Merge branch 'master' into epel7
commit
79a6267572
3
.gitignore
vendored
3
.gitignore
vendored
@ -32,8 +32,6 @@
|
||||
/node-v0.10.32-stripped.tar.gz
|
||||
/node-v0.10.33-stripped.tar.gz
|
||||
/node-v0.10.36-stripped.tar.gz
|
||||
/node-v0.10.42-stripped.tar.gz
|
||||
/node-v0.10.46-stripped.tar.gz
|
||||
/node-v4.2.2-stripped.tar.gz
|
||||
/node-v4.2.3-stripped.tar.gz
|
||||
/node-v4.2.4-stripped.tar.gz
|
||||
@ -65,3 +63,4 @@
|
||||
/node-v6.9.3-stripped.tar.gz
|
||||
/node-v6.9.4-stripped.tar.gz
|
||||
/node-v6.9.5-stripped.tar.gz
|
||||
/node-v6.10.0-stripped.tar.gz
|
||||
|
@ -1,17 +1,19 @@
|
||||
From da4ed485ddd52cd156406f939225146e8539cabb Mon Sep 17 00:00:00 2001
|
||||
From 061822759b37ab5bda659d74f9149cace5afe628 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Tue, 1 Dec 2015 16:35:29 -0500
|
||||
Subject: [PATCH 1/3] disable running gyp files for bundled deps
|
||||
Subject: [PATCH 1/4] disable running gyp files for bundled deps
|
||||
|
||||
---
|
||||
Makefile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index a8870a5..f7fc4a9 100644
|
||||
index 719b855559383a8011c8f6f073ed69a1cf21aeee..31cd25452dccb0624809c0570a738c5b49cc782c 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -70,7 +70,7 @@ $(NODE_G_EXE): config.gypi out/Makefile
|
||||
@@ -70,11 +70,11 @@ $(NODE_EXE): config.gypi out/Makefile
|
||||
|
||||
$(NODE_G_EXE): config.gypi out/Makefile
|
||||
$(MAKE) -C out BUILDTYPE=Debug V=$(V)
|
||||
ln -fs out/Debug/$(NODE_EXE) $@
|
||||
|
||||
@ -20,6 +22,8 @@ index a8870a5..f7fc4a9 100644
|
||||
$(PYTHON) tools/gyp_node.py -f make
|
||||
|
||||
config.gypi: configure
|
||||
$(error Missing or stale $@, please run ./$<)
|
||||
|
||||
--
|
||||
2.9.0
|
||||
2.12.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 6cf8243a70e26843c7770f7b29b1a33b822d1c26 Mon Sep 17 00:00:00 2001
|
||||
From 91d1a67b8cc249af59929cd1a76629a2614860bd Mon Sep 17 00:00:00 2001
|
||||
From: Haikel Guemar <hguemar@fedoraproject.org>
|
||||
Date: Tue, 26 Jul 2016 22:50:22 +0200
|
||||
Subject: [PATCH 2/3] Use openssl 1.0.1
|
||||
Subject: [PATCH 2/4] Use openssl 1.0.1
|
||||
|
||||
Based on Solaris patches from upstream #2783
|
||||
https://github.com/nodejs/node/issues/2783
|
||||
@ -14,10 +14,12 @@ https://github.com/nodejs/node/issues/2783
|
||||
5 files changed, 223 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/doc/api/tls.md b/doc/api/tls.md
|
||||
index 7feaff2..97ad7a5 100644
|
||||
index 3784210ba7b6c046b39d74b45e44538041d35ae2..3c9d72b8d5ef81d15773aed077bd00d2041c9e93 100644
|
||||
--- a/doc/api/tls.md
|
||||
+++ b/doc/api/tls.md
|
||||
@@ -114,6 +114,12 @@ handshake extensions:
|
||||
@@ -113,10 +113,16 @@ handshake extensions:
|
||||
* ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP,
|
||||
SPDY, HTTP/2)
|
||||
* SNI - Allows the use of one TLS server for multiple hostnames with different
|
||||
SSL certificates.
|
||||
|
||||
@ -30,11 +32,15 @@ index 7feaff2..97ad7a5 100644
|
||||
*Note*: Use of ALPN is recommended over NPN. The NPN extension has never been
|
||||
formally defined or documented and generally not recommended for use.
|
||||
|
||||
### Client-initiated renegotiation attack mitigation
|
||||
|
||||
diff --git a/src/node_constants.cc b/src/node_constants.cc
|
||||
index 2e6be8d..239eadb 100644
|
||||
index 2e6be8df37c345a383d8a78898daf2a147d90630..239eadbac8ea8e601745a63347a8bb301c22d1b1 100644
|
||||
--- a/src/node_constants.cc
|
||||
+++ b/src/node_constants.cc
|
||||
@@ -14,7 +14,10 @@
|
||||
@@ -12,11 +12,14 @@
|
||||
#include <signal.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
@ -45,7 +51,11 @@ index 2e6be8d..239eadb 100644
|
||||
# include <openssl/ssl.h>
|
||||
# ifndef OPENSSL_NO_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
@@ -976,12 +979,14 @@ void DefineOpenSSLConstants(Local<Object> target) {
|
||||
# endif // !OPENSSL_NO_ENGINE
|
||||
#endif
|
||||
@@ -974,16 +977,18 @@ void DefineOpenSSLConstants(Local<Object> target) {
|
||||
NODE_DEFINE_CONSTANT(target, RSA_PKCS1_PSS_PADDING);
|
||||
#endif
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
// NOTE: These are not defines
|
||||
@ -60,11 +70,15 @@ index 2e6be8d..239eadb 100644
|
||||
}
|
||||
|
||||
void DefineSystemConstants(Local<Object> target) {
|
||||
// file access modes
|
||||
NODE_DEFINE_CONSTANT(target, O_RDONLY);
|
||||
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
||||
index 9cf216f..888a0f8 100644
|
||||
index 482ec230c0f4500b63b705d705a142e63ff179e5..c5630f30d0bef75ced53b36062bb1f0324dbdb9d 100644
|
||||
--- a/src/node_crypto.cc
|
||||
+++ b/src/node_crypto.cc
|
||||
@@ -24,6 +24,82 @@
|
||||
@@ -22,10 +22,86 @@
|
||||
#include <limits.h> // INT_MAX
|
||||
#include <math.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
@ -147,7 +161,11 @@ index 9cf216f..888a0f8 100644
|
||||
#define THROW_AND_RETURN_IF_NOT_STRING_OR_BUFFER(val, prefix) \
|
||||
do { \
|
||||
if (!Buffer::HasInstance(val) && !val->IsString()) { \
|
||||
@@ -160,7 +236,11 @@ template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
|
||||
return env->ThrowTypeError(prefix " must be a string or a buffer"); \
|
||||
} \
|
||||
@@ -161,11 +237,15 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
|
||||
#endif
|
||||
|
||||
template void SSLWrap<TLSWrap>::DestroySSL();
|
||||
@ -159,7 +177,11 @@ index 9cf216f..888a0f8 100644
|
||||
template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
|
||||
|
||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
||||
@@ -280,8 +360,12 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
|
||||
template int SSLWrap<TLSWrap>::SelectALPNCallback(
|
||||
SSL* s,
|
||||
@@ -281,12 +361,16 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
|
||||
env->SetProtoMethod(t, "setCert", SecureContext::SetCert);
|
||||
env->SetProtoMethod(t, "addCACert", SecureContext::AddCACert);
|
||||
env->SetProtoMethod(t, "addCRL", SecureContext::AddCRL);
|
||||
env->SetProtoMethod(t, "addRootCerts", SecureContext::AddRootCerts);
|
||||
env->SetProtoMethod(t, "setCiphers", SecureContext::SetCiphers);
|
||||
@ -172,7 +194,11 @@ index 9cf216f..888a0f8 100644
|
||||
env->SetProtoMethod(t, "setOptions", SecureContext::SetOptions);
|
||||
env->SetProtoMethod(t, "setSessionIdContext",
|
||||
SecureContext::SetSessionIdContext);
|
||||
@@ -515,8 +599,20 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
|
||||
env->SetProtoMethod(t, "setSessionTimeout",
|
||||
SecureContext::SetSessionTimeout);
|
||||
@@ -514,12 +598,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
|
||||
SSL_CTX_clear_extra_chain_certs(ctx);
|
||||
|
||||
for (int i = 0; i < sk_X509_num(extra_certs); i++) {
|
||||
X509* ca = sk_X509_value(extra_certs, i);
|
||||
|
||||
@ -195,7 +221,11 @@ index 9cf216f..888a0f8 100644
|
||||
|
||||
if (!r) {
|
||||
ret = 0;
|
||||
@@ -795,6 +891,7 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
|
||||
*issuer = nullptr;
|
||||
goto end;
|
||||
@@ -868,10 +964,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
|
||||
const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
|
||||
SSL_CTX_set_cipher_list(sc->ctx_, *ciphers);
|
||||
}
|
||||
|
||||
|
||||
@ -203,7 +233,11 @@ index 9cf216f..888a0f8 100644
|
||||
void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
|
||||
SecureContext* sc;
|
||||
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
|
||||
@@ -822,8 +919,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
|
||||
Environment* env = sc->env();
|
||||
|
||||
@@ -895,12 +992,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
|
||||
SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE);
|
||||
SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh);
|
||||
|
||||
EC_KEY_free(ecdh);
|
||||
}
|
||||
@ -214,7 +248,11 @@ index 9cf216f..888a0f8 100644
|
||||
void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
|
||||
SecureContext* sc;
|
||||
ASSIGN_OR_RETURN_UNWRAP(&sc, args.This());
|
||||
@@ -862,6 +961,7 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
|
||||
Environment* env = sc->env();
|
||||
ClearErrorOnReturn clear_error_on_return;
|
||||
@@ -935,10 +1034,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
|
||||
DH_free(dh);
|
||||
|
||||
if (!r)
|
||||
return env->ThrowTypeError("Error setting temp DH parameter");
|
||||
}
|
||||
@ -222,7 +260,11 @@ index 9cf216f..888a0f8 100644
|
||||
|
||||
|
||||
void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
|
||||
@@ -1872,6 +1972,7 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
|
||||
SecureContext* sc;
|
||||
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
|
||||
@@ -1952,10 +2052,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
|
||||
info->Set(env->type_string(),
|
||||
FIXED_ONE_BYTE_STRING(env->isolate(), "DH"));
|
||||
info->Set(env->size_string(),
|
||||
Integer::New(env->isolate(), EVP_PKEY_bits(key)));
|
||||
break;
|
||||
@ -230,7 +272,11 @@ index 9cf216f..888a0f8 100644
|
||||
case EVP_PKEY_EC:
|
||||
{
|
||||
EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key);
|
||||
@@ -1884,6 +1985,7 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
|
||||
int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
|
||||
EC_KEY_free(ec);
|
||||
@@ -1964,10 +2065,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
|
||||
info->Set(env->name_string(),
|
||||
OneByteString(args.GetIsolate(), OBJ_nid2sn(nid)));
|
||||
info->Set(env->size_string(),
|
||||
Integer::New(env->isolate(), EVP_PKEY_bits(key)));
|
||||
}
|
||||
@ -238,7 +284,11 @@ index 9cf216f..888a0f8 100644
|
||||
}
|
||||
EVP_PKEY_free(key);
|
||||
}
|
||||
@@ -2301,7 +2403,12 @@ void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
|
||||
|
||||
return args.GetReturnValue().Set(info);
|
||||
@@ -2382,11 +2484,16 @@ void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
|
||||
cert_cb_arg_ = arg;
|
||||
}
|
||||
|
||||
|
||||
template <class Base>
|
||||
@ -251,7 +301,11 @@ index 9cf216f..888a0f8 100644
|
||||
Base* w = static_cast<Base*>(SSL_get_app_data(s));
|
||||
|
||||
if (!w->is_server())
|
||||
@@ -2375,19 +2482,53 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
|
||||
return 1;
|
||||
|
||||
@@ -2451,23 +2558,57 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
|
||||
ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>());
|
||||
w->sni_context_.Reset();
|
||||
w->sni_context_.Reset(env->isolate(), ctx);
|
||||
|
||||
int rv;
|
||||
@ -315,7 +369,11 @@ index 9cf216f..888a0f8 100644
|
||||
if (rv)
|
||||
rv = w->SetCACerts(sc);
|
||||
if (!rv) {
|
||||
@@ -2451,10 +2592,14 @@ void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
|
||||
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
|
||||
if (!err)
|
||||
@@ -2527,14 +2668,18 @@ void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
|
||||
}
|
||||
|
||||
|
||||
template <class Base>
|
||||
int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
|
||||
@ -331,7 +389,11 @@ index 9cf216f..888a0f8 100644
|
||||
STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
|
||||
SSL_CTX_get_client_CA_list(sc->ctx_));
|
||||
|
||||
@@ -2732,7 +2877,11 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
|
||||
// NOTE: `SSL_set_client_CA_list` takes the ownership of `list`
|
||||
SSL_set_client_CA_list(ssl_, list);
|
||||
@@ -2808,11 +2953,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
|
||||
|
||||
// Server does not need to check the whitelist.
|
||||
SSL* ssl = static_cast<SSL*>(
|
||||
X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
|
||||
|
||||
@ -343,7 +405,11 @@ index 9cf216f..888a0f8 100644
|
||||
return 1;
|
||||
|
||||
// Client needs to check if the server cert is listed in the
|
||||
@@ -2815,7 +2964,21 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
|
||||
// whitelist when it is issued by the specific rootCAs.
|
||||
CheckResult ret = CheckWhitelistedServerCert(ctx);
|
||||
@@ -2891,11 +3040,25 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
|
||||
if (is_server)
|
||||
SSL_set_info_callback(conn->ssl_, SSLInfoCallback);
|
||||
|
||||
InitNPN(sc);
|
||||
|
||||
@ -365,7 +431,11 @@ index 9cf216f..888a0f8 100644
|
||||
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
|
||||
if (is_server) {
|
||||
@@ -4404,6 +4567,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
|
||||
SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
|
||||
} else if (args[2]->IsString()) {
|
||||
@@ -4476,10 +4639,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
|
||||
args.GetReturnValue().Set(vbuf);
|
||||
delete[] out_value;
|
||||
}
|
||||
|
||||
|
||||
@ -373,7 +443,11 @@ index 9cf216f..888a0f8 100644
|
||||
void DiffieHellman::Initialize(Environment* env, Local<Object> target) {
|
||||
Local<FunctionTemplate> t = env->NewFunctionTemplate(New);
|
||||
|
||||
@@ -4805,8 +4969,10 @@ bool DiffieHellman::VerifyContext() {
|
||||
const PropertyAttribute attributes =
|
||||
static_cast<PropertyAttribute>(v8::ReadOnly | v8::DontDelete);
|
||||
@@ -4877,12 +5041,14 @@ bool DiffieHellman::VerifyContext() {
|
||||
if (!DH_check(dh, &codes))
|
||||
return false;
|
||||
verifyError_ = codes;
|
||||
return true;
|
||||
}
|
||||
@ -384,7 +458,11 @@ index 9cf216f..888a0f8 100644
|
||||
void ECDH::Initialize(Environment* env, Local<Object> target) {
|
||||
HandleScope scope(env->isolate());
|
||||
|
||||
@@ -5034,6 +5200,7 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
|
||||
Local<FunctionTemplate> t = env->NewFunctionTemplate(New);
|
||||
|
||||
@@ -5106,10 +5272,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
|
||||
return env->ThrowError("Failed to set generated public key");
|
||||
}
|
||||
|
||||
EC_POINT_free(pub);
|
||||
}
|
||||
@ -392,7 +470,11 @@ index 9cf216f..888a0f8 100644
|
||||
|
||||
|
||||
void ECDH::SetPublicKey(const FunctionCallbackInfo<Value>& args) {
|
||||
@@ -5587,6 +5754,7 @@ void GetHashes(const FunctionCallbackInfo<Value>& args) {
|
||||
Environment* env = Environment::GetCurrent(args);
|
||||
|
||||
@@ -5659,10 +5826,11 @@ void GetHashes(const FunctionCallbackInfo<Value>& args) {
|
||||
EVP_MD_do_all_sorted(array_push_back<EVP_MD>, &ctx);
|
||||
args.GetReturnValue().Set(ctx.arr);
|
||||
}
|
||||
|
||||
|
||||
@ -400,7 +482,11 @@ index 9cf216f..888a0f8 100644
|
||||
void GetCurves(const FunctionCallbackInfo<Value>& args) {
|
||||
Environment* env = Environment::GetCurrent(args);
|
||||
const size_t num_curves = EC_get_builtin_curves(nullptr, 0);
|
||||
@@ -5611,6 +5779,7 @@ void GetCurves(const FunctionCallbackInfo<Value>& args) {
|
||||
Local<Array> arr = Array::New(env->isolate(), num_curves);
|
||||
EC_builtin_curve* curves;
|
||||
@@ -5683,10 +5851,11 @@ void GetCurves(const FunctionCallbackInfo<Value>& args) {
|
||||
free(curves);
|
||||
}
|
||||
|
||||
args.GetReturnValue().Set(arr);
|
||||
}
|
||||
@ -408,7 +494,11 @@ index 9cf216f..888a0f8 100644
|
||||
|
||||
|
||||
bool VerifySpkac(const char* data, unsigned int len) {
|
||||
@@ -5886,8 +6055,12 @@ void InitCrypto(Local<Object> target,
|
||||
bool i = 0;
|
||||
EVP_PKEY* pkey = nullptr;
|
||||
@@ -5995,12 +6164,16 @@ void InitCrypto(Local<Object> target,
|
||||
|
||||
Environment* env = Environment::GetCurrent(context);
|
||||
SecureContext::Initialize(env, target);
|
||||
Connection::Initialize(env, target);
|
||||
CipherBase::Initialize(env, target);
|
||||
@ -421,7 +511,11 @@ index 9cf216f..888a0f8 100644
|
||||
Hmac::Initialize(env, target);
|
||||
Hash::Initialize(env, target);
|
||||
Sign::Initialize(env, target);
|
||||
@@ -5906,7 +6079,9 @@ void InitCrypto(Local<Object> target,
|
||||
Verify::Initialize(env, target);
|
||||
|
||||
@@ -6016,11 +6189,13 @@ void InitCrypto(Local<Object> target,
|
||||
env->SetMethod(target, "randomBytes", RandomBytes);
|
||||
env->SetMethod(target, "timingSafeEqual", TimingSafeEqual);
|
||||
env->SetMethod(target, "getSSLCiphers", GetSSLCiphers);
|
||||
env->SetMethod(target, "getCiphers", GetCiphers);
|
||||
env->SetMethod(target, "getHashes", GetHashes);
|
||||
@ -431,11 +525,15 @@ index 9cf216f..888a0f8 100644
|
||||
env->SetMethod(target, "publicEncrypt",
|
||||
PublicKeyCipher::Cipher<PublicKeyCipher::kPublic,
|
||||
EVP_PKEY_encrypt_init,
|
||||
EVP_PKEY_encrypt>);
|
||||
env->SetMethod(target, "privateDecrypt",
|
||||
diff --git a/src/node_crypto.h b/src/node_crypto.h
|
||||
index 24ac773..2b1b6ae 100644
|
||||
index 175206c40df58602b0c24d039b8b5a8bb6f56ba3..5ecc43b08d0b4d97311f09271a26f5a735a6e018 100644
|
||||
--- a/src/node_crypto.h
|
||||
+++ b/src/node_crypto.h
|
||||
@@ -18,8 +18,12 @@
|
||||
@@ -16,12 +16,16 @@
|
||||
#include "base-object-inl.h"
|
||||
|
||||
#include "v8.h"
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
@ -448,7 +546,11 @@ index 24ac773..2b1b6ae 100644
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
#endif // !OPENSSL_NO_ENGINE
|
||||
@@ -101,8 +105,12 @@ class SecureContext : public BaseObject {
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
@@ -100,12 +104,16 @@ class SecureContext : public BaseObject {
|
||||
static void SetCert(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void AddCACert(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void AddCRL(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void AddRootCerts(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void SetCiphers(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
@ -461,7 +563,11 @@ index 24ac773..2b1b6ae 100644
|
||||
static void SetOptions(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void SetSessionIdContext(
|
||||
const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
@@ -283,7 +291,11 @@ class SSLWrap {
|
||||
static void SetSessionTimeout(
|
||||
const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
@@ -273,11 +281,15 @@ class SSLWrap {
|
||||
unsigned char* outlen,
|
||||
const unsigned char* in,
|
||||
unsigned int inlen,
|
||||
void* arg);
|
||||
static int TLSExtStatusCallback(SSL* s, void* arg);
|
||||
@ -473,7 +579,11 @@ index 24ac773..2b1b6ae 100644
|
||||
static void SSLGetter(v8::Local<v8::String> property,
|
||||
const v8::PropertyCallbackInfo<v8::Value>& info);
|
||||
|
||||
@@ -645,6 +657,7 @@ class PublicKeyCipher {
|
||||
void DestroySSL();
|
||||
void WaitForCertCb(CertCb cb, void* arg);
|
||||
@@ -635,10 +647,11 @@ class PublicKeyCipher {
|
||||
EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init,
|
||||
EVP_PKEY_cipher_t EVP_PKEY_cipher>
|
||||
static void Cipher(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
};
|
||||
|
||||
@ -481,7 +591,11 @@ index 24ac773..2b1b6ae 100644
|
||||
class DiffieHellman : public BaseObject {
|
||||
public:
|
||||
~DiffieHellman() override {
|
||||
@@ -690,7 +703,9 @@ class DiffieHellman : public BaseObject {
|
||||
if (dh != nullptr) {
|
||||
DH_free(dh);
|
||||
@@ -680,11 +693,13 @@ class DiffieHellman : public BaseObject {
|
||||
|
||||
bool initialised_;
|
||||
int verifyError_;
|
||||
DH* dh;
|
||||
};
|
||||
@ -491,7 +605,11 @@ index 24ac773..2b1b6ae 100644
|
||||
class ECDH : public BaseObject {
|
||||
public:
|
||||
~ECDH() override {
|
||||
@@ -727,6 +742,7 @@ class ECDH : public BaseObject {
|
||||
if (key_ != nullptr)
|
||||
EC_KEY_free(key_);
|
||||
@@ -717,10 +732,11 @@ class ECDH : public BaseObject {
|
||||
bool IsKeyValidForCurve(const BIGNUM* private_key);
|
||||
|
||||
EC_KEY* key_;
|
||||
const EC_GROUP* group_;
|
||||
};
|
||||
@ -499,11 +617,15 @@ index 24ac773..2b1b6ae 100644
|
||||
|
||||
bool EntropySource(unsigned char* buffer, size_t length);
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
void SetEngine(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
#endif // !OPENSSL_NO_ENGINE
|
||||
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
|
||||
index 7c5df11..3e06621 100644
|
||||
index d1b1aeccdd95b00b3fd0421c08fd7816cd70d182..a6e63d7c1ccc81e6f7d782dffe833234b003de15 100644
|
||||
--- a/src/tls_wrap.cc
|
||||
+++ b/src/tls_wrap.cc
|
||||
@@ -142,7 +142,15 @@ void TLSWrap::InitSSL() {
|
||||
@@ -140,11 +140,19 @@ void TLSWrap::InitSSL() {
|
||||
}
|
||||
#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
|
||||
|
||||
InitNPN(sc_);
|
||||
|
||||
@ -519,6 +641,8 @@ index 7c5df11..3e06621 100644
|
||||
|
||||
if (is_server()) {
|
||||
SSL_set_accept_state(ssl_);
|
||||
} else if (is_client()) {
|
||||
// Enough space for server response (hello, cert)
|
||||
--
|
||||
2.9.0
|
||||
2.12.0
|
||||
|
||||
|
@ -1,82 +0,0 @@
|
||||
From 08305ba6b7fddab1f35c59dc82a3c6b11ceceae3 Mon Sep 17 00:00:00 2001
|
||||
From: Haikel Guemar <hguemar@fedoraproject.org>
|
||||
Date: Tue, 26 Jul 2016 22:00:25 +0200
|
||||
Subject: [PATCH 3/3] CA Certificates are provided by Fedora.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Forwarded: need some feedback before submitting the matter upstream
|
||||
Author: Jérémy Lal <kapouer@melix.org>
|
||||
Last-Update: 2014-03-02
|
||||
|
||||
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
|
||||
correct path for Fedora
|
||||
|
||||
Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
|
||||
Node.js 4.2
|
||||
|
||||
Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
|
||||
Node.js 5.4.1
|
||||
|
||||
Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
|
||||
Node.js 4.4.7
|
||||
---
|
||||
src/node_crypto.cc | 30 +++++++++---------------------
|
||||
1 file changed, 9 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
||||
index 888a0f8..3feff0e 100644
|
||||
--- a/src/node_crypto.cc
|
||||
+++ b/src/node_crypto.cc
|
||||
@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name =
|
||||
|
||||
static Mutex* mutexes;
|
||||
|
||||
-const char* const root_certs[] = {
|
||||
-#include "node_root_certs.h" // NOLINT(build/include_order)
|
||||
+const char* root_certs[] = {
|
||||
+ NULL
|
||||
};
|
||||
|
||||
X509_STORE* root_cert_store;
|
||||
@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
|
||||
CHECK_EQ(sc->ca_store_, nullptr);
|
||||
|
||||
if (!root_cert_store) {
|
||||
- root_cert_store = X509_STORE_new();
|
||||
-
|
||||
- for (size_t i = 0; i < arraysize(root_certs); i++) {
|
||||
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
|
||||
- if (bp == nullptr) {
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
|
||||
- if (x509 == nullptr) {
|
||||
- BIO_free_all(bp);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- X509_STORE_add_cert(root_cert_store, x509);
|
||||
-
|
||||
- BIO_free_all(bp);
|
||||
- X509_free(x509);
|
||||
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
|
||||
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
|
||||
+ } else {
|
||||
+ // empty store
|
||||
+ root_cert_store = X509_STORE_new();
|
||||
}
|
||||
+ } else {
|
||||
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
|
||||
}
|
||||
|
||||
sc->ca_store_ = root_cert_store;
|
||||
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.9.0
|
||||
|
@ -0,0 +1,84 @@
|
||||
From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001
|
||||
From: Adam Majer <amajer@suse.de>
|
||||
Date: Wed, 21 Dec 2016 11:16:38 +0100
|
||||
Subject: [PATCH 3/4] crypto: Use system CAs instead of using bundled ones
|
||||
|
||||
NodeJS can already use an external, shared OpenSSL library. This
|
||||
library knows where to look for OS managed certificates. Allow
|
||||
a compile-time option to use this CA store by default instead of
|
||||
using bundled certificates.
|
||||
|
||||
In case when using bundled OpenSSL, the paths are also valid for
|
||||
majority of Linux systems without additional intervention. If
|
||||
this is not set, we can use SSL_CERT_DIR to point it to correct
|
||||
location.
|
||||
|
||||
Fixes: https://github.com/nodejs/node/issues/3159
|
||||
PR-URL: https://github.com/nodejs/node/pull/8334
|
||||
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
|
||||
Reviewed-By: James M Snell <jasnell@gmail.com>
|
||||
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
|
||||
---
|
||||
configure | 7 +++++++
|
||||
src/node_crypto.cc | 4 ++++
|
||||
2 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm",
|
||||
parser.add_option('--openssl-fips',
|
||||
action='store',
|
||||
dest='openssl_fips',
|
||||
help='Build OpenSSL using FIPS canister .o file in supplied folder')
|
||||
|
||||
+parser.add_option('--openssl-use-def-ca-store',
|
||||
+ action='store_true',
|
||||
+ dest='use_openssl_ca_store',
|
||||
+ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
|
||||
+
|
||||
shared_optgroup.add_option('--shared-http-parser',
|
||||
action='store_true',
|
||||
dest='shared_http_parser',
|
||||
help='link to a shared http_parser DLL instead of static linking')
|
||||
|
||||
@@ -937,10 +942,12 @@ def configure_v8(o):
|
||||
|
||||
def configure_openssl(o):
|
||||
o['variables']['node_use_openssl'] = b(not options.without_ssl)
|
||||
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
|
||||
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
|
||||
+ if options.use_openssl_ca_store:
|
||||
+ o['defines'] += ['NODE_OPENSSL_CERT_STORE']
|
||||
if options.openssl_fips:
|
||||
o['variables']['openssl_fips'] = options.openssl_fips
|
||||
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
|
||||
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
|
||||
o['make_fips_settings'] = [
|
||||
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
||||
index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644
|
||||
--- a/src/node_crypto.cc
|
||||
+++ b/src/node_crypto.cc
|
||||
@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() {
|
||||
root_certs_vector->push_back(x509);
|
||||
}
|
||||
}
|
||||
|
||||
X509_STORE* store = X509_STORE_new();
|
||||
+#if defined(NODE_OPENSSL_CERT_STORE)
|
||||
+ X509_STORE_set_default_paths(store);
|
||||
+#else
|
||||
for (auto& cert : *root_certs_vector) {
|
||||
X509_up_ref(cert);
|
||||
X509_STORE_add_cert(store, cert);
|
||||
}
|
||||
+#endif
|
||||
|
||||
return store;
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.12.0
|
||||
|
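Review bot: In the `NODE_OPENSSL_CERT_STORE` branch added to `NewRootCertStore()` in src/node_crypto.cc, the return value of `X509_STORE_set_default_paths(store)` is discarded, so a failure to register the default lookups hands back an empty store with no diagnostic. Every certificate verification would then fail, which is the safe direction but hard to trace back to this line. Consider checking the result, e.g. `if (X509_STORE_set_default_paths(store) != 1) { /* surface the OpenSSL error */ }`, or at least adding a comment such as `// Returns 1 on success; an empty store rejects every peer certificate.` The function begins above the hunk, and the context line `root_certs_vector->push_back(x509);` suggests the bundled certificates are still parsed even when this branch is compiled in, which is worth confirming.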
103
0004-Fix-compatibility-with-GCC-7.patch
Normal file
103
0004-Fix-compatibility-with-GCC-7.patch
Normal file
@ -0,0 +1,103 @@
|
||||
From fbb5821dc3d967e916a187ee009e955530d2ce8d Mon Sep 17 00:00:00 2001
|
||||
From: Ben Noordhuis <info@bnoordhuis.nl>
|
||||
Date: Tue, 28 Feb 2017 13:56:40 -0500
|
||||
Subject: [PATCH 4/4] Fix compatibility with GCC 7
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
deps/v8/src/objects-body-descriptors.h | 2 +-
|
||||
deps/v8/src/objects-inl.h | 21 +++++++++++++++++++++
|
||||
deps/v8/src/objects.h | 20 ++++----------------
|
||||
3 files changed, 26 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/deps/v8/src/objects-body-descriptors.h b/deps/v8/src/objects-body-descriptors.h
|
||||
index 91cb8883be88739eab2b10df71f6f0d08aab436e..a1c3634bd762d7e03b4c87d38aa14a9a3ce318e4 100644
|
||||
--- a/deps/v8/src/objects-body-descriptors.h
|
||||
+++ b/deps/v8/src/objects-body-descriptors.h
|
||||
@@ -97,11 +97,11 @@ class FixedBodyDescriptor final : public BodyDescriptorBase {
|
||||
IterateBodyImpl<StaticVisitor>(heap, obj, start_offset, end_offset);
|
||||
}
|
||||
|
||||
template <typename StaticVisitor>
|
||||
static inline void IterateBody(HeapObject* obj, int object_size) {
|
||||
- IterateBody(obj);
|
||||
+ IterateBody<StaticVisitor>(obj);
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
// This class describes a body of an object of a variable size
|
||||
diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h
|
||||
index 11f4d7498d7558f56037483004a3d5839154516b..72208c2f00f4a9ff47ae487fa9a42f8f82cf12ea 100644
|
||||
--- a/deps/v8/src/objects-inl.h
|
||||
+++ b/deps/v8/src/objects-inl.h
|
||||
@@ -34,10 +34,31 @@
|
||||
#include "src/v8memory.h"
|
||||
|
||||
namespace v8 {
|
||||
namespace internal {
|
||||
|
||||
+template <typename Derived, typename Shape, typename Key>
|
||||
+uint32_t HashTable<Derived, Shape, Key>::Hash(Key key) {
|
||||
+ if (Shape::UsesSeed) {
|
||||
+ return Shape::SeededHash(key, GetHeap()->HashSeed());
|
||||
+ } else {
|
||||
+ return Shape::Hash(key);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+
|
||||
+template <typename Derived, typename Shape, typename Key>
|
||||
+uint32_t HashTable<Derived, Shape, Key>::HashForObject(Key key,
|
||||
+ Object* object) {
|
||||
+ if (Shape::UsesSeed) {
|
||||
+ return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object);
|
||||
+ } else {
|
||||
+ return Shape::HashForObject(key, object);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+
|
||||
PropertyDetails::PropertyDetails(Smi* smi) {
|
||||
value_ = smi->value();
|
||||
}
|
||||
|
||||
|
||||
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h
|
||||
index d1632c9deb298218faea31886ffdb0a8e0201cdc..47b02dadcff9658c9fcfe629e137667015e12079 100644
|
||||
--- a/deps/v8/src/objects.h
|
||||
+++ b/deps/v8/src/objects.h
|
||||
@@ -3259,26 +3259,14 @@ class HashTableBase : public FixedArray {
|
||||
|
||||
|
||||
template <typename Derived, typename Shape, typename Key>
|
||||
class HashTable : public HashTableBase {
|
||||
public:
|
||||
- // Wrapper methods
|
||||
- inline uint32_t Hash(Key key) {
|
||||
- if (Shape::UsesSeed) {
|
||||
- return Shape::SeededHash(key, GetHeap()->HashSeed());
|
||||
- } else {
|
||||
- return Shape::Hash(key);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- inline uint32_t HashForObject(Key key, Object* object) {
|
||||
- if (Shape::UsesSeed) {
|
||||
- return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object);
|
||||
- } else {
|
||||
- return Shape::HashForObject(key, object);
|
||||
- }
|
||||
- }
|
||||
+ // Wrapper methods. Defined in src/objects-inl.h
|
||||
+ // to break a cycle with src/heap/heap.h.
|
||||
+ inline uint32_t Hash(Key key);
|
||||
+ inline uint32_t HashForObject(Key key, Object* object);
|
||||
|
||||
// Returns a new HashTable object.
|
||||
MUST_USE_RESULT static Handle<Derived> New(
|
||||
Isolate* isolate, int at_least_space_for,
|
||||
MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY,
|
||||
--
|
||||
2.12.0
|
||||
|
38
nodejs.spec
38
nodejs.spec
@ -15,8 +15,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 6
|
||||
%global nodejs_minor 9
|
||||
%global nodejs_patch 5
|
||||
%global nodejs_minor 10
|
||||
%global nodejs_patch 0
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
||||
%global nodejs_release 1
|
||||
@ -26,7 +26,7 @@
|
||||
%global v8_major 5
|
||||
%global v8_minor 1
|
||||
%global v8_build 281
|
||||
%global v8_patch 89
|
||||
%global v8_patch 93
|
||||
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
|
||||
%global v8_abi %{v8_major}.%{v8_minor}
|
||||
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
|
||||
@ -98,9 +98,12 @@ Patch1: 0001-disable-running-gyp-files-for-bundled-deps.patch
|
||||
Patch2: 0002-Use-openssl-1.0.1.patch
|
||||
|
||||
# use system certificates instead of the bundled ones
|
||||
# modified version of Debian patch:
|
||||
# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch
|
||||
Patch3: 0003-CA-Certificates-are-provided-by-Fedora.patch
|
||||
# Backported from upstream 7.5.0+
|
||||
Patch3: 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
|
||||
|
||||
# Patch to allow building with GCC 7 from
|
||||
# https://github.com/nodejs/node/issues/10388#issuecomment-283120731
|
||||
Patch4: 0004-Fix-compatibility-with-GCC-7.patch
|
||||
|
||||
BuildRequires: python-devel
|
||||
BuildRequires: libuv-devel >= 1:1.9.1
|
||||
@ -240,10 +243,12 @@ The API documentation for the Node.js JavaScript runtime.
|
||||
rm -rf deps/uv \
|
||||
deps/zlib
|
||||
|
||||
# remove bundled CA certificates
|
||||
rm -f src/node_root_certs.h
|
||||
# Use system CA certificates
|
||||
%patch3 -p1
|
||||
|
||||
# Fix GCC7 build
|
||||
%patch4 -p1
|
||||
|
||||
%if 0%{?epel}
|
||||
%patch2 -p1
|
||||
%endif
|
||||
@ -272,8 +277,9 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
|
||||
--shared-openssl \
|
||||
--shared-zlib \
|
||||
--shared-libuv \
|
||||
--with-dtrace \
|
||||
--with-intl=system-icu
|
||||
--without-dtrace \
|
||||
--with-intl=system-icu \
|
||||
--openssl-use-def-ca-store
|
||||
|
||||
%if %{?with_debug} == 1
|
||||
# Setting BUILDTYPE=Debug builds both release and debug binaries
|
||||
@ -407,6 +413,18 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node -
|
||||
%{_pkgdocdir}/npm/doc
|
||||
|
||||
%changelog
|
||||
* Thu Mar 09 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:6.10.0-1
|
||||
- Update to 6.10.0
|
||||
- https://nodejs.org/en/blog/release/v6.10.0/
|
||||
- New patch for handling system CA certificates
|
||||
|
||||
* Tue Feb 28 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:6.9.5-2
|
||||
- Fix FTBFS against GCC 7
|
||||
- Resolves: RHBZ 1423991
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:6.9.5-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Wed Feb 1 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:6.9.5-1
|
||||
- Update to v6.9.5(security)
|
||||
- Reenable debug mode (https://github.com/nodejs/node/pull/10525)
|
||||
|
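Review bot: The configure invocation now carries the whole trust-store decision, and nothing next to `--openssl-use-def-ca-store` says that it is security-relevant. `rm -f src/node_root_certs.h` no longer appears in %prep, so the bundled Mozilla CA copy stays in the build tree, and per the new patch 3 it is only bypassed when `NODE_OPENSSL_CERT_STORE` is defined through that flag. A later cleanup of the configure line could therefore silently switch the package back to the compiled-in certificates. A comment above the configure call would make this explicit, for example `# --openssl-use-def-ca-store is mandatory: without it node trusts the CA copy compiled in from src/node_root_certs.h instead of the system store`. Separately, the comment above `Patch4:` points at an issue comment; recording the upstream commit the fix corresponds to, if one exists, would make the vendored V8 change easier to audit.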
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (node-v6.9.5-stripped.tar.gz) = 1d10a60295fba32eddb5187a5986f8103f34115d2fe06895596a662c98191afc81bc9246100f8360d308a07db0bc7b8df9e37fe59d042ac136b42248582f4af2
|
||||
SHA512 (node-v6.10.0-stripped.tar.gz) = 2da288352df3113d59e882aeb7007a956c4ae7d3fa74262f9492dd789c6c299ff299a355b9a55f999ed3e4e78dd3d7ad4e55fece5e93b9e9ef82da8e670d562e
|
||||
|