Merge branch 'master' into epel7

Stephen Gallagher 2017-03-09 15:50:41 -05:00
commit 79a6267572
GPG Key ID: 7A25556236BAA3A3
8 changed files with 389 additions and 139 deletions

.gitignore vendored

@ -32,8 +32,6 @@
/node-v0.10.32-stripped.tar.gz
/node-v0.10.33-stripped.tar.gz
/node-v0.10.36-stripped.tar.gz
/node-v0.10.42-stripped.tar.gz
/node-v0.10.46-stripped.tar.gz
/node-v4.2.2-stripped.tar.gz
/node-v4.2.3-stripped.tar.gz
/node-v4.2.4-stripped.tar.gz
@ -65,3 +63,4 @@
/node-v6.9.3-stripped.tar.gz
/node-v6.9.4-stripped.tar.gz
/node-v6.9.5-stripped.tar.gz
/node-v6.10.0-stripped.tar.gz


@ -1,17 +1,19 @@
From da4ed485ddd52cd156406f939225146e8539cabb Mon Sep 17 00:00:00 2001
From 061822759b37ab5bda659d74f9149cace5afe628 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 1 Dec 2015 16:35:29 -0500
Subject: [PATCH 1/3] disable running gyp files for bundled deps
Subject: [PATCH 1/4] disable running gyp files for bundled deps
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a8870a5..f7fc4a9 100644
index 719b855559383a8011c8f6f073ed69a1cf21aeee..31cd25452dccb0624809c0570a738c5b49cc782c 100644
--- a/Makefile
+++ b/Makefile
@@ -70,7 +70,7 @@ $(NODE_G_EXE): config.gypi out/Makefile
@@ -70,11 +70,11 @@ $(NODE_EXE): config.gypi out/Makefile
$(NODE_G_EXE): config.gypi out/Makefile
$(MAKE) -C out BUILDTYPE=Debug V=$(V)
ln -fs out/Debug/$(NODE_EXE) $@
@ -20,6 +22,8 @@ index a8870a5..f7fc4a9 100644
$(PYTHON) tools/gyp_node.py -f make
config.gypi: configure
$(error Missing or stale $@, please run ./$<)
--
2.9.0
2.12.0


@ -1,7 +1,7 @@
From 6cf8243a70e26843c7770f7b29b1a33b822d1c26 Mon Sep 17 00:00:00 2001
From 91d1a67b8cc249af59929cd1a76629a2614860bd Mon Sep 17 00:00:00 2001
From: Haikel Guemar <hguemar@fedoraproject.org>
Date: Tue, 26 Jul 2016 22:50:22 +0200
Subject: [PATCH 2/3] Use openssl 1.0.1
Subject: [PATCH 2/4] Use openssl 1.0.1
Based on Solaris patches from upstream #2783
https://github.com/nodejs/node/issues/2783
@ -14,10 +14,12 @@ https://github.com/nodejs/node/issues/2783
5 files changed, 223 insertions(+), 13 deletions(-)
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 7feaff2..97ad7a5 100644
index 3784210ba7b6c046b39d74b45e44538041d35ae2..3c9d72b8d5ef81d15773aed077bd00d2041c9e93 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -114,6 +114,12 @@ handshake extensions:
@@ -113,10 +113,16 @@ handshake extensions:
* ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP,
SPDY, HTTP/2)
* SNI - Allows the use of one TLS server for multiple hostnames with different
SSL certificates.
@ -30,11 +32,15 @@ index 7feaff2..97ad7a5 100644
*Note*: Use of ALPN is recommended over NPN. The NPN extension has never been
formally defined or documented and generally not recommended for use.
### Client-initiated renegotiation attack mitigation
diff --git a/src/node_constants.cc b/src/node_constants.cc
index 2e6be8d..239eadb 100644
index 2e6be8df37c345a383d8a78898daf2a147d90630..239eadbac8ea8e601745a63347a8bb301c22d1b1 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -14,7 +14,10 @@
@@ -12,11 +12,14 @@
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#if HAVE_OPENSSL
@ -45,7 +51,11 @@ index 2e6be8d..239eadb 100644
# include <openssl/ssl.h>
# ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
@@ -976,12 +979,14 @@ void DefineOpenSSLConstants(Local<Object> target) {
# endif // !OPENSSL_NO_ENGINE
#endif
@@ -974,16 +977,18 @@ void DefineOpenSSLConstants(Local<Object> target) {
NODE_DEFINE_CONSTANT(target, RSA_PKCS1_PSS_PADDING);
#endif
#if HAVE_OPENSSL
// NOTE: These are not defines
@ -60,11 +70,15 @@ index 2e6be8d..239eadb 100644
}
void DefineSystemConstants(Local<Object> target) {
// file access modes
NODE_DEFINE_CONSTANT(target, O_RDONLY);
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 9cf216f..888a0f8 100644
index 482ec230c0f4500b63b705d705a142e63ff179e5..c5630f30d0bef75ced53b36062bb1f0324dbdb9d 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -24,6 +24,82 @@
@@ -22,10 +22,86 @@
#include <limits.h> // INT_MAX
#include <math.h>
#include <stdlib.h>
#include <string.h>
@ -147,7 +161,11 @@ index 9cf216f..888a0f8 100644
#define THROW_AND_RETURN_IF_NOT_STRING_OR_BUFFER(val, prefix) \
do { \
if (!Buffer::HasInstance(val) && !val->IsString()) { \
@@ -160,7 +236,11 @@ template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
return env->ThrowTypeError(prefix " must be a string or a buffer"); \
} \
@@ -161,11 +237,15 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
#endif
template void SSLWrap<TLSWrap>::DestroySSL();
@ -159,7 +177,11 @@ index 9cf216f..888a0f8 100644
template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
@@ -280,8 +360,12 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
template int SSLWrap<TLSWrap>::SelectALPNCallback(
SSL* s,
@@ -281,12 +361,16 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
env->SetProtoMethod(t, "setCert", SecureContext::SetCert);
env->SetProtoMethod(t, "addCACert", SecureContext::AddCACert);
env->SetProtoMethod(t, "addCRL", SecureContext::AddCRL);
env->SetProtoMethod(t, "addRootCerts", SecureContext::AddRootCerts);
env->SetProtoMethod(t, "setCiphers", SecureContext::SetCiphers);
@ -172,7 +194,11 @@ index 9cf216f..888a0f8 100644
env->SetProtoMethod(t, "setOptions", SecureContext::SetOptions);
env->SetProtoMethod(t, "setSessionIdContext",
SecureContext::SetSessionIdContext);
@@ -515,8 +599,20 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
env->SetProtoMethod(t, "setSessionTimeout",
SecureContext::SetSessionTimeout);
@@ -514,12 +598,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
SSL_CTX_clear_extra_chain_certs(ctx);
for (int i = 0; i < sk_X509_num(extra_certs); i++) {
X509* ca = sk_X509_value(extra_certs, i);
@ -195,7 +221,11 @@ index 9cf216f..888a0f8 100644
if (!r) {
ret = 0;
@@ -795,6 +891,7 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
*issuer = nullptr;
goto end;
@@ -868,10 +964,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
SSL_CTX_set_cipher_list(sc->ctx_, *ciphers);
}
@ -203,7 +233,11 @@ index 9cf216f..888a0f8 100644
void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc;
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
@@ -822,8 +919,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
Environment* env = sc->env();
@@ -895,12 +992,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh);
EC_KEY_free(ecdh);
}
@ -214,7 +248,11 @@ index 9cf216f..888a0f8 100644
void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc;
ASSIGN_OR_RETURN_UNWRAP(&sc, args.This());
@@ -862,6 +961,7 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
Environment* env = sc->env();
ClearErrorOnReturn clear_error_on_return;
@@ -935,10 +1034,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
DH_free(dh);
if (!r)
return env->ThrowTypeError("Error setting temp DH parameter");
}
@ -222,7 +260,11 @@ index 9cf216f..888a0f8 100644
void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
@@ -1872,6 +1972,7 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
SecureContext* sc;
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
@@ -1952,10 +2052,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
info->Set(env->type_string(),
FIXED_ONE_BYTE_STRING(env->isolate(), "DH"));
info->Set(env->size_string(),
Integer::New(env->isolate(), EVP_PKEY_bits(key)));
break;
@ -230,7 +272,11 @@ index 9cf216f..888a0f8 100644
case EVP_PKEY_EC:
{
EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key);
@@ -1884,6 +1985,7 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
EC_KEY_free(ec);
@@ -1964,10 +2065,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
info->Set(env->name_string(),
OneByteString(args.GetIsolate(), OBJ_nid2sn(nid)));
info->Set(env->size_string(),
Integer::New(env->isolate(), EVP_PKEY_bits(key)));
}
@ -238,7 +284,11 @@ index 9cf216f..888a0f8 100644
}
EVP_PKEY_free(key);
}
@@ -2301,7 +2403,12 @@ void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
return args.GetReturnValue().Set(info);
@@ -2382,11 +2484,16 @@ void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
cert_cb_arg_ = arg;
}
template <class Base>
@ -251,7 +301,11 @@ index 9cf216f..888a0f8 100644
Base* w = static_cast<Base*>(SSL_get_app_data(s));
if (!w->is_server())
@@ -2375,19 +2482,53 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
return 1;
@@ -2451,23 +2558,57 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>());
w->sni_context_.Reset();
w->sni_context_.Reset(env->isolate(), ctx);
int rv;
@ -315,7 +369,11 @@ index 9cf216f..888a0f8 100644
if (rv)
rv = w->SetCACerts(sc);
if (!rv) {
@@ -2451,10 +2592,14 @@ void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
if (!err)
@@ -2527,14 +2668,18 @@ void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
}
template <class Base>
int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
@ -331,7 +389,11 @@ index 9cf216f..888a0f8 100644
STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
SSL_CTX_get_client_CA_list(sc->ctx_));
@@ -2732,7 +2877,11 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
// NOTE: `SSL_set_client_CA_list` takes the ownership of `list`
SSL_set_client_CA_list(ssl_, list);
@@ -2808,11 +2953,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
// Server does not need to check the whitelist.
SSL* ssl = static_cast<SSL*>(
X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
@ -343,7 +405,11 @@ index 9cf216f..888a0f8 100644
return 1;
// Client needs to check if the server cert is listed in the
@@ -2815,7 +2964,21 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
// whitelist when it is issued by the specific rootCAs.
CheckResult ret = CheckWhitelistedServerCert(ctx);
@@ -2891,11 +3040,25 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
if (is_server)
SSL_set_info_callback(conn->ssl_, SSLInfoCallback);
InitNPN(sc);
@ -365,7 +431,11 @@ index 9cf216f..888a0f8 100644
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
if (is_server) {
@@ -4404,6 +4567,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
} else if (args[2]->IsString()) {
@@ -4476,10 +4639,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
args.GetReturnValue().Set(vbuf);
delete[] out_value;
}
@ -373,7 +443,11 @@ index 9cf216f..888a0f8 100644
void DiffieHellman::Initialize(Environment* env, Local<Object> target) {
Local<FunctionTemplate> t = env->NewFunctionTemplate(New);
@@ -4805,8 +4969,10 @@ bool DiffieHellman::VerifyContext() {
const PropertyAttribute attributes =
static_cast<PropertyAttribute>(v8::ReadOnly | v8::DontDelete);
@@ -4877,12 +5041,14 @@ bool DiffieHellman::VerifyContext() {
if (!DH_check(dh, &codes))
return false;
verifyError_ = codes;
return true;
}
@ -384,7 +458,11 @@ index 9cf216f..888a0f8 100644
void ECDH::Initialize(Environment* env, Local<Object> target) {
HandleScope scope(env->isolate());
@@ -5034,6 +5200,7 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
Local<FunctionTemplate> t = env->NewFunctionTemplate(New);
@@ -5106,10 +5272,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
return env->ThrowError("Failed to set generated public key");
}
EC_POINT_free(pub);
}
@ -392,7 +470,11 @@ index 9cf216f..888a0f8 100644
void ECDH::SetPublicKey(const FunctionCallbackInfo<Value>& args) {
@@ -5587,6 +5754,7 @@ void GetHashes(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
@@ -5659,10 +5826,11 @@ void GetHashes(const FunctionCallbackInfo<Value>& args) {
EVP_MD_do_all_sorted(array_push_back<EVP_MD>, &ctx);
args.GetReturnValue().Set(ctx.arr);
}
@ -400,7 +482,11 @@ index 9cf216f..888a0f8 100644
void GetCurves(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
const size_t num_curves = EC_get_builtin_curves(nullptr, 0);
@@ -5611,6 +5779,7 @@ void GetCurves(const FunctionCallbackInfo<Value>& args) {
Local<Array> arr = Array::New(env->isolate(), num_curves);
EC_builtin_curve* curves;
@@ -5683,10 +5851,11 @@ void GetCurves(const FunctionCallbackInfo<Value>& args) {
free(curves);
}
args.GetReturnValue().Set(arr);
}
@ -408,7 +494,11 @@ index 9cf216f..888a0f8 100644
bool VerifySpkac(const char* data, unsigned int len) {
@@ -5886,8 +6055,12 @@ void InitCrypto(Local<Object> target,
bool i = 0;
EVP_PKEY* pkey = nullptr;
@@ -5995,12 +6164,16 @@ void InitCrypto(Local<Object> target,
Environment* env = Environment::GetCurrent(context);
SecureContext::Initialize(env, target);
Connection::Initialize(env, target);
CipherBase::Initialize(env, target);
@ -421,7 +511,11 @@ index 9cf216f..888a0f8 100644
Hmac::Initialize(env, target);
Hash::Initialize(env, target);
Sign::Initialize(env, target);
@@ -5906,7 +6079,9 @@ void InitCrypto(Local<Object> target,
Verify::Initialize(env, target);
@@ -6016,11 +6189,13 @@ void InitCrypto(Local<Object> target,
env->SetMethod(target, "randomBytes", RandomBytes);
env->SetMethod(target, "timingSafeEqual", TimingSafeEqual);
env->SetMethod(target, "getSSLCiphers", GetSSLCiphers);
env->SetMethod(target, "getCiphers", GetCiphers);
env->SetMethod(target, "getHashes", GetHashes);
@ -431,11 +525,15 @@ index 9cf216f..888a0f8 100644
env->SetMethod(target, "publicEncrypt",
PublicKeyCipher::Cipher<PublicKeyCipher::kPublic,
EVP_PKEY_encrypt_init,
EVP_PKEY_encrypt>);
env->SetMethod(target, "privateDecrypt",
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 24ac773..2b1b6ae 100644
index 175206c40df58602b0c24d039b8b5a8bb6f56ba3..5ecc43b08d0b4d97311f09271a26f5a735a6e018 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -18,8 +18,12 @@
@@ -16,12 +16,16 @@
#include "base-object-inl.h"
#include "v8.h"
#include <openssl/ssl.h>
@ -448,7 +546,11 @@ index 24ac773..2b1b6ae 100644
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#endif // !OPENSSL_NO_ENGINE
@@ -101,8 +105,12 @@ class SecureContext : public BaseObject {
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -100,12 +104,16 @@ class SecureContext : public BaseObject {
static void SetCert(const v8::FunctionCallbackInfo<v8::Value>& args);
static void AddCACert(const v8::FunctionCallbackInfo<v8::Value>& args);
static void AddCRL(const v8::FunctionCallbackInfo<v8::Value>& args);
static void AddRootCerts(const v8::FunctionCallbackInfo<v8::Value>& args);
static void SetCiphers(const v8::FunctionCallbackInfo<v8::Value>& args);
@ -461,7 +563,11 @@ index 24ac773..2b1b6ae 100644
static void SetOptions(const v8::FunctionCallbackInfo<v8::Value>& args);
static void SetSessionIdContext(
const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -283,7 +291,11 @@ class SSLWrap {
static void SetSessionTimeout(
const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -273,11 +281,15 @@ class SSLWrap {
unsigned char* outlen,
const unsigned char* in,
unsigned int inlen,
void* arg);
static int TLSExtStatusCallback(SSL* s, void* arg);
@ -473,7 +579,11 @@ index 24ac773..2b1b6ae 100644
static void SSLGetter(v8::Local<v8::String> property,
const v8::PropertyCallbackInfo<v8::Value>& info);
@@ -645,6 +657,7 @@ class PublicKeyCipher {
void DestroySSL();
void WaitForCertCb(CertCb cb, void* arg);
@@ -635,10 +647,11 @@ class PublicKeyCipher {
EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init,
EVP_PKEY_cipher_t EVP_PKEY_cipher>
static void Cipher(const v8::FunctionCallbackInfo<v8::Value>& args);
};
@ -481,7 +591,11 @@ index 24ac773..2b1b6ae 100644
class DiffieHellman : public BaseObject {
public:
~DiffieHellman() override {
@@ -690,7 +703,9 @@ class DiffieHellman : public BaseObject {
if (dh != nullptr) {
DH_free(dh);
@@ -680,11 +693,13 @@ class DiffieHellman : public BaseObject {
bool initialised_;
int verifyError_;
DH* dh;
};
@ -491,7 +605,11 @@ index 24ac773..2b1b6ae 100644
class ECDH : public BaseObject {
public:
~ECDH() override {
@@ -727,6 +742,7 @@ class ECDH : public BaseObject {
if (key_ != nullptr)
EC_KEY_free(key_);
@@ -717,10 +732,11 @@ class ECDH : public BaseObject {
bool IsKeyValidForCurve(const BIGNUM* private_key);
EC_KEY* key_;
const EC_GROUP* group_;
};
@ -499,11 +617,15 @@ index 24ac773..2b1b6ae 100644
bool EntropySource(unsigned char* buffer, size_t length);
#ifndef OPENSSL_NO_ENGINE
void SetEngine(const v8::FunctionCallbackInfo<v8::Value>& args);
#endif // !OPENSSL_NO_ENGINE
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index 7c5df11..3e06621 100644
index d1b1aeccdd95b00b3fd0421c08fd7816cd70d182..a6e63d7c1ccc81e6f7d782dffe833234b003de15 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -142,7 +142,15 @@ void TLSWrap::InitSSL() {
@@ -140,11 +140,19 @@ void TLSWrap::InitSSL() {
}
#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
InitNPN(sc_);
@ -519,6 +641,8 @@ index 7c5df11..3e06621 100644
if (is_server()) {
SSL_set_accept_state(ssl_);
} else if (is_client()) {
// Enough space for server response (hello, cert)
--
2.9.0
2.12.0


@ -1,82 +0,0 @@
From 08305ba6b7fddab1f35c59dc82a3c6b11ceceae3 Mon Sep 17 00:00:00 2001
From: Haikel Guemar <hguemar@fedoraproject.org>
Date: Tue, 26 Jul 2016 22:00:25 +0200
Subject: [PATCH 3/3] CA Certificates are provided by Fedora.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
correct path for Fedora
Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
Node.js 4.2
Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
Node.js 5.4.1
Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
Node.js 4.4.7
---
src/node_crypto.cc | 30 +++++++++---------------------
1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 888a0f8..3feff0e 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name =
static Mutex* mutexes;
-const char* const root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
+const char* root_certs[] = {
+ NULL
};
X509_STORE* root_cert_store;
@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
CHECK_EQ(sc->ca_store_, nullptr);
if (!root_cert_store) {
- root_cert_store = X509_STORE_new();
-
- for (size_t i = 0; i < arraysize(root_certs); i++) {
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
- if (bp == nullptr) {
- return;
- }
-
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
- if (x509 == nullptr) {
- BIO_free_all(bp);
- return;
- }
-
- X509_STORE_add_cert(root_cert_store, x509);
-
- BIO_free_all(bp);
- X509_free(x509);
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+ } else {
+ // empty store
+ root_cert_store = X509_STORE_new();
}
+ } else {
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
}
sc->ca_store_ = root_cert_store;
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
}
--
2.9.0


@ -0,0 +1,84 @@
From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Wed, 21 Dec 2016 11:16:38 +0100
Subject: [PATCH 3/4] crypto: Use system CAs instead of using bundled ones
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.
In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.
Fixes: https://github.com/nodejs/node/issues/3159
PR-URL: https://github.com/nodejs/node/pull/8334
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
---
configure | 7 +++++++
src/node_crypto.cc | 4 ++++
2 files changed, 11 insertions(+)
diff --git a/configure b/configure
index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755
--- a/configure
+++ b/configure
@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm",
parser.add_option('--openssl-fips',
action='store',
dest='openssl_fips',
help='Build OpenSSL using FIPS canister .o file in supplied folder')
+parser.add_option('--openssl-use-def-ca-store',
+ action='store_true',
+ dest='use_openssl_ca_store',
+ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
+
shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
help='link to a shared http_parser DLL instead of static linking')
@@ -937,10 +942,12 @@ def configure_v8(o):
def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+ if options.use_openssl_ca_store:
+ o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_fips_settings'] = [
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() {
root_certs_vector->push_back(x509);
}
}
X509_STORE* store = X509_STORE_new();
+#if defined(NODE_OPENSSL_CERT_STORE)
+ X509_STORE_set_default_paths(store);
+#else
for (auto& cert : *root_certs_vector) {
X509_up_ref(cert);
X509_STORE_add_cert(store, cert);
}
+#endif
return store;
}
--
2.12.0
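Review bot: The result of `X509_STORE_set_default_paths(store)` in the `NODE_OPENSSL_CERT_STORE` branch of `NewRootCertStore()` (src/node_crypto.cc hunk `@@ -803,14 +803,18 @@`) is ignored, so a missing or unreadable system CA directory silently yields an empty store; verification then fails closed, which is safe, but callers only see generic certificate errors with no hint that the trust store itself is the problem. The surrounding code uses `CHECK_EQ` for hard invariants; here a softer check such as `if (X509_STORE_set_default_paths(store) != 1) { /* empty store: surface the OpenSSL error to the caller */ }` would make the failure mode visible. The context lines above the `#if` show `root_certs_vector->push_back(x509)` still populating the bundled-certificate vector, which the system-store branch in this hunk never reads; the loop's start lies outside the hunk, but moving that work under the `#else` would avoid parsing compiled-in certificates that are then discarded. A one-line comment on the `#if`, e.g. `// Trust only the OpenSSL default store; the compiled-in Mozilla bundle is not added.`, would document the behavioural change for downstream readers.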


@ -0,0 +1,103 @@
From fbb5821dc3d967e916a187ee009e955530d2ce8d Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Tue, 28 Feb 2017 13:56:40 -0500
Subject: [PATCH 4/4] Fix compatibility with GCC 7
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
deps/v8/src/objects-body-descriptors.h | 2 +-
deps/v8/src/objects-inl.h | 21 +++++++++++++++++++++
deps/v8/src/objects.h | 20 ++++----------------
3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/deps/v8/src/objects-body-descriptors.h b/deps/v8/src/objects-body-descriptors.h
index 91cb8883be88739eab2b10df71f6f0d08aab436e..a1c3634bd762d7e03b4c87d38aa14a9a3ce318e4 100644
--- a/deps/v8/src/objects-body-descriptors.h
+++ b/deps/v8/src/objects-body-descriptors.h
@@ -97,11 +97,11 @@ class FixedBodyDescriptor final : public BodyDescriptorBase {
IterateBodyImpl<StaticVisitor>(heap, obj, start_offset, end_offset);
}
template <typename StaticVisitor>
static inline void IterateBody(HeapObject* obj, int object_size) {
- IterateBody(obj);
+ IterateBody<StaticVisitor>(obj);
}
};
// This class describes a body of an object of a variable size
diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h
index 11f4d7498d7558f56037483004a3d5839154516b..72208c2f00f4a9ff47ae487fa9a42f8f82cf12ea 100644
--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@@ -34,10 +34,31 @@
#include "src/v8memory.h"
namespace v8 {
namespace internal {
+template <typename Derived, typename Shape, typename Key>
+uint32_t HashTable<Derived, Shape, Key>::Hash(Key key) {
+ if (Shape::UsesSeed) {
+ return Shape::SeededHash(key, GetHeap()->HashSeed());
+ } else {
+ return Shape::Hash(key);
+ }
+}
+
+
+template <typename Derived, typename Shape, typename Key>
+uint32_t HashTable<Derived, Shape, Key>::HashForObject(Key key,
+ Object* object) {
+ if (Shape::UsesSeed) {
+ return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object);
+ } else {
+ return Shape::HashForObject(key, object);
+ }
+}
+
+
PropertyDetails::PropertyDetails(Smi* smi) {
value_ = smi->value();
}
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h
index d1632c9deb298218faea31886ffdb0a8e0201cdc..47b02dadcff9658c9fcfe629e137667015e12079 100644
--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@@ -3259,26 +3259,14 @@ class HashTableBase : public FixedArray {
template <typename Derived, typename Shape, typename Key>
class HashTable : public HashTableBase {
public:
- // Wrapper methods
- inline uint32_t Hash(Key key) {
- if (Shape::UsesSeed) {
- return Shape::SeededHash(key, GetHeap()->HashSeed());
- } else {
- return Shape::Hash(key);
- }
- }
-
- inline uint32_t HashForObject(Key key, Object* object) {
- if (Shape::UsesSeed) {
- return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object);
- } else {
- return Shape::HashForObject(key, object);
- }
- }
+ // Wrapper methods. Defined in src/objects-inl.h
+ // to break a cycle with src/heap/heap.h.
+ inline uint32_t Hash(Key key);
+ inline uint32_t HashForObject(Key key, Object* object);
// Returns a new HashTable object.
MUST_USE_RESULT static Handle<Derived> New(
Isolate* isolate, int at_least_space_for,
MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY,
--
2.12.0


@ -15,8 +15,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 6
%global nodejs_minor 9
%global nodejs_patch 5
%global nodejs_minor 10
%global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release 1
@ -26,7 +26,7 @@
%global v8_major 5
%global v8_minor 1
%global v8_build 281
%global v8_patch 89
%global v8_patch 93
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
%global v8_abi %{v8_major}.%{v8_minor}
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -98,9 +98,12 @@ Patch1: 0001-disable-running-gyp-files-for-bundled-deps.patch
Patch2: 0002-Use-openssl-1.0.1.patch
# use system certificates instead of the bundled ones
# modified version of Debian patch:
# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch
Patch3: 0003-CA-Certificates-are-provided-by-Fedora.patch
# Backported from upstream 7.5.0+
Patch3: 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
# Patch to allow building with GCC 7 from
# https://github.com/nodejs/node/issues/10388#issuecomment-283120731
Patch4: 0004-Fix-compatibility-with-GCC-7.patch
BuildRequires: python-devel
BuildRequires: libuv-devel >= 1:1.9.1
@ -240,10 +243,12 @@ The API documentation for the Node.js JavaScript runtime.
rm -rf deps/uv \
deps/zlib
# remove bundled CA certificates
rm -f src/node_root_certs.h
# Use system CA certificates
%patch3 -p1
# Fix GCC7 build
%patch4 -p1
%if 0%{?epel}
%patch2 -p1
%endif
@ -272,8 +277,9 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
--shared-openssl \
--shared-zlib \
--shared-libuv \
--with-dtrace \
--with-intl=system-icu
--without-dtrace \
--with-intl=system-icu \
--openssl-use-def-ca-store
%if %{?with_debug} == 1
# Setting BUILDTYPE=Debug builds both release and debug binaries
@ -407,6 +413,18 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node -
%{_pkgdocdir}/npm/doc
%changelog
* Thu Mar 09 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:6.10.0-1
- Update to 6.10.0
- https://nodejs.org/en/blog/release/v6.10.0/
- New patch for handling system CA certificates
* Tue Feb 28 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:6.9.5-2
- Fix FTBFS against GCC 7
- Resolves: RHBZ 1423991
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:6.9.5-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Feb 1 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:6.9.5-1
- Update to v6.9.5(security)
- Reenable debug mode (https://github.com/nodejs/node/pull/10525)
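Review bot: The %prep hunk at `@ -240,10 +243,12 @@` still shows `rm -f src/node_root_certs.h` next to the new `%patch3 -p1`, but the replacement Patch3 (the upstream backport) no longer rewrites the `root_certs[]` array that the deleted Fedora patch changed from `#include "node_root_certs.h"` to `NULL`, so if that `rm` line is on the new side the build presumably fails on the missing header, and if the header is kept the Mozilla bundle is still compiled in and only skipped at runtime under `NODE_OPENSSL_CERT_STORE`. The rendered page does not show which side the `rm` line is on, so this needs confirming against the spec; in either case the comment above it, `# remove bundled CA certificates`, should be updated to say the bundle is no longer consulted rather than removed. The configure hunk at `@ -272,8 +277,9 @@` also flips `--with-dtrace` to `--without-dtrace`, which the 1:6.10.0-1 changelog entry does not mention; adding a line such as `- Build without dtrace support` would keep the changelog complete.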


@ -1 +1 @@
SHA512 (node-v6.9.5-stripped.tar.gz) = 1d10a60295fba32eddb5187a5986f8103f34115d2fe06895596a662c98191afc81bc9246100f8360d308a07db0bc7b8df9e37fe59d042ac136b42248582f4af2
SHA512 (node-v6.10.0-stripped.tar.gz) = 2da288352df3113d59e882aeb7007a956c4ae7d3fa74262f9492dd789c6c299ff299a355b9a55f999ed3e4e78dd3d7ad4e55fece5e93b9e9ef82da8e670d562e