From 7aeca270f6664753c378489311e3314762fb1204 Mon Sep 17 00:00:00 2001
From: Sam Roberts
Date: Fri, 29 Mar 2019 12:34:49 -0700
Subject: [PATCH] tls: supported shared openssl 1.1.0
PR-URL: https://github.com/nodejs/node/pull/26951
Reviewed-By: Rod Vagg
Reviewed-By: Beth Griggs
---
 lib/_tls_common.js | 2 +-
 src/node_constants.cc | 2 ++
 src/node_crypto.cc | 9 +++++++--
 test/parallel/test-tls-client-renegotiation-13.js | 3 +++
 test/parallel/test-tls-getcipher.js | 3 +++
 test/parallel/test-tls-min-max-version.js | 12 ++++++++++++
 test/parallel/test-tls-set-ciphers-error.js | 3 +++
 test/parallel/test-tls-set-ciphers.js | 4 ++++
 8 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 618f40e7562b05..a0970571be3383 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -47,7 +47,7 @@ function toV(which, v, def) {
 if (v === 'TLSv1') return TLS1_VERSION;
 if (v === 'TLSv1.1') return TLS1_1_VERSION;
 if (v === 'TLSv1.2') return TLS1_2_VERSION;
- if (v === 'TLSv1.3') return TLS1_3_VERSION;
+ if (v === 'TLSv1.3' && TLS1_3_VERSION) return TLS1_3_VERSION;
 throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
 }
diff --git a/src/node_constants.cc b/src/node_constants.cc
index f08bcbcb25b6d8..4593760b2f3d94 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -1245,7 +1245,9 @@ void DefineCryptoConstants(Local target) {
 NODE_DEFINE_CONSTANT(target, TLS1_VERSION);
 NODE_DEFINE_CONSTANT(target, TLS1_1_VERSION);
 NODE_DEFINE_CONSTANT(target, TLS1_2_VERSION);
+#ifdef TLS1_3_VERSION
 NODE_DEFINE_CONSTANT(target, TLS1_3_VERSION);
+#endif
 #endif
 NODE_DEFINE_CONSTANT(target, INT_MAX);
 }
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 568b44cf26c25a..8cafc808800b0e 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
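Review bot: The new guard in `toV` makes a request for 'TLSv1.3' on a build whose OpenSSL lacks `TLS1_3_VERSION` fall through to `ERR_TLS_INVALID_PROTOCOL_VERSION`, the same error a typo such as 'TLSv1.4' gets, so a caller cannot tell a misspelt name from a build limitation. Rejecting rather than silently clamping to TLSv1.2 is the right call security-wise, but the branch should say so: `// TLS1_3_VERSION is undefined when linked against an OpenSSL without TLSv1.3 (see node_constants.cc); reject the request rather than silently downgrade.` If `tls.DEFAULT_MAX_VERSION` still defaults to 'TLSv1.3' on such a build (tls.js is not part of this patch), every connection that relies on the default would reach this throw, which is worth confirming where that default is derived. `toV`'s opening lines are outside the hunk.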
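Review bot: The new `#ifdef TLS1_3_VERSION` is what turns the JS-side `TLS1_3_VERSION` into `undefined`, and lib/_tls_common.js plus four tests in this patch key their TLSv1.3 detection on exactly that absence, so the dependency should be stated where the constant is defined: `// Absent when the linked OpenSSL predates TLSv1.3 (e.g. shared 1.1.0); lib/_tls_common.js and the tls tests treat a missing TLS1_3_VERSION as "no TLSv1.3 support".` Without it a later cleanup that supplies a fallback value here would silently re-enable TLSv1.3 code paths the library cannot honor. `DefineCryptoConstants` starts outside the hunk.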
@@ -411,7 +411,12 @@ void SecureContext::New(const FunctionCallbackInfo& args) {
 // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
 // Node.js doesn't, so pin the max to what we do support.
-const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
+const int MAX_SUPPORTED_VERSION =
+#ifdef TLS1_3_VERSION
+ TLS1_3_VERSION;
+#else
+ TLS1_2_VERSION;
+#endif
 void SecureContext::Init(const FunctionCallbackInfo& args) {
 SecureContext* sc;
@@ -947,7 +952,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) {
 void SecureContext::SetCipherSuites(const FunctionCallbackInfo& args) {
 // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
-#ifndef OPENSSL_IS_BORINGSSL
+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL)
 SecureContext* sc;
 ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
 Environment* env = sc->env();
diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js
index bd7ab70316dc59..cce41578ba31b2 100644
--- a/test/parallel/test-tls-client-renegotiation-13.js
+++ b/test/parallel/test-tls-client-renegotiation-13.js
@@ -4,6 +4,9 @@ const common = require('../common');
 const fixtures = require('../common/fixtures');
+if (!require('constants').TLS1_3_VERSION)
+ common.skip(`openssl ${process.versions.openssl} does not support TLSv1.3`);
+
 // Confirm that for TLSv1.3, renegotiate() is disallowed.
 const {
diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
index 03c32da03c945b..4379d74897a7dd 100644
--- a/test/parallel/test-tls-getcipher.js
+++ b/test/parallel/test-tls-getcipher.js
@@ -56,6 +56,9 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
 }));
 }));
+if (!require('constants').TLS1_3_VERSION)
+ return console.log('cannot test TLSv1.3 against 1.3-incapable shared lib');
+
 tls.createServer({
 key: fixtures.readKey('agent2-key.pem'),
 cert: fixtures.readKey('agent2-cert.pem'),
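Review bot: The comment above `MAX_SUPPORTED_VERSION` still explains the pin only as "OpenSSL may support TLS versions that Node.js doesn't", but the new `#else` covers the opposite case — Node.js supporting TLSv1.3 while the linked OpenSSL does not — so the comment now reads as stale next to the preprocessor block. Suggest adding one line after it: `// Conversely, an OpenSSL without TLS1_3_VERSION makes TLSv1.2 the hard ceiling.` The code itself is fine; `SecureContext::Init`, which starts at the end of the hunk, continues past it.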
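Review bot: With `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL)` the whole visible body of `SetCipherSuites` is compiled out on an OpenSSL without TLSv1.3, and the hunk ends before whatever the function does in that case; if it simply returns, a caller-supplied TLSv1.3 suite list (a `ciphers` option with `TLS_*` names) is accepted and silently dropped, so a deliberately restrictive suite policy is never applied and nothing tells the operator. That is the very failure test-tls-set-ciphers-error.js in this patch now skips instead of checking. Consider throwing, or at least emitting a warning, from the fallback path, or documenting in the `tls` docs that the TLSv1.3 suite list is ignored on such builds; at minimum a comment here, `// Without TLS1_3_VERSION there are no TLSv1.3 suites to configure; the list is ignored.`, so the behavior is deliberate rather than accidental. `SetCipherSuites` continues past the hunk.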
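Review bot: The `return console.log(...)` at module scope drops the rest of test-tls-getcipher.js with only a console line, whereas the other three tests in this patch use `common.skip`, so a reader will wonder why this one differs; presumably it is because the `server.listen` test above has already been started and a process-exiting skip would cut it short, and that reason should be written down. Suggest `// Can't common.skip() here: the TLSv1.2 checks above are still in flight; just drop the TLSv1.3 half.` above the `if`. Note that the harness then records the file as passing with half its expectations gone, which is acceptable only because the message makes the omission visible in the log.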
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index f30b9b3b9897c9..cd8bccca04d612 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -9,6 +9,13 @@ const {
 } = require(fixtures.path('tls-connect'));
 const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
 const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;
+const tls13 = !!require('constants').TLS1_3_VERSION;
+
+if (!tls13 && (
+ DEFAULT_MAX_VERSION === 'TLSv1.3' ||
+ DEFAULT_MIN_VERSION === 'TLSv1.3')) {
+ return common.skip('cannot test TLSv1.3 against 1.3-incapable shared lib');
+}
 function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
 assert(proto || cerr || serr, 'test missing any expectations');
@@ -16,6 +23,11 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
 // at Object. (file:line)
 // from the stack location, we only want the file:line part.
 const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
+ if (Array.prototype.includes.call(arguments, 'TLSv1.3')) {
+ console.log('test: skip because TLSv1.3 is not supported');
+ console.log(' ', where);
+ return;
+ }
 connect({
 client: {
 checkServerIdentity: (servername, cert) => { },
diff --git a/test/parallel/test-tls-set-ciphers-error.js b/test/parallel/test-tls-set-ciphers-error.js
index f963b414f44630..a09c12b321cba0 100644
--- a/test/parallel/test-tls-set-ciphers-error.js
+++ b/test/parallel/test-tls-set-ciphers-error.js
@@ -4,6 +4,9 @@ const common = require('../common');
 if (!common.hasCrypto)
 common.skip('missing crypto');
+if (!require('constants').TLS1_3_VERSION)
+ return common.skip('openssl before TLS1.3 does not check for failure');
+
 const assert = require('assert');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index ecf9176c4020a6..254cc52ad4ef37 100644
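Review bot: The early return added to `test` skips every case that mentions 'TLSv1.3' unconditionally — it never consults the `tls13` flag the first hunk of this file defines — so on a TLSv1.3-capable build all TLSv1.3 cases are skipped as well, the test silently loses the coverage it exists for, and its log line claims 1.3 is "not supported" on a build where it is. Gate it on the flag: `if (!tls13 && Array.prototype.includes.call(arguments, 'TLSv1.3')) {`. Since every parameter is named, `[cmin, cmax, cprot, smin, smax, sprot, proto].includes('TLSv1.3')` would express the same check without `arguments` and without accidentally matching the error-expectation arguments. `test` continues past the hunk.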
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -15,6 +15,10 @@ if (tls13) tls.DEFAULT_MAX_VERSION = 'TLSv1.3';
 function test(cciphers, sciphers, cipher, cerr, serr) {
+ if (!tls13 && (/TLS_/.test(cciphers) || /TLS_/.test(sciphers))) {
+ // Test relies on TLS1.3, skip it.
+ return;
+ }
 assert(cipher || cerr || serr, 'test missing any expectations');
 const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
 connect({
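Review bot: The skip added to `test` is silent, whereas the equivalent skip this patch adds to test-tls-min-max-version.js logs which case was dropped, so a run on a 1.3-incapable build passes here with no trace of how many cases were actually exercised. Move the existing `const where = ...` line above the guard and log it: `console.log('test: skip, TLSv1.3 suite requested but unsupported'); console.log('  ', where);`. The `/TLS_/` heuristic also deserves a comment, e.g. `// TLSv1.3 suites use IANA TLS_* names; OpenSSL's TLSv1.2 names do not start with TLS_.` — presumably that is why the pattern identifies the 1.3-only cases, and a reader should not have to guess. `test` continues past the hunk.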