File openssl_1_1_1.patch of Package nodejs8.15384

Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3
Upstream commits:

commit 8dd8033519658bba2d7b776ec166f889a56bce31
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date:   Wed Sep 12 17:34:24 2018 +0900

    tls: workaround handshakedone in renegotiation
    
    `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called
    sending HelloRequest in OpenSSL-1.1.1.
    We need to check whether this is in a renegotiation state or not.
    
    Backport-PR-URL: https://github.com/nodejs/node/pull/26270
    PR-URL: https://github.com/nodejs/node/pull/25381
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>

commit 161dca72cb06e36614fdc75184383c8f456e97a4
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 28 14:11:18 2018 -0800

    tls: re-define max supported version as 1.2
    
    Several secureProtocol strings allow any supported TLS version as the
    maximum, but our maximum supported protocol version is TLSv1.2 even if
    someone configures a build against an OpenSSL that supports TLSv1.3.
    
    Fixes: https://github.com/nodejs/node/issues/24658
    
    PR-URL: https://github.com/nodejs/node/pull/25024
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>


Partial port, remain compatible with 1.0.2:

commit 970ce14f61a44504520581c5af5dc9c3bddc0f40
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date:   Wed Mar 14 14:26:55 2018 +0900

    crypto: remove deperecated methods of TLS version
    
    All version-specific methods were deprecated in OpenSSL 1.1.0 and
    min/max versions explicitly need to be set.
    This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now.
    
    crypto, constants: add constant of OpenSSL-1.1.0
    
    Several constants for OpenSSL-1.1.0 engine were removed and renamed in
    OpenSSL-1.1.0. This added one renamed constant in order to have a
    compatible feature with that of OpenSSL-1.0.2.
    Other missed or new constants in OpenSSL-1.1.0 are not yet added.
    
    crypto,tls,constants: remove OpenSSL1.0.2 support
    
    This is semver-majar change so that we need not to have
    compatibilities with older versions.
    
    Fixes: https://github.com/nodejs/node/issues/4270
    PR-URL: https://github.com/nodejs/node/pull/19794
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rod Vagg <rod@vagg.org>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

Index: node-v8.15.1/src/node_constants.cc
===================================================================
--- node-v8.15.1.orig/src/node_constants.cc
+++ node-v8.15.1/src/node_constants.cc
@@ -921,6 +921,10 @@ void DefineOpenSSLConstants(Local<Object
     NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_ECDSA);
 # endif
 
+# ifdef ENGINE_METHOD_EC
+    NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_EC);
+# endif
+
 # ifdef ENGINE_METHOD_CIPHERS
     NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_CIPHERS);
 # endif
Index: node-v8.15.1/src/node_crypto.cc
===================================================================
--- node-v8.15.1.orig/src/node_crypto.cc
+++ node-v8.15.1/src/node_crypto.cc
@@ -509,6 +509,8 @@ void SecureContext::Init(const FunctionC
   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
   Environment* env = sc->env();
 
+  int min_version = 0;
+  int max_version = 0;
   const SSL_METHOD* method = TLS_method();
 
   if (args.Length() == 1 && args[0]->IsString()) {
@@ -531,29 +533,95 @@ void SecureContext::Init(const FunctionC
     } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) {
       return env->ThrowError("SSLv3 methods disabled");
     } else if (strcmp(*sslmethod, "SSLv23_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      method = TLS_method();
+      #else
       method = SSLv23_method();
+      #endif
     } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      method = TLS_server_method();
+      #else
       method = SSLv23_server_method();
+      #endif
     } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      method = TLS_client_method();
+      #else
       method = SSLv23_client_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_VERSION;
+      max_version = TLS1_VERSION;
+      method = TLS_method();
+      #else
       method = TLSv1_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_VERSION;
+      max_version = TLS1_VERSION;
+      method = TLS_server_method();
+      #else
       method = TLSv1_server_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_client_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_VERSION;
+      max_version = TLS1_VERSION;
+      method = TLS_client_method();
+      #else
       method = TLSv1_client_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_1_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_1_VERSION;
+      max_version = TLS1_1_VERSION;
+      method = TLS_method();
+      #else
       method = TLSv1_1_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_1_server_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_1_VERSION;
+      max_version = TLS1_1_VERSION;
+      method = TLS_server_method();
+      #else
       method = TLSv1_1_server_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_1_VERSION;
+      max_version = TLS1_1_VERSION;
+      method = TLS_client_method();
+      #else
       method = TLSv1_1_client_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_2_VERSION;
+      max_version = TLS1_2_VERSION;
+      method = TLS_method();
+      #else
       method = TLSv1_2_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_2_VERSION;
+      max_version = TLS1_2_VERSION;
+      method = TLS_server_method();
+      #else
       method = TLSv1_2_server_method();
+      #endif
     } else if (strcmp(*sslmethod, "TLSv1_2_client_method") == 0) {
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      min_version = TLS1_2_VERSION;
+      max_version = TLS1_2_VERSION;
+      method = TLS_client_method();
+      #else
       method = TLSv1_2_client_method();
+      #endif
     } else {
       return env->ThrowError("Unknown method");
     }
@@ -578,6 +646,13 @@ void SecureContext::Init(const FunctionC
   SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback);
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  SSL_CTX_set_min_proto_version(sc->ctx_, min_version);
+  if (max_version == 0) {
+    // Selecting some secureProtocol methods allows the TLS version to be "any
+    // supported", but we don't support TLSv1.3, even if OpenSSL does.
+    max_version = TLS1_2_VERSION;
+  }
+  SSL_CTX_set_max_proto_version(sc->ctx_, max_version);
   // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
   // exposed in the public API. To retain compatibility, install a callback
   // which restores the old algorithm.
Index: node-v8.15.1/src/tls_wrap.cc
===================================================================
--- node-v8.15.1.orig/src/tls_wrap.cc
+++ node-v8.15.1/src/tls_wrap.cc
@@ -277,7 +277,10 @@ void TLSWrap::SSLInfoCallback(const SSL*
     }
   }
 
-  if (where & SSL_CB_HANDSHAKE_DONE) {
+  // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called
+  // sending HelloRequest in OpenSSL-1.1.1.
+  // We need to check whether this is in a renegotiation state or not.
+  if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
     c->established_ = true;
     Local<Value> callback = object->Get(env->onhandshakedone_string());
     if (callback->IsFunction()) {