Ubuntu
nodejs package

Merge ~adrien/ubuntu/+source/nodejs:plucky-test-failures-openssl-3.4 into ubuntu/+source/nodejs:ubuntu/devel

  1. Git
  2. lp:~adrien/ubuntu/+source/nodejs
  3. plucky-test-failures-openssl-3.4
  4. Merge into ubuntu/devel
Proposed by Adrien Nader
Status: Merged
Merge reported by: Adrien Nader
Merged at revision: 8353d81f16566fc6516c355773872a199c2a8d72
Proposed branch: ~adrien/ubuntu/+source/nodejs:plucky-test-failures-openssl-3.4
Merge into: ubuntu/+source/nodejs:ubuntu/devel
Diff against target: 238 lines (+192/-1)
6 files modified
debian/changelog (+11/-0)
debian/control (+2/-1)
debian/patches/build/test-openssl-3.4-returns-decrypt_error-upon-PSK-bind.patch (+41/-0)
debian/patches/build/test-skip-sha128-256-createHash-hash-on-openssl-3.4.patch (+55/-0)
debian/patches/build/test_make_test-crypto-hash_compatible_with_OpenSSL_3.4.0.patch (+80/-0)
debian/patches/series (+3/-0)
Reviewer Review Type Date Requested Status
Ubuntu Sponsors Pending
Review via email: mp+478606@code.launchpad.net

Description of the change

Please review this merge request.

# 📊 PPA
A PPA is available at:
 https://launchpad.net/~adrien/+archive/ubuntu/plucky-openssl-merge-3.4

# 🧪 Autopkgtest results
- ✅ nodejs on plucky for amd64 @ 18.12.24 14:38:33
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-adrien-plucky-openssl-merge-3.4/plucky/amd64/n/nodejs/20241218_143833_df8c5@/log.gz
- ❌ nodejs on plucky for arm64 @ 18.12.24 14:55:29
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-adrien-plucky-openssl-merge-3.4/plucky/arm64/n/nodejs/20241218_145529_bee57@/log.gz
      • Status: FAIL
      • command1 FAIL 🟥
- ✅ nodejs on plucky for armhf @ 18.12.24 15:20:30
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-adrien-plucky-openssl-merge-3.4/plucky/armhf/n/nodejs/20241218_152030_e77e5@/log.gz
- ❌ nodejs on plucky for i386 @ 18.12.24 14:28:43
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-adrien-plucky-openssl-merge-3.4/plucky/i386/n/nodejs/20241218_142843_809ae@/log.gz
      • Status: FAIL
      • command1 FAIL 🟥
- ❌ nodejs on plucky for s390x @ 18.12.24 14:44:46
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-adrien-plucky-openssl-merge-3.4/plucky/s390x/n/nodejs/20241218_144446_82d2e@/log.gz
      • Status: FAIL
      • command1 FAIL 🟥

Tests already fail on i386 and s390x so these failure won't have an
impact.

As for arm64, I've seen the error occur in tests unrelated to openssl
3.4 and I suspect it might have recently gotten flacky on s390x (note
that it's the same failure as on s390x so it may be interesting by
itself but it's best handled separately).

# 🔍 Lintian diff from most recent published package
No relevant lintian change

To post a comment you must log in.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index bdbd16b..c7437bc 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+nodejs (20.18.1+dfsg-1ubuntu1) plucky; urgency=medium
7+
8+ * build/test_make_test-crypto-hash_compatible_with_OpenSSL_3.4.0.patch:
9+ Skip shake128/shake256 tests that use outputLength: 0 with openssl 3.4
10+ * test-skip-sha128-256-createHash-hash-on-openssl-3.4.patch:
11+ Skip tests createHash() = hash() for shake128/shake256 on openssl 3.4
12+ * test-openssl-3.4-returns-decrypt_error-upon-PSK-bind.patch:
13+ Follow openssl 3.4 fixing a TLS 1.3 error code
14+
15+ -- Adrien Nader <adrien.nader@canonical.com> Wed, 18 Dec 2024 10:52:41 +0100
16+
17 nodejs (20.18.1+dfsg-1) unstable; urgency=medium
18
19 * New upstream version 20.18.1+dfsg
20diff --git a/debian/control b/debian/control
21index adfd668..ac1d6b0 100644
22--- a/debian/control
23+++ b/debian/control
24@@ -1,7 +1,8 @@
25 Source: nodejs
26 Section: javascript
27 Priority: optional
28-Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
29+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
30+XSBC-Original-Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
31 Uploaders: Jérémy Lal <kapouer@melix.org>,
32 Jonas Smedegaard <dr@jones.dk>
33 Build-Depends:
34diff --git a/debian/patches/build/test-openssl-3.4-returns-decrypt_error-upon-PSK-bind.patch b/debian/patches/build/test-openssl-3.4-returns-decrypt_error-upon-PSK-bind.patch
35new file mode 100644
36index 0000000..9760383
37--- /dev/null
38+++ b/debian/patches/build/test-openssl-3.4-returns-decrypt_error-upon-PSK-bind.patch
39@@ -0,0 +1,41 @@
40+From cc182417a12cfa72747f2f78b3a378dd60191691 Mon Sep 17 00:00:00 2001
41+From: Adrien Nader <adrien.nader@canonical.com>
42+Date: Tue, 17 Dec 2024 17:29:38 +0100
43+Subject: [PATCH 2/2] test: openssl 3.4 returns decrypt_error upon PSK binder
44+ validation failure
45+
46+According to RFC 8446 (TLS 1.3), a PSK binder validation failure should
47+result in decrypt_error rather than illegal_parameter which openssl had
48+been using. Update the tests to match openssl's fix.
49+
50+Refs: https://github.com/openssl/openssl/commit/02b8b7b83698d1c7ddfef274f16c039c8cca7988
51+Refs: https://www.rfc-editor.org/rfc/rfc8446
52+
53+Forwarded: https://github.com/nodejs/node/pull/56294
54+Bug: https://github.com/nodejs/node/pull/56294
55+
56+---
57+ test/parallel/test-tls-psk-circuit.js | 8 ++++++--
58+ 1 file changed, 6 insertions(+), 2 deletions(-)
59+
60+diff --git a/test/parallel/test-tls-psk-circuit.js b/test/parallel/test-tls-psk-circuit.js
61+index e93db3eb1b..690628758f 100644
62+--- a/test/parallel/test-tls-psk-circuit.js
63++++ b/test/parallel/test-tls-psk-circuit.js
64+@@ -66,7 +66,11 @@ const expectedHandshakeErr = common.hasOpenSSL(3, 2) ?
65+ 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
66+ test({ psk: USERS.UserB, identity: 'UserC' }, {}, expectedHandshakeErr);
67+ // Recognized user but incorrect secret should fail handshake
68+-const expectedIllegalParameterErr = common.hasOpenSSL32 ?
69+- 'ERR_SSL_SSL/TLS_ALERT_ILLEGAL_PARAMETER' : 'ERR_SSL_SSLV3_ALERT_ILLEGAL_PARAMETER';
70++const expectedIllegalParameterErr =
71++ common.hasOpenSSL(3, 4)
72++ ? 'ERR_SSL_TLSV1_ALERT_DECRYPT_ERROR'
73++ : (common.hasOpenSSL(3, 2)
74++ ? 'ERR_SSL_SSL/TLS_ALERT_ILLEGAL_PARAMETER'
75++ : 'ERR_SSL_SSLV3_ALERT_ILLEGAL_PARAMETER');
76+ test({ psk: USERS.UserA, identity: 'UserB' }, {}, expectedIllegalParameterErr);
77+ test({ psk: USERS.UserB, identity: 'UserB' });
78+--
79+2.45.2
80+
81diff --git a/debian/patches/build/test-skip-sha128-256-createHash-hash-on-openssl-3.4.patch b/debian/patches/build/test-skip-sha128-256-createHash-hash-on-openssl-3.4.patch
82new file mode 100644
83index 0000000..a689852
84--- /dev/null
85+++ b/debian/patches/build/test-skip-sha128-256-createHash-hash-on-openssl-3.4.patch
86@@ -0,0 +1,55 @@
87+From 6372fca9467c39522f40c748ee136fe5d7fb3697 Mon Sep 17 00:00:00 2001
88+From: Adrien Nader <adrien.nader@canonical.com>
89+Date: Tue, 17 Dec 2024 17:18:14 +0100
90+Subject: [PATCH 1/2] test: skip sha128/256 createHash()/hash() on openssl 3.4.
91+
92+OpenSSL 3.4 has intentionally broken EVP_DigestFinal for SHAKE128 and
93+SHAKE256 when OSSL_DIGEST_PARAM_XOFLEN is not set because a) the default
94+length used weakened them from their maximum strength and b) a static
95+length does not fully make sense for XOFs (which SHAKE* are).
96+
97+Unfortunately, while crypto.createHash accepts an option argument that can
98+be something like `{ outputLength: 128 }`, crypto.hash doesn't offer a
99+similar API. Therefore there is little choice but to skip the test
100+completely for shake128 and shake256 on openssl >= 3.4.
101+
102+Fixes: https://github.com/nodejs/node/issues/56159
103+Refs: https://github.com/openssl/openssl/commit/b911fef216d1386210ec24e201d54d709528abb4
104+Refs: https://github.com/openssl/openssl/commit/ad3f28c5fbd5dcbc763a650313fd666b0e339cca
105+
106+Forwarded: https://github.com/nodejs/node/pull/56294
107+Bug: https://github.com/nodejs/node/pull/56294
108+
109+---
110+ test/parallel/test-crypto-oneshot-hash.js | 16 +++++++++-------
111+ 1 file changed, 9 insertions(+), 7 deletions(-)
112+
113+diff --git a/test/parallel/test-crypto-oneshot-hash.js b/test/parallel/test-crypto-oneshot-hash.js
114+index 56b4c04a65..ba8db85635 100644
115+--- a/test/parallel/test-crypto-oneshot-hash.js
116++++ b/test/parallel/test-crypto-oneshot-hash.js
117+@@ -32,12 +32,14 @@ const input = fs.readFileSync(fixtures.path('utf8_test_text.txt'));
118+
119+ for (const method of methods) {
120+ for (const outputEncoding of ['buffer', 'hex', 'base64', undefined]) {
121+- const oldDigest = crypto.createHash(method).update(input).digest(outputEncoding || 'hex');
122+- const digestFromBuffer = crypto.hash(method, input, outputEncoding);
123+- assert.deepStrictEqual(digestFromBuffer, oldDigest,
124+- `different result from ${method} with encoding ${outputEncoding}`);
125+- const digestFromString = crypto.hash(method, input.toString(), outputEncoding);
126+- assert.deepStrictEqual(digestFromString, oldDigest,
127+- `different result from ${method} with encoding ${outputEncoding}`);
128++ if (method !== 'shake128' && method !== 'shake256' || !common.hasOpenSSL(3, 4)) {
129++ const oldDigest = crypto.createHash(method).update(input).digest(outputEncoding || 'hex');
130++ const digestFromBuffer = crypto.hash(method, input, outputEncoding);
131++ assert.deepStrictEqual(digestFromBuffer, oldDigest,
132++ `different result from ${method} with encoding ${outputEncoding}`);
133++ const digestFromString = crypto.hash(method, input.toString(), outputEncoding);
134++ assert.deepStrictEqual(digestFromString, oldDigest,
135++ `different result from ${method} with encoding ${outputEncoding}`);
136++ }
137+ }
138+ }
139+--
140+2.45.2
141+
142diff --git a/debian/patches/build/test_make_test-crypto-hash_compatible_with_OpenSSL_3.4.0.patch b/debian/patches/build/test_make_test-crypto-hash_compatible_with_OpenSSL_3.4.0.patch
143new file mode 100644
144index 0000000..996e59f
145--- /dev/null
146+++ b/debian/patches/build/test_make_test-crypto-hash_compatible_with_OpenSSL_3.4.0.patch
147@@ -0,0 +1,80 @@
148+From 93eabf6a91d30e7bb852d20ade1e5b542dee6b35 Mon Sep 17 00:00:00 2001
149+From: Jelle van der Waa <jelle@archlinux.org>
150+Date: Fri, 6 Dec 2024 18:24:41 +0100
151+Subject: [PATCH] test: make test-crypto-hash compatible with OpenSSL > 3.4.0
152+
153+OpenSSL 3.4 has a breaking change where the outputLength is now
154+mandatory for shake* hash algorithms.
155+
156+Forwarded: https://github.com/nodejs/node/pull/56160/
157+Bug: https://github.com/nodejs/node/pull/56160/
158+
159+---
160+ test/common/index.js | 4 ++++
161+ test/parallel/test-crypto-hash.js | 29 ++++++++++++++++-------------
162+ 2 files changed, 20 insertions(+), 13 deletions(-)
163+
164+https://github.com/nodejs/node/pull/56160
165+
166+diff --git a/test/common/index.js b/test/common/index.js
167+index 50595945b193f4..df5784068e0566 100644
168+--- a/test/common/index.js
169++++ b/test/common/index.js
170+@@ -1059,6 +1059,10 @@ const common = {
171+ return hasOpenSSL(3, 2);
172+ },
173+
174++ get hasOpenSSL34() {
175++ return hasOpenSSL(3, 4);
176++ },
177++
178+ get inFreeBSDJail() {
179+ if (inFreeBSDJail !== null) return inFreeBSDJail;
180+
181+diff --git a/test/parallel/test-crypto-hash.js b/test/parallel/test-crypto-hash.js
182+index 83218c105a4596..a386de866f7120 100644
183+--- a/test/parallel/test-crypto-hash.js
184++++ b/test/parallel/test-crypto-hash.js
185+@@ -7,6 +7,7 @@ const assert = require('assert');
186+ const crypto = require('crypto');
187+ const fs = require('fs');
188+
189++const { hasOpenSSL34 } = common;
190+ const fixtures = require('../common/fixtures');
191+
192+ let cryptoType;
193+@@ -182,19 +183,21 @@ assert.throws(
194+
195+ // Test XOF hash functions and the outputLength option.
196+ {
197+- // Default outputLengths.
198+- assert.strictEqual(crypto.createHash('shake128').digest('hex'),
199+- '7f9c2ba4e88f827d616045507605853e');
200+- assert.strictEqual(crypto.createHash('shake128', null).digest('hex'),
201+- '7f9c2ba4e88f827d616045507605853e');
202+- assert.strictEqual(crypto.createHash('shake256').digest('hex'),
203+- '46b9dd2b0ba88d13233b3feb743eeb24' +
204+- '3fcd52ea62b81b82b50c27646ed5762f');
205+- assert.strictEqual(crypto.createHash('shake256', { outputLength: 0 })
206+- .copy() // Default outputLength.
207+- .digest('hex'),
208+- '46b9dd2b0ba88d13233b3feb743eeb24' +
209+- '3fcd52ea62b81b82b50c27646ed5762f');
210++ // Default outputLengths. Since OpenSSL 3.4 an outputLength is mandatory
211++ if (!hasOpenSSL34) {
212++ assert.strictEqual(crypto.createHash('shake128').digest('hex'),
213++ '7f9c2ba4e88f827d616045507605853e');
214++ assert.strictEqual(crypto.createHash('shake128', null).digest('hex'),
215++ '7f9c2ba4e88f827d616045507605853e');
216++ assert.strictEqual(crypto.createHash('shake256').digest('hex'),
217++ '46b9dd2b0ba88d13233b3feb743eeb24' +
218++ '3fcd52ea62b81b82b50c27646ed5762f');
219++ assert.strictEqual(crypto.createHash('shake256', { outputLength: 0 })
220++ .copy() // Default outputLength.
221++ .digest('hex'),
222++ '46b9dd2b0ba88d13233b3feb743eeb24' +
223++ '3fcd52ea62b81b82b50c27646ed5762f');
224++ }
225+
226+ // Short outputLengths.
227+ assert.strictEqual(crypto.createHash('shake128', { outputLength: 0 })
228diff --git a/debian/patches/series b/debian/patches/series
229index e35a79f..c90f6bd 100644
230--- a/debian/patches/series
231+++ b/debian/patches/series
232@@ -22,3 +22,6 @@ build/ada.patch
233 loong64/tests.patch
234 deps/v8-no-static-zlib.patch
235 build/no-deps.patch
236+build/test_make_test-crypto-hash_compatible_with_OpenSSL_3.4.0.patch
237+build/test-skip-sha128-256-createHash-hash-on-openssl-3.4.patch
238+build/test-openssl-3.4-returns-decrypt_error-upon-PSK-bind.patch

Subscribers

People subscribed via source and target branches