector,
--
2.31.1

@ -0,0 +1,42 @@
From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Tue, 26 Mar 2024 15:55:13 -0300
Subject: [PATCH] src: ensure to close stream when destroying session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Anna Henningsen <anna@addaleax.net>
PR-URL: https://github.com/nodejs-private/node-private/pull/561
Fixes: https://hackerone.com/reports/2319584
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
CVE-ID: CVE-2024-27983
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Signed-off-by: rpm-build <rpm-build>
---
src/node_http2.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 53216dc..9a6d63d 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
Http2Session::~Http2Session() {
CHECK(!is_in_scope());
Debug(this, "freeing nghttp2 session");
+ // Ensure that all `Http2Stream` instances and the memory they hold
+ // on to are destroyed before the nghttp2 session is.
+ for (const auto& [id, stream] : streams_) {
+ stream->Detach();
+ }
+ streams_.clear();
// Explicitly reset session_ so the subsequent
// current_nghttp2_memory_ check passes.
session_.reset();
--
2.44.0

@ -0,0 +1,112 @@
From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
deps/nghttp2/lib/nghttp2_helper.c | 2 ++
deps/nghttp2/lib/nghttp2_session.c | 7 +++++++
deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++
4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index fa22081..b394bde 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
index 93dd475..b3563d9 100644
--- a/deps/nghttp2/lib/nghttp2_helper.c
+++ b/deps/nghttp2/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index ec5024d..8e4d2e7 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
index b119329..ef8f7b2 100644
--- a/deps/nghttp2/lib/nghttp2_session.h
+++ b/deps/nghttp2/lib/nghttp2_session.h
@@ -110,6 +110,10 @@ typedef struct {
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -290,6 +294,12 @@ struct nghttp2_session {
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
--
2.44.0

@ -0,0 +1,94 @@
From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:48:10 +0900
Subject: [PATCH] Add nghttp2_option_set_max_continuations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Related: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
deps/nghttp2/lib/nghttp2_option.c | 5 +++++
deps/nghttp2/lib/nghttp2_option.h | 5 +++++
deps/nghttp2/lib/nghttp2_session.c | 4 ++++
4 files changed, 25 insertions(+)
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index b394bde..4d3339b 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
uint64_t burst, uint64_t rate);
+/**
+ * @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
index 43d4e95..53144b9 100644
--- a/deps/nghttp2/lib/nghttp2_option.c
+++ b/deps/nghttp2/lib/nghttp2_option.c
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
option->stream_reset_burst = burst;
option->stream_reset_rate = rate;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
index 2259e18..c89cb97 100644
--- a/deps/nghttp2/lib/nghttp2_option.h
+++ b/deps/nghttp2/lib/nghttp2_option.h
@@ -71,6 +71,7 @@ typedef enum {
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -98,6 +99,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_SETTINGS
*/
size_t max_settings;
+ /**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index 8e4d2e7..ced7517 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
option->stream_reset_burst,
option->stream_reset_rate);
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
--
2.44.0

File diff suppressed because one or more lines are too long

@ -0,0 +1,39 @@
From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Thu, 22 Feb 2024 16:23:33 -0500
Subject: [PATCH] Address CVE-2024-25629
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-25629
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares__read_line.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
index c62ad2a..16627e4 100644
--- a/deps/cares/src/lib/ares__read_line.c
+++ b/deps/cares/src/lib/ares__read_line.c
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
if (!fgets(*buf + offset, bytestoread, fp))
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
len = offset + strlen(*buf + offset);
+
+ /* Probably means there was an embedded NULL as the first character in
+ * the line, throw away line */
+ if (len == 0) {
+ offset = 0;
+ continue;
+ }
+
if ((*buf)[len - 1] == '\n')
{
(*buf)[len - 1] = 0;
--
2.44.0

@ -128,7 +128,7 @@ echo "$ICUMD5 $ICUTARBALL" > icu.md5
md5sum -c icu.md5
rm -f icu.md5 SHASUMS256.txt
rhpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
rm -f node-v${version}.tar.gz
@ -155,12 +155,6 @@ grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_versio
grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h
grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
echo
echo "http-parser"
echo "========================="
grep "define HTTP_PARSER_VERSION_MAJOR" node-v${version}/deps/http_parser/http_parser.h
grep "define HTTP_PARSER_VERSION_MINOR" node-v${version}/deps/http_parser/http_parser.h
grep "define HTTP_PARSER_VERSION_PATCH" node-v${version}/deps/http_parser/http_parser.h
echo
echo "llhttp"
echo "========================="
grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h
@ -177,6 +171,14 @@ echo "nghttp2"
echo "========================="
grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
echo
echo "nghttp3"
echo "========================="
grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
echo
echo "ngtcp2"
echo "========================="
grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
echo
echo "ICU"
echo "========================="
grep "url" node-v${version}/tools/icu/current_ver.dep
@ -185,19 +187,15 @@ echo "punycode"
echo "========================="
grep "'version'" node-v${version}/lib/punycode.js
echo
echo "npm"
echo "========================="
grep "\"version\":" node-v${version}/deps/npm/package.json
echo
echo "uvwasi"
echo "========================="
grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
echo
echo "brotli"
echo "npm"
echo "========================="
grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h
grep "\"version\":" node-v${version}/deps/npm/package.json
echo
echo "Make sure these versions match what is in the RPM spec file"

@ -0,0 +1,5 @@
# This is the distibution-level configuration file for npm.
# To configure NPM on a system level, use the globalconfig below (defaults to @SYSCONFDIR@/npmrc).
# vim:set filetype=dosini:
globalconfig=@SYSCONFDIR@/npmrc

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save