diff --git a/srcpkgs/nodejs/patches/fix-libressl.patch b/srcpkgs/nodejs/patches/fix-libressl.patch index 00d3ae95f82..f1320f20070 100644 --- a/srcpkgs/nodejs/patches/fix-libressl.patch +++ b/srcpkgs/nodejs/patches/fix-libressl.patch @@ -1,8 +1,7 @@ -diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js -index 35d5ba3..37081d9 100644 ---- a/lib/_tls_wrap.js -+++ b/lib/_tls_wrap.js -@@ -165,26 +165,31 @@ function onclienthello(hello) { +diff -Naur node-v5.7.1.orig/lib/_tls_wrap.js node-v5.7.1/lib/_tls_wrap.js +--- node-v5.7.1.orig/lib/_tls_wrap.js 2016-03-02 14:20:54.000000000 -0800 ++++ node-v5.7.1/lib/_tls_wrap.js 2016-03-09 12:41:27.567542510 -0800 +@@ -165,26 +165,31 @@ if (err) return self.destroy(err); @@ -52,12 +51,12 @@ index 35d5ba3..37081d9 100644 }); }); } -@@ -409,18 +414,15 @@ TLSSocket.prototype._init = function(socket, wrap) { - ssl.onhandshakestart = onhandshakestart.bind(this); - ssl.onhandshakedone = onhandshakedone.bind(this); - ssl.onclienthello = onclienthello.bind(this); -- ssl.oncertcb = oncertcb.bind(this); - ssl.onnewsession = onnewsession.bind(this); +@@ -407,18 +412,15 @@ + ssl.onhandshakestart = () => onhandshakestart.call(this); + ssl.onhandshakedone = () => onhandshakedone.call(this); + ssl.onclienthello = (hello) => onclienthello.call(this, hello); +- ssl.oncertcb = (info) => oncertcb.call(this, info); + ssl.onnewsession = (key, session) => onnewsession.call(this, key, session); ssl.lastHandshakeTime = 0; ssl.handshakes = 0; 
@@ -69,14 +68,14 @@ index 35d5ba3..37081d9 100644 - if (this.server.listenerCount('OCSPRequest') > 0) - ssl.enableCertCb(); + if (this.server && -+ (this.server.listenerCount('resumeSession') > 0 || -+ this.server.listenerCount('newSession') > 0 || -+ this.server.listenerCount('OCSPRequest') > 0)) { ++ (this.server.listenerCount('resumeSession') > 0 || ++ this.server.listenerCount('newSession') > 0 || ++ this.server.listenerCount('OCSPRequest') > 0)) { + ssl.enableSessionCallbacks(); } } else { ssl.onhandshakestart = function() {}; -@@ -462,7 +464,7 @@ TLSSocket.prototype._init = function(socket, wrap) { +@@ -460,7 +462,7 @@ options.server._contexts.length)) { assert(typeof options.SNICallback === 'function'); this._SNICallback = options.SNICallback; 
@@ -85,286 +84,72 @@ index 35d5ba3..37081d9 100644 } if (process.features.tls_npn && options.NPNProtocols) -diff --git a/src/env.h b/src/env.h -index ea5e8fe..995f151 100644 ---- a/src/env.h -+++ b/src/env.h -@@ -56,7 +56,6 @@ namespace node { - V(bytes_parsed_string, "bytesParsed") \ +@@ -654,13 +656,6 @@ + } + }; + +-TLSSocket.prototype.getEphemeralKeyInfo = function() { +- if (this._handle) +- return this._handle.getEphemeralKeyInfo(); +- +- return null; +-}; +- + TLSSocket.prototype.getProtocol = function() { + if (this._handle) + return this._handle.getProtocol(); +@@ -1047,17 +1042,6 @@ + socket._start(); + + socket.on('secure', function() { +- // Check the size of DHE parameter above minimum requirement +- // specified in options. +- var ekeyinfo = socket.getEphemeralKeyInfo(); +- if (ekeyinfo.type === 'DH' && ekeyinfo.size < options.minDHSize) { +- var err = new Error('DH parameter size ' + ekeyinfo.size + +- ' is less than ' + options.minDHSize); +- socket.emit('error', err); +- socket.destroy(); +- return; +- } +- + var verifyError = socket._handle.verifyError(); + + // Verify that server's identity matches it's certificate's names +diff -Naur node-v5.7.1.orig/src/env.h node-v5.7.1/src/env.h +--- node-v5.7.1.orig/src/env.h 2016-03-02 14:20:54.000000000 -0800 ++++ node-v5.7.1/src/env.h 2016-03-09 12:38:59.042899553 -0800 +@@ -66,7 +66,6 @@ + V(cached_data_rejected_string, "cachedDataRejected") \ V(callback_string, "callback") \ V(change_string, "change") \ - V(oncertcb_string, "oncertcb") \ V(onclose_string, "_onclose") \ V(code_string, "code") \ V(compare_string, "compare") \ -diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index f0d353f..fcaf77d 100644 ---- a/src/node_crypto.cc -+++ b/src/node_crypto.cc -@@ -129,8 +129,6 @@ template class SSLWrap; - template void SSLWrap::AddMethods(Environment* env, - Local t); - template void SSLWrap::InitNPN(SecureContext* sc); --template void SSLWrap::SetSNIContext(SecureContext* sc); --template int 
SSLWrap::SetCACerts(SecureContext* sc); - template SSL_SESSION* SSLWrap::GetSessionCallback( - SSL* s, - unsigned char* key, -@@ -158,8 +156,6 @@ template int SSLWrap::SelectNextProtoCallback( +diff -Naur node-v5.7.1.orig/src/node_crypto.cc node-v5.7.1/src/node_crypto.cc +--- node-v5.7.1.orig/src/node_crypto.cc 2016-03-02 14:20:54.000000000 -0800 ++++ node-v5.7.1/src/node_crypto.cc 2016-03-09 12:44:13.609732921 -0800 +@@ -164,8 +164,6 @@ #endif - template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg); + template void SSLWrap::DestroySSL(); -template int SSLWrap::SSLCertCallback(SSL* s, void* arg); -template void SSLWrap::WaitForCertCb(CertCb cb, void* arg); + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + template int SSLWrap::SelectALPNCallback( +@@ -518,8 +516,7 @@ + for (int i = 0; i < sk_X509_num(extra_certs); i++) { + X509* ca = sk_X509_value(extra_certs, i); - static void crypto_threadid_cb(CRYPTO_THREADID* tid) { -@@ -513,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) { - } - - -+// Read a file that contains our certificate in "PEM" format, -+// possibly followed by a sequence of CA certificates that should be -+// sent to the peer in the Certificate message. -+// -+// Taken from OpenSSL - editted for style. - int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, -- X509* x, -- STACK_OF(X509)* extra_certs, -+ BIO* in, - X509** cert, - X509** issuer) { -- CHECK_EQ(*issuer, nullptr); -- CHECK_EQ(*cert, nullptr); -+ int ret = 0; -+ X509* x = nullptr; - -- int ret = SSL_CTX_use_certificate(ctx, x); -+ x = PEM_read_bio_X509_AUX(in, nullptr, CryptoPemCallback, nullptr); -+ -+ if (x == nullptr) { -+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); -+ goto end; -+ } -+ -+ ret = SSL_CTX_use_certificate(ctx, x); - - if (ret) { - // If we could set up our certificate, now proceed to - // the CA certificates. 
-+ X509 *ca; - int r; -+ unsigned long err; - - if (ctx->extra_certs != nullptr) { - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = nullptr; - } - -- for (int i = 0; i < sk_X509_num(extra_certs); i++) { -- X509* ca = sk_X509_value(extra_certs, i); -- - // NOTE: Increments reference count on `ca` - r = SSL_CTX_add1_chain_cert(ctx, ca); -+ while ((ca = PEM_read_bio_X509(in, nullptr, CryptoPemCallback, nullptr))) { + r = SSL_CTX_add_extra_chain_cert(ctx, ca); if (!r) { -+ X509_free(ca); ret = 0; -- *issuer = nullptr; - goto end; - } - // Note that we must not free r if it was successfully -@@ -552,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, - // Find issuer - if (*issuer != nullptr || X509_check_issued(ca, x) != X509_V_OK) - continue; -- - *issuer = ca; - } -+ -+ // When the while loop ends, it's usually just EOF. -+ err = ERR_peek_last_error(); -+ if (ERR_GET_LIB(err) == ERR_LIB_PEM && -+ ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { -+ ERR_clear_error(); -+ } else { -+ // some real error -+ ret = 0; -+ } - } - - // Try getting issuer from a cert store -@@ -566,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, - // no need to free `store` - } else { - // Increment issuer reference count -- *issuer = X509_dup(*issuer); -- if (*issuer == nullptr) { -- ret = 0; -- goto end; -- } -+ CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); - } - } - - end: -- if (ret && x != nullptr) { -- *cert = X509_dup(x); -- if (*cert == nullptr) -- ret = 0; -- } -- return ret; --} -- -- --// Read a file that contains our certificate in "PEM" format, --// possibly followed by a sequence of CA certificates that should be --// sent to the peer in the Certificate message. --// --// Taken from OpenSSL - edited for style. 
--int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, -- BIO* in, -- X509** cert, -- X509** issuer) { -- X509* x = nullptr; -- -- // Just to ensure that `ERR_peek_last_error` below will return only errors -- // that we are interested in -- ERR_clear_error(); -- -- x = PEM_read_bio_X509_AUX(in, nullptr, CryptoPemCallback, nullptr); -- -- if (x == nullptr) { -- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); -- return 0; -- } -- -- X509* extra = nullptr; -- int ret = 0; -- unsigned long err = 0; -- -- // Read extra certs -- STACK_OF(X509)* extra_certs = sk_X509_new_null(); -- if (extra_certs == nullptr) { -- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_MALLOC_FAILURE); -- goto done; -- } -- -- while ((extra = PEM_read_bio_X509(in, nullptr, CryptoPemCallback, nullptr))) { -- if (sk_X509_push(extra_certs, extra)) -- continue; -- -- // Failure, free all certs -- goto done; -- } -- extra = nullptr; -- -- // When the while loop ends, it's usually just EOF. -- err = ERR_peek_last_error(); -- if (ERR_GET_LIB(err) == ERR_LIB_PEM && -- ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { -- ERR_clear_error(); -- } else { -- // some real error -- goto done; -- } -- -- ret = SSL_CTX_use_certificate_chain(ctx, x, extra_certs, cert, issuer); -- if (!ret) -- goto done; -- -- done: -- if (extra_certs != nullptr) -- sk_X509_pop_free(extra_certs, X509_free); -- if (extra != nullptr) -- X509_free(extra); - if (x != nullptr) -- X509_free(x); -- -+ *cert = x; - return ret; - } - -@@ -665,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo& args) { - if (!bio) - return; - -- // Free previous certs -- if (sc->issuer_ != nullptr) { -- X509_free(sc->issuer_); -- sc->issuer_ = nullptr; -- } -- if (sc->cert_ != nullptr) { -- X509_free(sc->cert_); -- sc->cert_ = nullptr; -- } -- - int rv = SSL_CTX_use_certificate_chain(sc->ctx_, - bio, - &sc->cert_, -@@ -946,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { - PKCS12* p12 = nullptr; - 
EVP_PKEY* pkey = nullptr; - X509* cert = nullptr; -- STACK_OF(X509)* extra_certs = nullptr; -+ STACK_OF(X509)* extraCerts = nullptr; - char* pass = nullptr; - bool ret = false; - -@@ -971,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { - pass[passlen] = '\0'; - } - -- // Free previous certs -- if (sc->issuer_ != nullptr) { -- X509_free(sc->issuer_); -- sc->issuer_ = nullptr; -- } -- if (sc->cert_ != nullptr) { -- X509_free(sc->cert_); -- sc->cert_ = nullptr; -- } -- - if (d2i_PKCS12_bio(in, &p12) && -- PKCS12_parse(p12, pass, &pkey, &cert, &extra_certs) && -- SSL_CTX_use_certificate_chain(sc->ctx_, -- cert, -- extra_certs, -- &sc->cert_, -- &sc->issuer_) && -+ PKCS12_parse(p12, pass, &pkey, &cert, &extraCerts) && -+ SSL_CTX_use_certificate(sc->ctx_, cert) && - SSL_CTX_use_PrivateKey(sc->ctx_, pkey)) { -- ret = true; -- } -+ // set extra certs -+ while (X509* x509 = sk_X509_pop(extraCerts)) { -+ if (!sc->ca_store_) { -+ sc->ca_store_ = X509_STORE_new(); -+ SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); -+ } -+ -+ X509_STORE_add_cert(sc->ca_store_, x509); -+ SSL_CTX_add_client_CA(sc->ctx_, x509); -+ X509_free(x509); -+ } - -- if (pkey != nullptr) - EVP_PKEY_free(pkey); -- if (cert != nullptr) - X509_free(cert); -- if (extra_certs != nullptr) -- sk_X509_free(extra_certs); -+ sk_X509_free(extraCerts); -+ -+ ret = true; -+ } - - PKCS12_free(p12); - BIO_free_all(in); -@@ -1052,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo& args) { +@@ -1045,7 +1042,7 @@ void SecureContext::SetFreeListLength(const FunctionCallbackInfo& args) { SecureContext* wrap = Unwrap(args.Holder()); @@ -373,7 +158,7 @@ index f0d353f..fcaf77d 100644 } -@@ -1191,7 +1116,6 @@ void SSLWrap::AddMethods(Environment* env, Local t) { +@@ -1182,14 +1179,12 @@ env->SetProtoMethod(t, "verifyError", VerifyError); env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher); env->SetProtoMethod(t, "endParser", EndParser); 
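Review bot: `SSL_CTX_add_extra_chain_cert(ctx, ca)` takes ownership of `ca` without bumping its reference count, unlike the `SSL_CTX_add1_chain_cert(ctx, ca)` it replaces in the new patch's hunk `@@ -518,8 +516,7 @@` for src/node_crypto.cc (whose `// NOTE: Increments reference count on ca` line is deleted with it), so if the 5.8.0 caller still releases the stack with `sk_X509_pop_free(extra_certs, X509_free)` the way the 4.3.2 code removed further down in this hunk did, every chain certificate is freed twice. Bumping the count before handing it over, e.g. `CRYPTO_add(&ca->references, 1, CRYPTO_LOCK_X509);` as the old patch did for `*issuer`, keeps ownership balanced; the enclosing `SSL_CTX_use_certificate_chain` starts and ends outside the visible inner hunk. The same patch deletes `TLSSocket.prototype.getEphemeralKeyInfo` and the `minDHSize` check in lib/_tls_wrap.js (inner hunks `@@ -654,13 +656,6 @@` and `@@ -1047,17 +1042,6 @@`), so on the LibreSSL build the documented `minDHSize` option silently stops rejecting undersized DH parameters instead of failing or warning. A comment in the patch next to the removed block, `// LibreSSL: no SSL_get_server_tmp_key, so minDHSize is not enforced here`, and a mention in the package would make that downgrade visible to users. The C++ side of the removal and the deleted test file are in the hunks at `@@ -381,7 +166,65 @@` and `@@ -769,156 +584,204 @@`.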
@@ -381,7 +166,65 @@ index f0d353f..fcaf77d 100644 env->SetProtoMethod(t, "renegotiate", Renegotiate); env->SetProtoMethod(t, "shutdownSSL", Shutdown); env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket); -@@ -2080,124 +2004,6 @@ int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg) { + env->SetProtoMethod(t, "newSessionDone", NewSessionDone); + env->SetProtoMethod(t, "setOCSPResponse", SetOCSPResponse); + env->SetProtoMethod(t, "requestOCSP", RequestOCSP); +- env->SetProtoMethod(t, "getEphemeralKeyInfo", GetEphemeralKeyInfo); + env->SetProtoMethod(t, "getProtocol", GetProtocol); + + #ifdef SSL_set_max_send_fragment +@@ -1805,50 +1800,6 @@ + } + + +-template +-void SSLWrap::GetEphemeralKeyInfo( +- const v8::FunctionCallbackInfo& args) { +- Base* w = Unwrap(args.Holder()); +- Environment* env = Environment::GetCurrent(args); +- +- CHECK_NE(w->ssl_, nullptr); +- +- // tmp key is available on only client +- if (w->is_server()) +- return args.GetReturnValue().SetNull(); +- +- Local info = Object::New(env->isolate()); +- +- EVP_PKEY* key; +- +- if (SSL_get_server_tmp_key(w->ssl_, &key)) { +- switch (EVP_PKEY_id(key)) { +- case EVP_PKEY_DH: +- info->Set(env->type_string(), +- FIXED_ONE_BYTE_STRING(env->isolate(), "DH")); +- info->Set(env->size_string(), +- Integer::New(env->isolate(), EVP_PKEY_bits(key))); +- break; +- case EVP_PKEY_EC: +- { +- EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key); +- int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); +- EC_KEY_free(ec); +- info->Set(env->type_string(), +- FIXED_ONE_BYTE_STRING(env->isolate(), "ECDH")); +- info->Set(env->name_string(), +- OneByteString(args.GetIsolate(), OBJ_nid2sn(nid))); +- info->Set(env->size_string(), +- Integer::New(env->isolate(), EVP_PKEY_bits(key))); +- } +- } +- EVP_PKEY_free(key); +- } +- +- return args.GetReturnValue().Set(info); +-} +- +- + #ifdef SSL_set_max_send_fragment + template + void SSLWrap::SetMaxSendFragment( +@@ -2234,129 +2185,6 @@ template 
@@ -424,7 +267,12 @@ index f0d353f..fcaf77d 100644 - info->Set(env->tls_ticket_string(), - Boolean::New(env->isolate(), sess->tlsext_ticklen != 0)); - } -- bool ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp; +- +- bool ocsp = false; +-#ifdef NODE__HAVE_TLSEXT_STATUS_CB +- ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp; +-#endif +- - info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp)); - - Local argv[] = { info }; @@ -504,40 +352,20 @@ index f0d353f..fcaf77d 100644 - -template void SSLWrap::SSLGetter(Local property, - const PropertyCallbackInfo& info) { - HandleScope scope(info.GetIsolate()); -@@ -2219,30 +2025,6 @@ void SSLWrap::DestroySSL() { - } + const PropertyCallbackInfo& info) { + SSL* ssl = Unwrap(info.This())->ssl_; +@@ -2387,10 +2215,6 @@ - --template --void SSLWrap::SetSNIContext(SecureContext* sc) { -- InitNPN(sc); -- CHECK_EQ(SSL_set_SSL_CTX(ssl_, sc->ctx_), sc->ctx_); -- -- SetCACerts(sc); --} -- -- --template --int SSLWrap::SetCACerts(SecureContext* sc) { + template + int SSLWrap::SetCACerts(SecureContext* sc) { - int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_)); - if (err != 1) - return err; - -- STACK_OF(X509_NAME)* list = SSL_dup_CA_list( -- SSL_CTX_get_client_CA_list(sc->ctx_)); -- -- // NOTE: `SSL_set_client_CA_list` takes the ownership of `list` -- SSL_set_client_CA_list(ssl_, list); -- return 1; --} -- -- - void Connection::OnClientHelloParseEnd(void* arg) { - Connection* conn = static_cast(arg); + STACK_OF(X509_NAME)* list = SSL_dup_CA_list( + SSL_CTX_get_client_CA_list(sc->ctx_)); -@@ -2327,10 +2109,6 @@ int Connection::HandleSSLError(const char* func, +@@ -2484,10 +2308,6 @@ DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func); return 0; 
@@ -548,7 +376,7 @@ index f0d353f..fcaf77d 100644 } else if (err == SSL_ERROR_ZERO_RETURN) { HandleScope scope(ssl_env()->isolate()); -@@ -2511,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { +@@ -2668,7 +2488,7 @@ SSL* ssl = static_cast( X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); @@ -557,7 +385,7 @@ index f0d353f..fcaf77d 100644 return 1; // Client needs to check if the server cert is listed in the -@@ -2538,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { +@@ -2695,7 +2515,7 @@ // Call the SNI callback and use its return value as context if (!conn->sniObject_.IsEmpty()) { @@ -566,20 +394,16 @@ index f0d353f..fcaf77d 100644 Local sni_obj = PersistentToLocal(env->isolate(), conn->sniObject_); -@@ -2554,9 +2332,10 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { +@@ -2711,7 +2531,7 @@ Local secure_context_constructor_template = env->secure_context_constructor_template(); if (secure_context_constructor_template->HasInstance(ret)) { - conn->sni_context_.Reset(env->isolate(), ret); + conn->sniContext_.Reset(env->isolate(), ret); SecureContext* sc = Unwrap(ret.As()); -- conn->SetSNIContext(sc); -+ InitNPN(sc); -+ SSL_set_SSL_CTX(s, sc->ctx_); + conn->SetSNIContext(sc); } else { - return SSL_TLSEXT_ERR_NOACK; - } -@@ -2592,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo& args) { +@@ -2749,8 +2569,6 @@ InitNPN(sc); 
@@ -588,11 +412,10 @@ index f0d353f..fcaf77d 100644 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB if (is_server) { SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_); -diff --git a/src/node_crypto.h b/src/node_crypto.h -index cb94650..6373fc4 100644 ---- a/src/node_crypto.h -+++ b/src/node_crypto.h -@@ -179,10 +179,7 @@ class SSLWrap { +diff -Naur node-v5.7.1.orig/src/node_crypto.h node-v5.7.1/src/node_crypto.h +--- node-v5.7.1.orig/src/node_crypto.h 2016-03-02 14:20:54.000000000 -0800 ++++ node-v5.7.1/src/node_crypto.h 2016-03-09 12:45:11.683121390 -0800 +@@ -177,10 +177,7 @@ kind_(kind), next_sess_(nullptr), session_callbacks_(false), @@ -604,17 +427,18 @@ index cb94650..6373fc4 100644 ssl_ = SSL_new(sc->ctx_); env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize); CHECK_NE(ssl_, nullptr); -@@ -199,9 +196,6 @@ class SSLWrap { - npn_protos_.Reset(); - selected_npn_proto_.Reset(); - #endif +@@ -193,10 +190,6 @@ + next_sess_ = nullptr; + } + -#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - sni_context_.Reset(); -#endif +- #ifdef NODE__HAVE_TLSEXT_STATUS_CB ocsp_response_.Reset(); #endif // NODE__HAVE_TLSEXT_STATUS_CB -@@ -212,11 +206,8 @@ class SSLWrap { +@@ -207,11 +200,8 @@ inline bool is_server() const { return kind_ == kServer; } inline bool is_client() const { return kind_ == kClient; } inline bool is_waiting_new_session() const { return new_session_wait_; } @@ -626,7 +450,7 @@ index cb94650..6373fc4 100644 // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and // some for buffers. // NOTE: Actually it is much more than this -@@ -244,7 +235,6 @@ class SSLWrap { +@@ -239,15 +229,12 @@ static void VerifyError(const v8::FunctionCallbackInfo& args); static void GetCurrentCipher(const v8::FunctionCallbackInfo& args); static void EndParser(const v8::FunctionCallbackInfo& args); 
@@ -634,9 +458,17 @@ index cb94650..6373fc4 100644 static void Renegotiate(const v8::FunctionCallbackInfo& args); static void Shutdown(const v8::FunctionCallbackInfo& args); static void GetTLSTicket(const v8::FunctionCallbackInfo& args); -@@ -273,14 +263,10 @@ class SSLWrap { - void* arg); - #endif // OPENSSL_NPN_NEGOTIATED + static void NewSessionDone(const v8::FunctionCallbackInfo& args); + static void SetOCSPResponse(const v8::FunctionCallbackInfo& args); + static void RequestOCSP(const v8::FunctionCallbackInfo& args); +- static void GetEphemeralKeyInfo( +- const v8::FunctionCallbackInfo& args); + static void GetProtocol(const v8::FunctionCallbackInfo& args); + + #ifdef SSL_set_max_send_fragment +@@ -281,12 +268,10 @@ + unsigned int inlen, + void* arg); static int TLSExtStatusCallback(SSL* s, void* arg); - static int SSLCertCallback(SSL* s, void* arg); static void SSLGetter(v8::Local property, @@ -644,16 +476,13 @@ index cb94650..6373fc4 100644 void DestroySSL(); - void WaitForCertCb(CertCb cb, void* arg); -- void SetSNIContext(SecureContext* sc); -- int SetCACerts(SecureContext* sc); + void SetSNIContext(SecureContext* sc); + int SetCACerts(SecureContext* sc); - inline Environment* ssl_env() const { - return env_; -@@ -292,12 +278,6 @@ class SSLWrap { - SSL* ssl_; +@@ -301,21 +286,12 @@ bool session_callbacks_; bool new_session_wait_; -- + - // SSL_set_cert_cb - CertCb cert_cb_; - void* cert_cb_arg_; @@ -662,9 +491,8 @@ index cb94650..6373fc4 100644 ClientHelloParser hello_parser_; #ifdef NODE__HAVE_TLSEXT_STATUS_CB -@@ -309,10 +289,6 @@ class SSLWrap { - v8::Persistent selected_npn_proto_; - #endif // OPENSSL_NPN_NEGOTIATED + v8::Persistent ocsp_response_; + #endif // NODE__HAVE_TLSEXT_STATUS_CB -#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - v8::Persistent sni_context_; 
@@ -673,7 +501,7 @@ index cb94650..6373fc4 100644 friend class SecureContext; }; -@@ -324,6 +300,7 @@ class Connection : public SSLWrap, public AsyncWrap { +@@ -327,6 +303,7 @@ ~Connection() override { #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB sniObject_.Reset(); @@ -681,7 +509,7 @@ index cb94650..6373fc4 100644 servername_.Reset(); #endif } -@@ -338,6 +315,7 @@ class Connection : public SSLWrap, public AsyncWrap { +@@ -341,6 +318,7 @@ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB v8::Persistent sniObject_; @@ -689,11 +517,10 @@ index cb94650..6373fc4 100644 v8::Persistent servername_; #endif -diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc -index d7bf4ed..68c98d5 100644 ---- a/src/tls_wrap.cc -+++ b/src/tls_wrap.cc -@@ -141,8 +141,6 @@ void TLSWrap::InitSSL() { +diff -Naur node-v5.7.1.orig/src/tls_wrap.cc node-v5.7.1/src/tls_wrap.cc +--- node-v5.7.1.orig/src/tls_wrap.cc 2016-03-02 14:20:54.000000000 -0800 ++++ node-v5.7.1/src/tls_wrap.cc 2016-03-09 12:38:59.047899589 -0800 +@@ -141,8 +141,6 @@ InitNPN(sc_); @@ -702,7 +529,7 @@ index d7bf4ed..68c98d5 100644 if (is_server()) { SSL_set_accept_state(ssl_); } else if (is_client()) { -@@ -353,7 +351,6 @@ Local TLSWrap::GetSSLError(int status, int* err, const char** msg) { +@@ -353,7 +351,6 @@ case SSL_ERROR_NONE: case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: 
@@ -710,20 +537,19 @@ index d7bf4ed..68c98d5 100644 break; case SSL_ERROR_ZERO_RETURN: return scope.Escape(env()->zero_return_string()); -@@ -761,6 +758,12 @@ void TLSWrap::EnableSessionCallbacks( +@@ -769,6 +766,11 @@ "EnableSessionCallbacks after destroySSL"); } wrap->enable_session_callbacks(); + EnableHelloParser(args); +} + -+ +void TLSWrap::EnableHelloParser(const FunctionCallbackInfo& args) { + TLSWrap* wrap = Unwrap(args.Holder()); NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength); wrap->hello_parser_.Start(SSLWrap::OnClientHello, OnClientHelloParseEnd, -@@ -785,12 +788,6 @@ void TLSWrap::DestroySSL(const FunctionCallbackInfo& args) { +@@ -793,12 +795,6 @@ } @@ -736,17 +562,7 @@ index d7bf4ed..68c98d5 100644 void TLSWrap::OnClientHelloParseEnd(void* arg) { TLSWrap* c = static_cast(arg); c->Cycle(); -@@ -867,7 +864,8 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg) { - p->sni_context_.Reset(env->isolate(), ctx); - - SecureContext* sc = Unwrap(ctx.As()); -- p->SetSNIContext(sc); -+ InitNPN(sc); -+ SSL_set_SSL_CTX(s, sc->ctx_); - return SSL_TLSEXT_ERR_OK; - } - #endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB -@@ -888,8 +886,8 @@ void TLSWrap::Initialize(Local target, +@@ -896,8 +892,8 @@ env->SetProtoMethod(t, "start", Start); env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode); env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks); 
@@ -756,11 +572,10 @@ index d7bf4ed..68c98d5 100644 StreamBase::AddMethods(env, t, StreamBase::kFlagHasWritev); SSLWrap::AddMethods(env, t); -diff --git a/src/tls_wrap.h b/src/tls_wrap.h -index 31d1952..a4aa3f7 100644 ---- a/src/tls_wrap.h -+++ b/src/tls_wrap.h -@@ -132,7 +132,7 @@ class TLSWrap : public AsyncWrap, +diff -Naur node-v5.7.1.orig/src/tls_wrap.h node-v5.7.1/src/tls_wrap.h +--- node-v5.7.1.orig/src/tls_wrap.h 2016-03-02 14:20:54.000000000 -0800 ++++ node-v5.7.1/src/tls_wrap.h 2016-03-09 12:38:59.047899589 -0800 +@@ -132,7 +132,7 @@ static void SetVerifyMode(const v8::FunctionCallbackInfo& args); static void EnableSessionCallbacks( const v8::FunctionCallbackInfo& args); 
@@ -769,156 +584,204 @@ index 31d1952..a4aa3f7 100644 const v8::FunctionCallbackInfo& args); static void DestroySSL(const v8::FunctionCallbackInfo& args); -@@ -161,6 +161,10 @@ class TLSWrap : public AsyncWrap, +@@ -161,6 +161,10 @@ // If true - delivered EOF to the js-land, either after `close_notify`, or // after the `UV_EOF` on socket. bool eof_; + +#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + v8::Persistent sni_context_; -+#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB ++#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB }; } // namespace node -diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile -index 1148e52..1439862 100644 ---- a/test/fixtures/keys/Makefile -+++ b/test/fixtures/keys/Makefile -@@ -79,14 +79,6 @@ agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem - -CAcreateserial \ - -out agent1-cert.pem - --agent1-pfx.pem: agent1-cert.pem agent1-key.pem ca1-cert.pem -- openssl pkcs12 -export \ -- -in agent1-cert.pem \ -- -inkey agent1-key.pem \ -- -certfile ca1-cert.pem \ -- -out agent1-pfx.pem \ -- -password pass:sample +diff -Naur node-v5.7.1.orig/test/parallel/test-tls-client-getephemeralkeyinfo.js node-v5.7.1/test/parallel/test-tls-client-getephemeralkeyinfo.js +--- node-v5.7.1.orig/test/parallel/test-tls-client-getephemeralkeyinfo.js 2016-03-02 14:20:55.000000000 -0800 ++++ node-v5.7.1/test/parallel/test-tls-client-getephemeralkeyinfo.js 1969-12-31 16:00:00.000000000 -0800 +@@ -1,98 +0,0 @@ +-'use strict'; +-var common = require('../common'); +-var assert = require('assert'); - - agent1-verify: agent1-cert.pem ca1-cert.pem - openssl verify -CAfile ca1-cert.pem agent1-cert.pem - -diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js -index e9443f4..64b6a6c 100644 ---- a/test/parallel/test-tls-ocsp-callback.js -+++ b/test/parallel/test-tls-ocsp-callback.js -@@ -22,7 +22,11 @@ var constants = require('constants'); - var fs = require('fs'); - var join = require('path').join; - --var pfx = 
fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); -+test({ response: false }, function() { -+ test({ response: 'hello world' }, function() { -+ test({ ocsp: false }); -+ }); -+}); - - function test(testOptions, cb) { - -@@ -42,13 +46,6 @@ function test(testOptions, cb) { - var ocspCount = 0; - var ocspResponse; - -- if (testOptions.pfx) { -- delete options.key; -- delete options.cert; -- options.pfx = testOptions.pfx; -- options.passphrase = testOptions.passphrase; -- } +-if (!common.hasCrypto) { +- console.log('1..0 # Skipped: missing crypto'); +- process.exit(); +-} +-var tls = require('tls'); - - var server = tls.createServer(options, function(cleartext) { - cleartext.on('error', function(er) { - // We're ok with getting ECONNRESET in this test, but it's -@@ -108,23 +105,3 @@ function test(testOptions, cb) { - assert.equal(ocspCount, 1); - }); - } +-var fs = require('fs'); +-var key = fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'); +-var cert = fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'); - --var tests = [ -- { response: false }, -- { response: 'hello world' }, -- { ocsp: false } --]; +-var ntests = 0; +-var nsuccess = 0; - --if (!common.hasFipsCrypto) { -- tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' }); +-function loadDHParam(n) { +- var path = common.fixturesDir; +- if (n !== 'error') path += '/keys'; +- return fs.readFileSync(path + '/dh' + n + '.pem'); -} - --function runTests(i) { -- if (i === tests.length) return; +-var cipherlist = { +- 'NOT_PFS': 'AES128-SHA256', +- 'DH': 'DHE-RSA-AES128-GCM-SHA256', +- 'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256' +-}; - -- test(tests[i], common.mustCall(function() { -- runTests(i + 1); -- })); +-function test(size, type, name, next) { +- var cipher = type ? 
cipherlist[type] : cipherlist['NOT_PFS']; +- +- if (name) tls.DEFAULT_ECDH_CURVE = name; +- +- var options = { +- key: key, +- cert: cert, +- ciphers: cipher +- }; +- +- if (type === 'DH') options.dhparam = loadDHParam(size); +- +- var server = tls.createServer(options, function(conn) { +- assert.strictEqual(conn.getEphemeralKeyInfo(), null); +- conn.end(); +- }); +- +- server.on('close', function(err) { +- assert(!err); +- if (next) next(); +- }); +- +- server.listen(common.PORT, '127.0.0.1', function() { +- var client = tls.connect({ +- port: common.PORT, +- rejectUnauthorized: false +- }, function() { +- var ekeyinfo = client.getEphemeralKeyInfo(); +- assert.strictEqual(ekeyinfo.type, type); +- assert.strictEqual(ekeyinfo.size, size); +- assert.strictEqual(ekeyinfo.name, name); +- nsuccess++; +- server.close(); +- }); +- }); -} - --runTests(0); -diff --git a/test/parallel/test-tls-sni-option.js b/test/parallel/test-tls-sni-option.js -index 510b929..5b0bd53 100644 ---- a/test/parallel/test-tls-sni-option.js -+++ b/test/parallel/test-tls-sni-option.js -@@ -26,8 +26,6 @@ function loadPEM(n) { - var serverOptions = { - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert'), -- requestCert: true, -- rejectUnauthorized: false, - SNICallback: function(servername, callback) { - var context = SNIContexts[servername]; +-function testNOT_PFS() { +- test(undefined, undefined, undefined, testDHE1024); +- ntests++; +-} +- +-function testDHE1024() { +- test(1024, 'DH', undefined, testDHE2048); +- ntests++; +-} +- +-function testDHE2048() { +- test(2048, 'DH', undefined, testECDHE256); +- ntests++; +-} +- +-function testECDHE256() { +- test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512); +- ntests++; +-} +- +-function testECDHE512() { +- test(521, 'ECDH', 'secp521r1', null); +- ntests++; +-} +- +-testNOT_PFS(); +- +-process.on('exit', function() { +- assert.equal(ntests, nsuccess); +- assert.equal(ntests, 5); +-}); +diff -Naur 
node-v5.7.1.orig/test/parallel/test-tls-cnnic-whitelist.js node-v5.7.1/test/parallel/test-tls-cnnic-whitelist.js +--- node-v5.7.1.orig/test/parallel/test-tls-cnnic-whitelist.js 2016-03-02 14:20:55.000000000 -0800 ++++ node-v5.7.1/test/parallel/test-tls-cnnic-whitelist.js 2016-03-09 12:38:59.048899596 -0800 +@@ -53,7 +53,9 @@ + port: common.PORT, + rejectUnauthorized: true + }, +- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' ++ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY. ++ errorCode: 'CERT_UNTRUSTED' ++ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' + } + ]; -@@ -48,8 +46,7 @@ var serverOptions = { - var SNIContexts = { - 'a.example.com': { - key: loadPEM('agent1-key'), -- cert: loadPEM('agent1-cert'), -- ca: [ loadPEM('ca2-cert') ] -+ cert: loadPEM('agent1-cert') - }, - 'b.example.com': { +diff -Naur node-v5.7.1.orig/test/parallel/test-tls-sni-server-client.js node-v5.7.1/test/parallel/test-tls-sni-server-client.js +--- node-v5.7.1.orig/test/parallel/test-tls-sni-server-client.js 2016-03-02 14:20:55.000000000 -0800 ++++ node-v5.7.1/test/parallel/test-tls-sni-server-client.js 2016-03-09 12:39:14.677009247 -0800 +@@ -36,11 +36,6 @@ + 'asterisk.test.com': { key: loadPEM('agent3-key'), -@@ -71,13 +68,6 @@ var clientsOptions = [{ + cert: loadPEM('agent3-cert') +- }, +- 'chain.example.com': { +- key: loadPEM('agent6-key'), +- // NOTE: Contains ca3 chain cert +- cert: loadPEM('agent6-cert') + } + }; + +@@ -48,29 +43,32 @@ + + var clientsOptions = [{ + port: serverPort, ++ key: loadPEM('agent1-key'), ++ cert: loadPEM('agent1-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'a.example.com', rejectUnauthorized: false }, { port: serverPort, -- key: loadPEM('agent4-key'), -- cert: loadPEM('agent4-cert'), -- ca: [loadPEM('ca1-cert')], -- servername: 'a.example.com', -- rejectUnauthorized: false ++ key: loadPEM('agent2-key'), ++ cert: loadPEM('agent2-cert'), + ca: [loadPEM('ca2-cert')], + servername: 'b.test.com', + 
rejectUnauthorized: false + }, { + port: serverPort, ++ key: loadPEM('agent2-key'), ++ cert: loadPEM('agent2-cert'), + ca: [loadPEM('ca2-cert')], + servername: 'a.b.test.com', + rejectUnauthorized: false + }, { + port: serverPort, ++ key: loadPEM('agent3-key'), ++ cert: loadPEM('agent3-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'c.wrong.com', + rejectUnauthorized: false -}, { - port: serverPort, - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert'), - ca: [loadPEM('ca2-cert')], -@@ -107,7 +97,7 @@ let serverError; - let clientError; +- ca: [loadPEM('ca1-cert')], +- servername: 'chain.example.com', +- rejectUnauthorized: false + }]; - var server = tls.createServer(serverOptions, function(c) { -- serverResults.push({ sni: c.servername, authorized: c.authorized }); -+ serverResults.push(c.servername); - }); + const serverResults = []; +@@ -82,7 +80,6 @@ - server.on('clientError', function(err) { -@@ -154,16 +144,9 @@ function startTest() { + server.addContext('a.example.com', SNIContexts['a.example.com']); + server.addContext('*.test.com', SNIContexts['asterisk.test.com']); +-server.addContext('chain.example.com', SNIContexts['chain.example.com']); + + server.listen(serverPort, startTest); + +@@ -109,9 +106,7 @@ } process.on('exit', function() { - assert.deepEqual(serverResults, [ -- { sni: 'a.example.com', authorized: false }, -- { sni: 'a.example.com', authorized: true }, -- { sni: 'b.example.com', authorized: false }, -- { sni: 'c.wrong.com', authorized: false }, -- null +- 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com', +- 'chain.example.com' - ]); -- assert.deepEqual(clientResults, [true, true, true, false, false]); -- assert.deepEqual(clientErrors, [null, null, null, null, 'socket hang up']); -- assert.deepEqual(serverErrors, [ -- null, null, null, null, 'Invalid SNI context' -- ]); -+ assert.deepEqual(serverResults, ['a.example.com', 'b.example.com', -+ 'c.wrong.com', null]); +- assert.deepEqual(clientResults, [true, true, false, 
false, true]); ++ assert.deepEqual(serverResults, ['a.example.com', 'b.test.com', ++ 'a.b.test.com', 'c.wrong.com']); + assert.deepEqual(clientResults, [true, true, false, false]); -+ assert.deepEqual(clientErrors, [null, null, null, 'socket hang up']); -+ assert.deepEqual(serverErrors, [null, null, null, 'Invalid SNI context']); }); diff --git a/srcpkgs/nodejs/template b/srcpkgs/nodejs/template index a3f96b00908..3a0f6395f08 100644 --- a/srcpkgs/nodejs/template +++ b/srcpkgs/nodejs/template @@ -1,7 +1,7 @@ # Template file for 'nodejs' pkgname=nodejs -version=4.3.2 -revision=2 +version=5.8.0 +revision=1 patch_args="-Np1" wrksrc=node-v${version} hostmakedepends="pkg-config python" @@ -14,7 +14,7 @@ maintainer="Juan RP " license="MIT" homepage="http://nodejs.org/" distfiles="${homepage}/dist/v${version}/node-v${version}.tar.gz" -checksum=1f92f6d31f7292ce56db57d6703efccf3e6c945948f5901610cefa69e78d3498 +checksum=e8cd580cec1c62053e6357633b9e46d49df1fd5b9fc5c804ca59ba80d722b898 build_options="ssl libuv http_parser" desc_option_libuv="Enable shared libuv"
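Review bot: The test-tls-cnnic-whitelist.js hunk `@@ -53,7 +53,9 @@` leaves commented-out code behind with `+ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'` even though the comment added just above it already records the OpenSSL value; drop that line and keep the explanatory comment. In the same outer hunk the test-tls-sni-server-client.js change removes the `chain.example.com` context and its expected results rather than adapting them, so the package build loses its only coverage of a chained SNI certificate; if LibreSSL cannot pass that case, a one-line comment in the patch saying why would help whoever does the next version bump.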