From e87746ff0fa41754d0bfdcc5d734098ce8f03e92 Mon Sep 17 00:00:00 2001 From: "electron-roller[bot]" <84116207+electron-roller[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 12:49:20 -0500 Subject: [PATCH] chore: bump node to v20.11.1 (main) (#41353) * chore: bump node in DEPS to v20.11.1 * chore: update patches * crypto: disable PKCS#1 padding for privateDecrypt https://github.com/nodejs-private/node-private/pull/525 --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr --- DEPS | 2 +- ...de_entrypoint_to_be_a_builtin_module.patch | 4 ++-- .../fix_crypto_tests_to_run_with_bssl.patch | 17 ++++++++++++--- ...ingssl_and_openssl_incompatibilities.patch | 21 +++++++++++++++++-- ...src_preload_function_for_environment.patch | 6 +++--- script/node-disabled-tests.json | 2 ++ 6 files changed, 41 insertions(+), 11 deletions(-) diff --git a/DEPS b/DEPS index 262ebc6f931..be8a1ba72c1 100644 --- a/DEPS +++ b/DEPS @@ -4,7 +4,7 @@ vars = { 'chromium_version': '123.0.6296.0', 'node_version': - 'v20.11.0', + 'v20.11.1', 'nan_version': 'e14bdcd1f72d62bca1d541b66da43130384ec213', 'squirrel.mac_version': diff --git a/patches/node/chore_allow_the_node_entrypoint_to_be_a_builtin_module.patch b/patches/node/chore_allow_the_node_entrypoint_to_be_a_builtin_module.patch index 4a342ab026d..6955eeada11 100644 --- a/patches/node/chore_allow_the_node_entrypoint_to_be_a_builtin_module.patch +++ b/patches/node/chore_allow_the_node_entrypoint_to_be_a_builtin_module.patch @@ -26,10 +26,10 @@ index 1f3b719048f2477de183e2856b9b8eee8502f708..21116088c101f4679b5a5f41762ce710 try { resolvedArgv = Module._resolveFilename(process.argv[1], null, false); diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js -index 9142fed75e9050fcc17c01208e82f1bc57923fcd..157a85623c7eb5338baa77aba5dc448a4614ded0 100644 +index cffffc28d3d703aab4beca6a150549f370281615..eb66f0e37b517a03be20e0829863e7572042c7ed 100644 --- a/lib/internal/process/pre_execution.js +++ b/lib/internal/process/pre_execution.js -@@ -232,12 +232,14 @@ function patchProcessObject(expandArgv1) { +@@ -233,12 +233,14 @@ function patchProcessObject(expandArgv1) { if (expandArgv1 && process.argv[1] && !StringPrototypeStartsWith(process.argv[1], '-')) { // Expand process.argv[1] into a full path. diff --git a/patches/node/fix_crypto_tests_to_run_with_bssl.patch b/patches/node/fix_crypto_tests_to_run_with_bssl.patch index 4bc2db858be..7933f5055c0 100644 --- a/patches/node/fix_crypto_tests_to_run_with_bssl.patch +++ b/patches/node/fix_crypto_tests_to_run_with_bssl.patch @@ -549,7 +549,7 @@ index 1785f5eef3d202976666081d09850ed744d83446..e88227a215ba4f7fa196f7642ae694a5 }); diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js -index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149ba4abc8c 100644 +index 438037acc867c2bd6e34ffdcd1e706f8d0ff6a57..65611c79d0e93bf7f91948b2a0105cdc3192b2f2 100644 --- a/test/parallel/test-crypto-rsa-dsa.js +++ b/test/parallel/test-crypto-rsa-dsa.js @@ -28,12 +28,11 @@ const dsaPkcs8KeyPem = fixtures.readKey('dsa_private_pkcs8.pem'); @@ -570,7 +570,18 @@ index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149 }; const decryptError = common.hasOpenSSL3 ? -@@ -397,7 +396,7 @@ assert.throws(() => { +@@ -221,8 +220,8 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) { + oaepHash: encryptOaepHash + }, bufferToEncrypt); + +- +- if (padding === constants.RSA_PKCS1_PADDING) { ++ // BoringSSL does not support RSA_PKCS1_PADDING. ++ if (false) { + assert.throws(() => { + crypto.privateDecrypt({ + key: rsaKeyPem, +@@ -415,7 +414,7 @@ assert.throws(() => { assert.strictEqual(verify2.verify(publicKey, signature, 'hex'), true); } @@ -579,7 +590,7 @@ index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149 // // Test DSA signing and verification // -@@ -472,3 +471,4 @@ const input = 'I AM THE WALRUS'; +@@ -490,3 +489,4 @@ const input = 'I AM THE WALRUS'; assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true); } diff --git a/patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch b/patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch index f10f579b90f..18c3b4822b5 100644 --- a/patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch +++ b/patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch @@ -17,10 +17,10 @@ Upstreams: - https://github.com/nodejs/node/pull/39136 diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc -index 2e6e02d229b67bc97e0d15a2704e091d5289df9c..6fd0416820998bd0ba4c4cd4fe3093f144610f18 100644 +index 99a16a667baa20138715b0901e3255e41f5f1052..a7f210031085a348f752e7e7e963d2f040bc2000 100644 --- a/src/crypto/crypto_cipher.cc +++ b/src/crypto/crypto_cipher.cc -@@ -27,7 +27,8 @@ using v8::Value; +@@ -28,7 +28,8 @@ using v8::Value; namespace crypto { namespace { bool IsSupportedAuthenticatedMode(const EVP_CIPHER* cipher) { @@ -30,6 +30,23 @@ index 2e6e02d229b67bc97e0d15a2704e091d5289df9c..6fd0416820998bd0ba4c4cd4fe3093f1 case EVP_CIPH_CCM_MODE: case EVP_CIPH_GCM_MODE: #ifndef OPENSSL_NO_OCB +@@ -1062,7 +1063,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { + if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) { + return ThrowCryptoError(env, ERR_get_error()); + } +- ++#ifndef OPENSSL_IS_BORINGSSL + int rsa_pkcs1_implicit_rejection = + EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1"); + // From the doc -2 means that the option is not supported. +@@ -1078,6 +1079,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { + "RSA_PKCS1_PADDING is no longer supported for private decryption," + " this can be reverted with --security-revert=CVE-2023-46809"); + } ++#endif + } + + const EVP_MD* digest = nullptr; diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc index c6120a655ec853aef11c66ed37d7ca0ffb957dd3..a52ca15cb0ab592d4196d4bd0f1133240967d70c 100644 --- a/src/crypto/crypto_common.cc diff --git a/patches/node/src_preload_function_for_environment.patch b/patches/node/src_preload_function_for_environment.patch index 5679e1572cc..25190267de4 100644 --- a/patches/node/src_preload_function_for_environment.patch +++ b/patches/node/src_preload_function_for_environment.patch @@ -20,10 +20,10 @@ running the main script, for example: extensions. diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js -index 157a85623c7eb5338baa77aba5dc448a4614ded0..701f91f1c9603c1da03e0fe6d20c8627c8d644fb 100644 +index eb66f0e37b517a03be20e0829863e7572042c7ed..4d5646b6067a1409df5915cc744bdc38d0191bd9 100644 --- a/lib/internal/process/pre_execution.js +++ b/lib/internal/process/pre_execution.js -@@ -185,6 +185,9 @@ function setupUserModules(forceDefaultLoader = false) { +@@ -186,6 +186,9 @@ function setupUserModules(forceDefaultLoader = false) { initializeESMLoader(forceDefaultLoader); const CJSLoader = require('internal/modules/cjs/loader'); assert(!CJSLoader.hasLoadedAnyUserCJSModule); @@ -33,7 +33,7 @@ index 157a85623c7eb5338baa77aba5dc448a4614ded0..701f91f1c9603c1da03e0fe6d20c8627 // Do not enable preload modules if custom loaders are disabled. // For example, loader workers are responsible for doing this themselves. // And preload modules are not supported in ShadowRealm as well. -@@ -742,6 +745,10 @@ function initializeFrozenIntrinsics() { +@@ -745,6 +748,10 @@ function initializeFrozenIntrinsics() { } } diff --git a/script/node-disabled-tests.json b/script/node-disabled-tests.json index 4b8f9ec1975..c1ed8eeaf3c 100644 --- a/script/node-disabled-tests.json +++ b/script/node-disabled-tests.json @@ -16,6 +16,8 @@ "parallel/test-crypto-key-objects", "parallel/test-crypto-keygen", "parallel/test-crypto-keygen-deprecation", + "parallel/test-crypto-rsa-dsa-revert", + "parallel/test-crypto-rsa-dsa.js", "parallel/test-crypto-padding-aes256", "parallel/test-crypto-secure-heap", "parallel/test-dgram-send-cb-quelches-error",