Your message dated Wed, 22 Nov 2023 19:06:39 +0000
with message-id <[email protected]>
and subject line Bug#1052470: fixed in nodejs 18.13.0+dfsg1-1.1
has caused the Debian Bug report #1052470,
regarding nodejs: Please fix testsuite for openssl-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1052470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nodejs
Version: 18.13.0+dfsg1-1
Severity: important
Tags: patch

The nodejs version in unstable FTBFS against openssl 3.1 due to the
testsuite. I had something working and then looked in the upstream git
and backported their change against the packaging master-18.x branch.
Hopefully this makes less work for everyone. One patch is for upstream,
one I made myself.
Now I'm about to test this… But it looks promising ;)

Sebastian
From 85aa9556000424fcde6748bed969a01e864be266 Mon Sep 17 00:00:00 2001
From: OttoHollmann <[email protected]>
Date: Thu, 1 Jun 2023 16:52:53 +0200
Subject: [PATCH 1/2] test: adapt tests for OpenSSL 3.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-URL: https://github.com/nodejs/node/pull/47859
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
(cherry picked from commit 5f283722072e400234d3e15f1f2caa2ca2fd8d60)
Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
---
 test/common/index.js                             |  6 +++++-
 .../test-https-agent-session-eviction.js         |  1 +
 test/parallel/test-tls-alert.js                  |  1 +
 test/parallel/test-tls-getprotocol.js            | 16 +++++++++++++---
 test/parallel/test-tls-min-max-version.js        |  3 +++
 test/parallel/test-tls-session-cache.js          |  1 +
 6 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/test/common/index.js b/test/common/index.js
index e0c6e7aa0c996..35c3eac6481b3 100644
--- a/test/common/index.js
+++ b/test/common/index.js
@@ -56,7 +56,10 @@ const hasCrypto = Boolean(process.versions.openssl) &&
                   !process.env.NODE_SKIP_CRYPTO;
 
 const hasOpenSSL3 = hasCrypto &&
-    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 805306368;
+    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000;
+
+const hasOpenSSL31 = hasCrypto &&
+    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000;
 
 const hasQuic = hasCrypto && !!process.config.variables.openssl_quic;
 
@@ -899,6 +902,7 @@ const common = {
   hasIntl,
   hasCrypto,
   hasOpenSSL3,
+  hasOpenSSL31,
   hasQuic,
   hasMultiLocalhost,
   invalidArgTypeHelper,
diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
index 940c43cc40bf1..36c360a96503d 100644
--- a/test/parallel/test-https-agent-session-eviction.js
+++ b/test/parallel/test-https-agent-session-eviction.js
@@ -54,6 +54,7 @@ function faultyServer(port) {
 function second(server, session) {
   const req = https.request({
     port: server.address().port,
+    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
     rejectUnauthorized: false
   }, function(res) {
     res.resume();
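Review bot: The added `ciphers` line in `second()` drops the OpenSSL security level to 0 with no comment explaining why, right next to `rejectUnauthorized: false`. At level 0 OpenSSL applies no minimum strength to ciphers or keys, so a reader should be able to see that this is deliberate and limited to the test; the reason given in patch 2/2's message (OpenSSL 3.1 allows TLS 1.1 and older only at level 0) is not visible at the call site. I would add `// TLS 1.1 and older need security level 0 on OpenSSL 3.1; test-only setting.` above the line. The same comment fits the `-cipher` arguments in test-tls-alert.js and test-tls-session-cache.js and the `clientConfigs` entries in test-tls-getprotocol.js; `second()` continues past the end of the hunk.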
diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js
index 31b07104c241a..04000771aa977 100644
--- a/test/parallel/test-tls-alert.js
+++ b/test/parallel/test-tls-alert.js
@@ -42,6 +42,7 @@ const server = tls.Server({
   cert: loadPEM('agent2-cert')
 }, null).listen(0, common.mustCall(() => {
   const args = ['s_client', '-quiet', '-tls1_1',
+                '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
                 '-connect', `127.0.0.1:${server.address().port}`];
 
   execFile(common.opensslCli, args, common.mustCall((err, _, stderr) => {
diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js
index d45287d671d8a..7da2f60676d00 100644
--- a/test/parallel/test-tls-getprotocol.js
+++ b/test/parallel/test-tls-getprotocol.js
@@ -11,9 +11,18 @@ const tls = require('tls');
 const fixtures = require('../common/fixtures');
 
 const clientConfigs = [
-  { secureProtocol: 'TLSv1_method', version: 'TLSv1' },
-  { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' },
-  { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' },
+  {
+    secureProtocol: 'TLSv1_method',
+    version: 'TLSv1',
+    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+  }, {
+    secureProtocol: 'TLSv1_1_method',
+    version: 'TLSv1.1',
+    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+  }, {
+    secureProtocol: 'TLSv1_2_method',
+    version: 'TLSv1.2'
+  },
 ];
 
 const serverConfig = {
@@ -30,6 +39,7 @@ const server = tls.createServer(serverConfig, common.mustCall(clientConfigs.leng
     tls.connect({
       host: common.localhostIPv4,
       port: server.address().port,
+      ciphers: v.ciphers,
       rejectUnauthorized: false,
       secureProtocol: v.secureProtocol
     }, common.mustCall(function() {
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index 5cea41ca7e0bd..ab351558a4c8b 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -22,6 +22,9 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
     if (serr !== 'ERR_SSL_UNSUPPORTED_PROTOCOL')
       ciphers = 'ALL@SECLEVEL=0';
   }
+  if (common.hasOpenSSL31 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') {
+    ciphers = 'DEFAULT@SECLEVEL=0';
+  }
   // Report where test was called from. Strip leading garbage from
   //     at Object.<anonymous> (file:line)
   // from the stack location, we only want the file:line part.
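Review bot: The new `if` at the end of this hunk is a separate statement rather than an `else if`, so when the block above has already set `ciphers = 'ALL@SECLEVEL=0'` and `cerr` is `ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION`, the value is silently replaced by the narrower `DEFAULT` list. The opening condition of the earlier block is outside the hunk, so whether the two cases can overlap cannot be confirmed from here; if the override is intended, a comment such as `// Takes precedence over the ALL@SECLEVEL=0 choice above.` would make that explicit. Patch 2/2 touches the same lines and keeps the unchained `if`. `test()` begins before and ends after the hunk.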
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
index c4bebff2e3208..e4ecb53282fba 100644
--- a/test/parallel/test-tls-session-cache.js
+++ b/test/parallel/test-tls-session-cache.js
@@ -100,6 +100,7 @@ function doTest(testOptions, callback) {
     const args = [
       's_client',
       '-tls1',
+      '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
       '-connect', `localhost:${this.address().port}`,
       '-servername', 'ohgod',
       '-key', fixtures.path('keys/rsa_private.pem'),
-- 
2.40.1

>From caef2948f3f4881a25736bdfee472798ff12110e Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <[email protected]>
Date: Thu, 21 Sep 2023 22:38:32 +0200
Subject: [PATCH 2/2] test: Use seclevel=0 unconditionally on OpenSSL 3

OpenSSL 3.1 forces TLS v1.1 and less to security level 0 so the security
level was lowered in the tests to pass them.
There is no need to conditionally lower the limit on OpenSSL 3.1 since the
same can be done on 3.0. Both OpenSSL versions share the same ABI so nodejs
can be compiled against 3.0 and run the tests against 3.1.

Remove 3.1 special case and use it unconditionally on the 3 series.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
---
 test/common/index.js                               | 4 ----
 test/parallel/test-https-agent-session-eviction.js | 2 +-
 test/parallel/test-tls-alert.js                    | 2 +-
 test/parallel/test-tls-getprotocol.js              | 4 ++--
 test/parallel/test-tls-min-max-version.js          | 4 ++--
 test/parallel/test-tls-session-cache.js            | 2 +-
 6 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/test/common/index.js b/test/common/index.js
index 35c3eac6481b3..73ae906a3f08d 100644
--- a/test/common/index.js
+++ b/test/common/index.js
@@ -58,9 +58,6 @@ const hasCrypto = Boolean(process.versions.openssl) &&
 const hasOpenSSL3 = hasCrypto &&
     require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000;
 
-const hasOpenSSL31 = hasCrypto &&
-    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000;
-
 const hasQuic = hasCrypto && !!process.config.variables.openssl_quic;
 
 function parseTestFlags(filename = process.argv[1]) {
@@ -902,7 +899,6 @@ const common = {
   hasIntl,
   hasCrypto,
   hasOpenSSL3,
-  hasOpenSSL31,
   hasQuic,
   hasMultiLocalhost,
   invalidArgTypeHelper,
diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
index 36c360a96503d..b094403af8e07 100644
--- a/test/parallel/test-https-agent-session-eviction.js
+++ b/test/parallel/test-https-agent-session-eviction.js
@@ -54,7 +54,7 @@ function faultyServer(port) {
 function second(server, session) {
   const req = https.request({
     port: server.address().port,
-    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
+    ciphers: 'DEFAULT:@SECLEVEL=0',
     rejectUnauthorized: false
   }, function(res) {
     res.resume();
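Review bot: The literal `'DEFAULT:@SECLEVEL=0'` in `second()` is now applied on every build, whereas the subject line says "on OpenSSL 3"; only the test-tls-min-max-version.js hunk keeps a `common.hasOpenSSL3` gate. The same holds for the hunks in test-tls-alert.js, test-tls-getprotocol.js and test-tls-session-cache.js. If builds against an older or different TLS library are still expected to run these tests, gate it as `ciphers: (common.hasOpenSSL3 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),`; if not, adjust the subject or add a comment stating that level 0 is intended everywhere. `second()` continues past the end of the hunk.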
diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js
index 04000771aa977..6a95a5db5ad7c 100644
--- a/test/parallel/test-tls-alert.js
+++ b/test/parallel/test-tls-alert.js
@@ -42,7 +42,7 @@ const server = tls.Server({
   cert: loadPEM('agent2-cert')
 }, null).listen(0, common.mustCall(() => {
   const args = ['s_client', '-quiet', '-tls1_1',
-                '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
+                '-cipher', 'DEFAULT:@SECLEVEL=0',
                 '-connect', `127.0.0.1:${server.address().port}`];
 
   execFile(common.opensslCli, args, common.mustCall((err, _, stderr) => {
diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js
index 7da2f60676d00..0873106477bd9 100644
--- a/test/parallel/test-tls-getprotocol.js
+++ b/test/parallel/test-tls-getprotocol.js
@@ -14,11 +14,11 @@ const clientConfigs = [
   {
     secureProtocol: 'TLSv1_method',
     version: 'TLSv1',
-    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+    ciphers: 'DEFAULT:@SECLEVEL=0'
   }, {
     secureProtocol: 'TLSv1_1_method',
     version: 'TLSv1.1',
-    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+    ciphers: 'DEFAULT:@SECLEVEL=0'
   }, {
     secureProtocol: 'TLSv1_2_method',
     version: 'TLSv1.2'
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index ab351558a4c8b..a196f1c320bd1 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -22,8 +22,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
     if (serr !== 'ERR_SSL_UNSUPPORTED_PROTOCOL')
       ciphers = 'ALL@SECLEVEL=0';
   }
-  if (common.hasOpenSSL31 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') {
-    ciphers = 'DEFAULT@SECLEVEL=0';
+  if (common.hasOpenSSL3 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') {
+    ciphers = 'DEFAULT:@SECLEVEL=0';
   }
   // Report where test was called from. Strip leading garbage from
   //     at Object.<anonymous> (file:line)
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
index e4ecb53282fba..94e8fc567fabc 100644
--- a/test/parallel/test-tls-session-cache.js
+++ b/test/parallel/test-tls-session-cache.js
@@ -100,7 +100,7 @@ function doTest(testOptions, callback) {
     const args = [
       's_client',
       '-tls1',
-      '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
+      '-cipher', 'DEFAULT:@SECLEVEL=0',
       '-connect', `localhost:${this.address().port}`,
       '-servername', 'ohgod',
       '-key', fixtures.path('keys/rsa_private.pem'),
-- 
2.40.1


--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 18.13.0+dfsg1-1.1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated nodejs 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Nov 2023 18:15:44 +0100
Source: nodejs
Architecture: source
Version: 18.13.0+dfsg1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 
<[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1031834 1039990 1050739 1052470 1054892 1055416
Changes:
 nodejs (18.13.0+dfsg1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Adapt testsuite failures in test-crypto-dh since OpenSSL 3.0.12/3.1.4
     (Closes: #1055416).
   * Adapt testsuite failures due TLSv < 1.1 available only at seclevel 0
     (Closes: #1052470).
   * CVE-2023-23919 (Node.js OpenSSL error handling issues in nodejs crypto
     library). (Closes: #1031834).
   * CVE-2023-23920 (Node.js insecure loading of ICU data through ICU_DATA
     environment variable) (Closes: #1031834).
   * CVE-2023-30590 (DiffieHellman do not generate keys after setting a private
     key) (Closes: #1039990).
   * CVE-2023-30589 (HTTP Request Smuggling via Empty headers separated by CR)
    (Closes: #1039990).
   * CVE-2023-30588 (Process interuption due to invalid Public Key information
     in x509 certificates) (Closes: #1039990).
   * CVE-2023-32559 (Permissions policies can be bypassed via process.binding)
     (Closes: #1050739).
   * CVE-2023-30581 (mainModule.proto bypass experimental policy mechanism)
     (Closes: #1039990).
   * CVE-2023-32002 (Permissions policies can be bypassed via Module._load)
     (Closes: #1050739).
   * CVE-2023-32006 (Permissions policies can impersonate other modules in
     using module.constructor.createRequire()) (Closes: #1050739).
   * CVE-2023-38552 (Integrity checks according to policies can be
     circumvented) (Closes: #1054892).
   * CVE-2023-39333 (Code injection via WebAssembly export names)
     (Closes: #1054892).
Checksums-Sha1:
 dcaebed33f6dcc4676e2de5744eedd113a8b896f 3893 nodejs_18.13.0+dfsg1-1.1.dsc
 40afec3b105abf5f5103060af70a3b92c4fe3133 193396 
nodejs_18.13.0+dfsg1-1.1.debian.tar.xz
Checksums-Sha256:
 28f1b461b19098a6c8a7918fa1e233350160c429dcfd5d5859d9e510948048c2 3893 
nodejs_18.13.0+dfsg1-1.1.dsc
 3bef0de67aa1831dc43fdda99f314cdb7b13361d3d3b34a88dd5df8b6e3cf23d 193396 
nodejs_18.13.0+dfsg1-1.1.debian.tar.xz
Files:
 7e942e84e0e8b3acebaa5ea6ca48aa49 3893 javascript optional 
nodejs_18.13.0+dfsg1-1.1.dsc
 2a6f98d11292e933c2d0f2fc486ce3b1 193396 javascript optional 
nodejs_18.13.0+dfsg1-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
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=7nMl
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
