From e8c199def7a0db81a7151711f6683d20670679f4 Mon Sep 17 00:00:00 2001
From: Mateusz Krawczuk <krawczukmat@gmail.com>
Date: Wed, 17 Jun 2020 17:29:06 +0200
Subject: [PATCH 1/2] crypto: add OP flag constants added in OpenSSL v1.1.1

---
 doc/api/crypto.md     | 24 ++++++++++++++++++++++++
 src/node_constants.cc | 20 ++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 5d32ea41e6e208..57ab91d43af14d 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3182,6 +3182,11 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html">https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html</a>
     for detail.</td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_ALLOW_NO_DHE_KEX</code></td>
+    <td>Instructs OpenSSL to allow a non-[EC]DHE-based key exchane mode
+    for TLS v1.3</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION</code></td>
     <td>Allows legacy insecure renegotiation between OpenSSL and unpatched
@@ -3254,10 +3259,18 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <td><code>SSL_OP_NO_COMPRESSION</code></td>
     <td>Instructs OpenSSL to disable support for SSL/TLS compression.</td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_NO_ENCRYPT_THEN_MAC</code></td>
+    <td>Instructs OpenSSL to disable encrypt-then-MAC.</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_NO_QUERY_MTU</code></td>
     <td></td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_NO_RENEGOTIATION</code></td>
+    <td>Instructs OpenSSL to disable renegotiation.</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION</code></td>
     <td>Instructs OpenSSL to always start a new session when performing
@@ -3286,6 +3299,10 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
   <tr>
     <td><code>SSL_OP_NO_TLSv1_2</code></td>
     <td>Instructs OpenSSL to turn off TLS v1.2</td>
+  </tr>
+  <tr>
+    <td><code>SSL_OP_NO_TLSv1_3</code></td>
+    <td>Instructs OpenSSL to turn off TLS v1.3</td>
   </tr>
     <td><code>SSL_OP_PKCS1_CHECK_1</code></td>
     <td></td>
@@ -3294,6 +3311,13 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <td><code>SSL_OP_PKCS1_CHECK_2</code></td>
     <td></td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_PRIORITIZE_CHACHA</code></td>
+    <td>Instructs OpenSSL server to prioritize ChaCha20Poly1305
+    when client does.
+    This option has no effect if SSL_OP_CIPHER_SERVER_PREFERENCE
+    is not enabled.</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_SINGLE_DH_USE</code></td>
     <td>Instructs OpenSSL to always create a new key when using
diff --git a/src/node_constants.cc b/src/node_constants.cc
index 5d99fa181a0472..38c8f2738b4bad 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -806,6 +806,10 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_ALL);
 #endif
 
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX
+    NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_NO_DHE_KEX);
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
 #endif
@@ -870,10 +874,18 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_COMPRESSION);
 #endif
 
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
+    NODE_DEFINE_CONSTANT(target, SSL_OP_NO_ENCRYPT_THEN_MAC);
+#endif
+
 #ifdef SSL_OP_NO_QUERY_MTU
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_QUERY_MTU);
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+    NODE_DEFINE_CONSTANT(target, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
@@ -902,6 +914,10 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_2);
 #endif
 
+#ifdef SSL_OP_NO_TLSv1_3
+    NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_3);
+#endif
+
 #ifdef SSL_OP_PKCS1_CHECK_1
     NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_1);
 #endif
@@ -910,6 +926,10 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_2);
 #endif
 
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+    NODE_DEFINE_CONSTANT(target, SSL_OP_PRIORITIZE_CHACHA);
+#endif
+
 #ifdef SSL_OP_SINGLE_DH_USE
     NODE_DEFINE_CONSTANT(target, SSL_OP_SINGLE_DH_USE);
 #endif

From d92b03a22a9efe74f002516f59ede5445b02743d Mon Sep 17 00:00:00 2001
From: Mateusz Krawczuk <krawczukmat@gmail.com>
Date: Thu, 18 Jun 2020 18:01:00 +0200
Subject: [PATCH 2/2] fixup!

---
 doc/api/crypto.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 57ab91d43af14d..21fde944efac9b 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3184,7 +3184,7 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
   </tr>
   <tr>
     <td><code>SSL_OP_ALLOW_NO_DHE_KEX</code></td>
-    <td>Instructs OpenSSL to allow a non-[EC]DHE-based key exchane mode
+    <td>Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode
     for TLS v1.3</td>
   </tr>
   <tr>
@@ -3315,7 +3315,8 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <td><code>SSL_OP_PRIORITIZE_CHACHA</code></td>
     <td>Instructs OpenSSL server to prioritize ChaCha20Poly1305
     when client does.
-    This option has no effect if SSL_OP_CIPHER_SERVER_PREFERENCE
+    This option has no effect if
+    <code>SSL_OP_CIPHER_SERVER_PREFERENCE</code>
     is not enabled.</td>
   </tr>
   <tr>