Update to 6.10.0

https://nodejs.org/en/blog/release/v6.10.0/
New patch for handling system CA certificates
Stephen Gallagher 2017-03-09 14:08:08 -05:00
parent b22fc35f9a
commit 1b7255bc99
No known key found for this signature in database
GPG key ID: 7A25556236BAA3A3
8 changed files with 139 additions and 140 deletions

1
.gitignore vendored

@ -63,3 +63,4 @@
/node-v6.9.3-stripped.tar.gz
/node-v6.9.4-stripped.tar.gz
/node-v6.9.5-stripped.tar.gz
/node-v6.10.0-stripped.tar.gz


@ -1,4 +1,4 @@
From 71a2912f95f287519a3c695417655a0cae4e1bc0 Mon Sep 17 00:00:00 2001
From 061822759b37ab5bda659d74f9149cace5afe628 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 1 Dec 2015 16:35:29 -0500
Subject: [PATCH 1/4] disable running gyp files for bundled deps
@ -25,5 +25,5 @@ index 719b855559383a8011c8f6f073ed69a1cf21aeee..31cd25452dccb0624809c0570a738c5b
$(error Missing or stale $@, please run ./$<)
--
2.11.1
2.12.0


@ -1,4 +1,4 @@
From f614552e1698387dd4d245e07de6b75d9c023e65 Mon Sep 17 00:00:00 2001
From 91d1a67b8cc249af59929cd1a76629a2614860bd Mon Sep 17 00:00:00 2001
From: Haikel Guemar <hguemar@fedoraproject.org>
Date: Tue, 26 Jul 2016 22:50:22 +0200
Subject: [PATCH 2/4] Use openssl 1.0.1
@ -14,10 +14,10 @@ https://github.com/nodejs/node/issues/2783
5 files changed, 223 insertions(+), 13 deletions(-)
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 488337a0764e4cc5e7c27bb8075c1b907696908b..292bbf26ddf5a8dd373cb15e97d220229b4cdcc1 100644
index 3784210ba7b6c046b39d74b45e44538041d35ae2..3c9d72b8d5ef81d15773aed077bd00d2041c9e93 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -112,10 +112,16 @@ handshake extensions:
@@ -113,10 +113,16 @@ handshake extensions:
* ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP,
SPDY, HTTP/2)
* SNI - Allows the use of one TLS server for multiple hostnames with different
@ -73,7 +73,7 @@ index 2e6be8df37c345a383d8a78898daf2a147d90630..239eadbac8ea8e601745a63347a8bb30
// file access modes
NODE_DEFINE_CONSTANT(target, O_RDONLY);
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66e6f49bf4 100644
index 482ec230c0f4500b63b705d705a142e63ff179e5..c5630f30d0bef75ced53b36062bb1f0324dbdb9d 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -22,10 +22,86 @@
@ -163,7 +163,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
if (!Buffer::HasInstance(val) && !val->IsString()) { \
return env->ThrowTypeError(prefix " must be a string or a buffer"); \
} \
@@ -158,11 +234,15 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
@@ -161,11 +237,15 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
#endif
@ -179,7 +179,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
template int SSLWrap<TLSWrap>::SelectALPNCallback(
SSL* s,
@@ -278,12 +358,16 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
@@ -281,12 +361,16 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
env->SetProtoMethod(t, "setCert", SecureContext::SetCert);
env->SetProtoMethod(t, "addCACert", SecureContext::AddCACert);
env->SetProtoMethod(t, "addCRL", SecureContext::AddCRL);
@ -196,7 +196,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
SecureContext::SetSessionIdContext);
env->SetProtoMethod(t, "setSessionTimeout",
SecureContext::SetSessionTimeout);
@@ -513,12 +597,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -514,12 +598,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
SSL_CTX_clear_extra_chain_certs(ctx);
for (int i = 0; i < sk_X509_num(extra_certs); i++) {
@ -223,7 +223,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
ret = 0;
*issuer = nullptr;
goto end;
@@ -793,10 +889,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
@@ -868,10 +964,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
SSL_CTX_set_cipher_list(sc->ctx_, *ciphers);
}
@ -235,7 +235,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
Environment* env = sc->env();
@@ -820,12 +917,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
@@ -895,12 +992,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh);
@ -250,7 +250,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
ASSIGN_OR_RETURN_UNWRAP(&sc, args.This());
Environment* env = sc->env();
ClearErrorOnReturn clear_error_on_return;
@@ -860,10 +959,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
@@ -935,10 +1034,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
DH_free(dh);
if (!r)
@ -262,7 +262,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc;
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
@@ -1870,10 +1970,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
@@ -1952,10 +2052,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
info->Set(env->type_string(),
FIXED_ONE_BYTE_STRING(env->isolate(), "DH"));
info->Set(env->size_string(),
@ -274,7 +274,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key);
int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
EC_KEY_free(ec);
@@ -1882,10 +1983,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
@@ -1964,10 +2065,11 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
info->Set(env->name_string(),
OneByteString(args.GetIsolate(), OBJ_nid2sn(nid)));
info->Set(env->size_string(),
@ -286,7 +286,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
}
return args.GetReturnValue().Set(info);
@@ -2300,11 +2402,16 @@ void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
@@ -2382,11 +2484,16 @@ void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
cert_cb_arg_ = arg;
}
@ -303,7 +303,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
if (!w->is_server())
return 1;
@@ -2369,23 +2476,57 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
@@ -2451,23 +2558,57 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>());
w->sni_context_.Reset();
w->sni_context_.Reset(env->isolate(), ctx);
@ -371,7 +371,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
if (!rv) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
if (!err)
@@ -2445,14 +2586,18 @@ void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
@@ -2527,14 +2668,18 @@ void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
}
@ -391,7 +391,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
// NOTE: `SSL_set_client_CA_list` takes the ownership of `list`
SSL_set_client_CA_list(ssl_, list);
@@ -2726,11 +2871,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
@@ -2808,11 +2953,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
// Server does not need to check the whitelist.
SSL* ssl = static_cast<SSL*>(
@ -407,7 +407,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
// Client needs to check if the server cert is listed in the
// whitelist when it is issued by the specific rootCAs.
CheckResult ret = CheckWhitelistedServerCert(ctx);
@@ -2809,11 +2958,25 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
@@ -2891,11 +3040,25 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
if (is_server)
SSL_set_info_callback(conn->ssl_, SSLInfoCallback);
@ -433,7 +433,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
if (is_server) {
SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
} else if (args[2]->IsString()) {
@@ -4394,10 +4557,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
@@ -4476,10 +4639,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
args.GetReturnValue().Set(vbuf);
delete[] out_value;
}
@ -445,7 +445,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
const PropertyAttribute attributes =
static_cast<PropertyAttribute>(v8::ReadOnly | v8::DontDelete);
@@ -4795,12 +4959,14 @@ bool DiffieHellman::VerifyContext() {
@@ -4877,12 +5041,14 @@ bool DiffieHellman::VerifyContext() {
if (!DH_check(dh, &codes))
return false;
verifyError_ = codes;
@ -460,7 +460,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
Local<FunctionTemplate> t = env->NewFunctionTemplate(New);
@@ -5024,10 +5190,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
@@ -5106,10 +5272,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
return env->ThrowError("Failed to set generated public key");
}
@ -472,7 +472,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
void ECDH::SetPublicKey(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
@@ -5577,10 +5744,11 @@ void GetHashes(const FunctionCallbackInfo<Value>& args) {
@@ -5659,10 +5826,11 @@ void GetHashes(const FunctionCallbackInfo<Value>& args) {
EVP_MD_do_all_sorted(array_push_back<EVP_MD>, &ctx);
args.GetReturnValue().Set(ctx.arr);
}
@ -484,7 +484,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
const size_t num_curves = EC_get_builtin_curves(nullptr, 0);
Local<Array> arr = Array::New(env->isolate(), num_curves);
EC_builtin_curve* curves;
@@ -5601,10 +5769,11 @@ void GetCurves(const FunctionCallbackInfo<Value>& args) {
@@ -5683,10 +5851,11 @@ void GetCurves(const FunctionCallbackInfo<Value>& args) {
free(curves);
}
@ -496,7 +496,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
bool VerifySpkac(const char* data, unsigned int len) {
bool i = 0;
EVP_PKEY* pkey = nullptr;
@@ -5913,12 +6082,16 @@ void InitCrypto(Local<Object> target,
@@ -5995,12 +6164,16 @@ void InitCrypto(Local<Object> target,
Environment* env = Environment::GetCurrent(context);
SecureContext::Initialize(env, target);
@ -513,7 +513,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
Sign::Initialize(env, target);
Verify::Initialize(env, target);
@@ -5934,11 +6107,13 @@ void InitCrypto(Local<Object> target,
@@ -6016,11 +6189,13 @@ void InitCrypto(Local<Object> target,
env->SetMethod(target, "randomBytes", RandomBytes);
env->SetMethod(target, "timingSafeEqual", TimingSafeEqual);
env->SetMethod(target, "getSSLCiphers", GetSSLCiphers);
@ -528,7 +528,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66
EVP_PKEY_encrypt>);
env->SetMethod(target, "privateDecrypt",
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f21a82b8e 100644
index 175206c40df58602b0c24d039b8b5a8bb6f56ba3..5ecc43b08d0b4d97311f09271a26f5a735a6e018 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -16,12 +16,16 @@
@ -548,7 +548,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f
#endif // !OPENSSL_NO_ENGINE
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -99,12 +103,16 @@ class SecureContext : public BaseObject {
@@ -100,12 +104,16 @@ class SecureContext : public BaseObject {
static void SetCert(const v8::FunctionCallbackInfo<v8::Value>& args);
static void AddCACert(const v8::FunctionCallbackInfo<v8::Value>& args);
static void AddCRL(const v8::FunctionCallbackInfo<v8::Value>& args);
@ -565,7 +565,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f
const v8::FunctionCallbackInfo<v8::Value>& args);
static void SetSessionTimeout(
const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -281,11 +289,15 @@ class SSLWrap {
@@ -273,11 +281,15 @@ class SSLWrap {
unsigned char* outlen,
const unsigned char* in,
unsigned int inlen,
@ -581,7 +581,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f
void DestroySSL();
void WaitForCertCb(CertCb cb, void* arg);
@@ -643,10 +655,11 @@ class PublicKeyCipher {
@@ -635,10 +647,11 @@ class PublicKeyCipher {
EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init,
EVP_PKEY_cipher_t EVP_PKEY_cipher>
static void Cipher(const v8::FunctionCallbackInfo<v8::Value>& args);
@ -593,7 +593,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f
~DiffieHellman() override {
if (dh != nullptr) {
DH_free(dh);
@@ -688,11 +701,13 @@ class DiffieHellman : public BaseObject {
@@ -680,11 +693,13 @@ class DiffieHellman : public BaseObject {
bool initialised_;
int verifyError_;
@ -607,7 +607,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f
~ECDH() override {
if (key_ != nullptr)
EC_KEY_free(key_);
@@ -725,10 +740,11 @@ class ECDH : public BaseObject {
@@ -717,10 +732,11 @@ class ECDH : public BaseObject {
bool IsKeyValidForCurve(const BIGNUM* private_key);
EC_KEY* key_;
@ -644,5 +644,5 @@ index d1b1aeccdd95b00b3fd0421c08fd7816cd70d182..a6e63d7c1ccc81e6f7d782dffe833234
} else if (is_client()) {
// Enough space for server response (hello, cert)
--
2.11.1
2.12.0


@ -1,90 +0,0 @@
From 4ea8ba0dcc7fe20c8fff7f574304e749bd37ecea Mon Sep 17 00:00:00 2001
From: Haikel Guemar <hguemar@fedoraproject.org>
Date: Tue, 26 Jul 2016 22:00:25 +0200
Subject: [PATCH 3/4] CA Certificates are provided by Fedora.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
correct path for Fedora
Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
Node.js 4.2
Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
Node.js 5.4.1
Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
Node.js 4.4.7
---
src/node_crypto.cc | 30 +++++++++---------------------
1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 89cd651248361d4fff3c442d5e36cc66e6f49bf4..4fadc0a001422dea3aeade330f8f596c0dab36ee 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -190,12 +190,12 @@ static X509_NAME *cnnic_ev_name =
d2i_X509_NAME(nullptr, &cnnic_ev_p,
sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1);
static Mutex* mutexes;
-const char* const root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
+const char* root_certs[] = {
+ NULL
};
X509_STORE* root_cert_store;
// Just to generate static methods
@@ -845,33 +845,21 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
(void) &clear_error_on_return; // Silence compiler warning.
CHECK_EQ(sc->ca_store_, nullptr);
if (!root_cert_store) {
- root_cert_store = X509_STORE_new();
-
- for (size_t i = 0; i < arraysize(root_certs); i++) {
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
- if (bp == nullptr) {
- return;
- }
-
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
- if (x509 == nullptr) {
- BIO_free_all(bp);
- return;
- }
-
- X509_STORE_add_cert(root_cert_store, x509);
-
- BIO_free_all(bp);
- X509_free(x509);
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+ } else {
+ // empty store
+ root_cert_store = X509_STORE_new();
}
+ } else {
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
}
sc->ca_store_ = root_cert_store;
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
}
void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc;
--
2.11.1


@ -0,0 +1,84 @@
From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Wed, 21 Dec 2016 11:16:38 +0100
Subject: [PATCH 3/4] crypto: Use system CAs instead of using bundled ones
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.
In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.
Fixes: https://github.com/nodejs/node/issues/3159
PR-URL: https://github.com/nodejs/node/pull/8334
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
---
configure | 7 +++++++
src/node_crypto.cc | 4 ++++
2 files changed, 11 insertions(+)
diff --git a/configure b/configure
index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755
--- a/configure
+++ b/configure
@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm",
parser.add_option('--openssl-fips',
action='store',
dest='openssl_fips',
help='Build OpenSSL using FIPS canister .o file in supplied folder')
+parser.add_option('--openssl-use-def-ca-store',
+ action='store_true',
+ dest='use_openssl_ca_store',
+ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
+
shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
help='link to a shared http_parser DLL instead of static linking')
@@ -937,10 +942,12 @@ def configure_v8(o):
def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+ if options.use_openssl_ca_store:
+ o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_fips_settings'] = [
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() {
root_certs_vector->push_back(x509);
}
}
X509_STORE* store = X509_STORE_new();
+#if defined(NODE_OPENSSL_CERT_STORE)
+ X509_STORE_set_default_paths(store);
+#else
for (auto& cert : *root_certs_vector) {
X509_up_ref(cert);
X509_STORE_add_cert(store, cert);
}
+#endif
return store;
}
--
2.12.0
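Review bot: The return value of `X509_STORE_set_default_paths(store)` is discarded in the `NODE_OPENSSL_CERT_STORE` branch of `NewRootCertStore()`, so a failure to register the default lookups would presumably leave the store without trust anchors and without any diagnostic. Consider `CHECK_EQ(1, X509_STORE_set_default_paths(store));`, or at least a comment stating that an empty store, and therefore failed verification, is the intended outcome. With this branch the trust anchors come from OpenSSL's default locations, which the patch description itself says can be redirected through `SSL_CERT_DIR`; a comment such as `// Trust roots follow OpenSSL defaults; SSL_CERT_FILE / SSL_CERT_DIR in the environment override them.` would record that for anyone auditing certificate validation later. The function begins above the hunk, so whether the bundled roots are still parsed into `root_certs_vector` when the define is set cannot be confirmed from the visible lines.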


@ -1,4 +1,4 @@
From c5a932e20110008273acbde5066c4231293d3a54 Mon Sep 17 00:00:00 2001
From fbb5821dc3d967e916a187ee009e955530d2ce8d Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Tue, 28 Feb 2017 13:56:40 -0500
Subject: [PATCH 4/4] Fix compatibility with GCC 7
@ -28,7 +28,7 @@ index 91cb8883be88739eab2b10df71f6f0d08aab436e..a1c3634bd762d7e03b4c87d38aa14a9a
// This class describes a body of an object of a variable size
diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h
index b75dd1c969a498d66584143adf0f03140a69bbd6..690a338a023c25646863715466f777850bc7f437 100644
index 11f4d7498d7558f56037483004a3d5839154516b..72208c2f00f4a9ff47ae487fa9a42f8f82cf12ea 100644
--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@@ -34,10 +34,31 @@
@ -64,7 +64,7 @@ index b75dd1c969a498d66584143adf0f03140a69bbd6..690a338a023c25646863715466f77785
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h
index abced2d4bad50ca2e01373ac5ad3330cdbbdd682..e507dba665bfbd64f5ee5851b08a507de0a2519a 100644
index d1632c9deb298218faea31886ffdb0a8e0201cdc..47b02dadcff9658c9fcfe629e137667015e12079 100644
--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@@ -3259,26 +3259,14 @@ class HashTableBase : public FixedArray {
@ -99,5 +99,5 @@ index abced2d4bad50ca2e01373ac5ad3330cdbbdd682..e507dba665bfbd64f5ee5851b08a507d
Isolate* isolate, int at_least_space_for,
MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY,
--
2.11.1
2.12.0


@ -15,18 +15,18 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 6
%global nodejs_minor 9
%global nodejs_patch 5
%global nodejs_minor 10
%global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release 2
%global nodejs_release 1
# == Bundled Dependency Versions ==
# v8 - from deps/v8/include/v8-version.h
%global v8_major 5
%global v8_minor 1
%global v8_build 281
%global v8_patch 89
%global v8_patch 93
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
%global v8_abi %{v8_major}.%{v8_minor}
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -98,9 +98,8 @@ Patch1: 0001-disable-running-gyp-files-for-bundled-deps.patch
Patch2: 0002-Use-openssl-1.0.1.patch
# use system certificates instead of the bundled ones
# modified version of Debian patch:
# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch
Patch3: 0003-CA-Certificates-are-provided-by-Fedora.patch
# Backported from upstream 7.5.0+
Patch3: 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
# Patch to allow building with GCC 7 from
# https://github.com/nodejs/node/issues/10388#issuecomment-283120731
@ -204,7 +203,7 @@ Development headers for the Node.js JavaScript runtime.
Summary: Node.js Package Manager
Epoch: %{npm_epoch}
Version: %{npm_version}
Release: %{npm_release}%{?dist}.1
Release: %{npm_release}%{?dist}
# We used to ship npm separately, but it is so tightly integrated with Node.js
# (and expected to be present on all Node.js systems) that we ship it bundled
@ -244,8 +243,7 @@ The API documentation for the Node.js JavaScript runtime.
rm -rf deps/uv \
deps/zlib
# remove bundled CA certificates
rm -f src/node_root_certs.h
# Use system CA certificates
%patch3 -p1
# Fix GCC7 build
@ -280,7 +278,8 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
--shared-zlib \
--shared-libuv \
--with-dtrace \
--with-intl=system-icu
--with-intl=system-icu \
--openssl-use-def-ca-store
%if %{?with_debug} == 1
# Setting BUILDTYPE=Debug builds both release and debug binaries
@ -414,7 +413,12 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node -
%{_pkgdocdir}/npm/doc
%changelog
* Tue Feb 28 2017 Stephen Gallagher <sgallagh@redhat.com> - -
* Thu Mar 09 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:6.10.0-1
- Update to 6.10.0
- https://nodejs.org/en/blog/release/v6.10.0/
- New patch for handling system CA certificates
* Tue Feb 28 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:6.9.5-2
- Fix FTBFS against GCC 7
- Resolves: RHBZ 1423991
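Review bot: Nothing in the spec records that Patch3 only takes effect when `--openssl-use-def-ca-store` is passed to configure, and the `rm -f src/node_root_certs.h` step appears to be dropped from the %prep hunk. If the flag were lost in a later rebase, the build would presumably still succeed and fall back to the compiled-in CA copy instead of failing. A comment above the configure invocation would document the coupling, for example `# --openssl-use-def-ca-store defines NODE_OPENSSL_CERT_STORE (Patch3); without it the bundled CA copy is used`. The configure command starts outside the visible hunk, so the exact placement needs checking against the full spec.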


@ -1 +1 @@
SHA512 (node-v6.9.5-stripped.tar.gz) = 1d10a60295fba32eddb5187a5986f8103f34115d2fe06895596a662c98191afc81bc9246100f8360d308a07db0bc7b8df9e37fe59d042ac136b42248582f4af2
SHA512 (node-v6.10.0-stripped.tar.gz) = 2da288352df3113d59e882aeb7007a956c4ae7d3fa74262f9492dd789c6c299ff299a355b9a55f999ed3e4e78dd3d7ad4e55fece5e93b9e9ef82da8e670d562e