From dec027544b4bed6515ed061086d29bc2ee8b6593 Mon Sep 17 00:00:00 2001 From: Enno Boland Date: Sun, 6 Mar 2016 00:29:34 +0100 Subject: [PATCH] nodejs: add updated libressl patch. --- srcpkgs/nodejs/patches/fix-libressl.patch | 196 +++++++++++++++++----- 1 file changed, 153 insertions(+), 43 deletions(-) diff --git a/srcpkgs/nodejs/patches/fix-libressl.patch b/srcpkgs/nodejs/patches/fix-libressl.patch index a83bae627d5..00d3ae95f82 100644 --- a/srcpkgs/nodejs/patches/fix-libressl.patch +++ b/srcpkgs/nodejs/patches/fix-libressl.patch @@ -1,5 +1,5 @@ diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js -index 5b36906..8128a46 100644 +index 35d5ba3..37081d9 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -165,26 +165,31 @@ function onclienthello(hello) { @@ -98,10 +98,19 @@ index ea5e8fe..995f151 100644 V(code_string, "code") \ V(compare_string, "compare") \ diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 7911ce9..5cab263 100644 +index f0d353f..fcaf77d 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc -@@ -156,8 +156,6 @@ template int SSLWrap::SelectNextProtoCallback( +@@ -129,8 +129,6 @@ template class SSLWrap; + template void SSLWrap::AddMethods(Environment* env, + Local t); + template void SSLWrap::InitNPN(SecureContext* sc); +-template void SSLWrap::SetSNIContext(SecureContext* sc); +-template int SSLWrap::SetCACerts(SecureContext* sc); + template SSL_SESSION* SSLWrap::GetSessionCallback( + SSL* s, + unsigned char* key, +@@ -158,8 +156,6 @@ template int SSLWrap::SelectNextProtoCallback( #endif template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg); template void SSLWrap::DestroySSL(); @@ -110,7 +119,7 @@ index 7911ce9..5cab263 100644 static void crypto_threadid_cb(CRYPTO_THREADID* tid) { -@@ -511,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) { +@@ -513,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) { } 
@@ -167,7 +176,7 @@ index 7911ce9..5cab263 100644 goto end; } // Note that we must not free r if it was successfully -@@ -550,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, +@@ -552,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // Find issuer if (*issuer != nullptr || X509_check_issued(ca, x) != X509_V_OK) continue; @@ -187,7 +196,7 @@ index 7911ce9..5cab263 100644 } // Try getting issuer from a cert store -@@ -564,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, +@@ -566,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // no need to free `store` } else { // Increment issuer reference count @@ -278,7 +287,7 @@ index 7911ce9..5cab263 100644 return ret; } -@@ -663,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo& args) { +@@ -665,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo& args) { if (!bio) return; @@ -295,7 +304,7 @@ index 7911ce9..5cab263 100644 int rv = SSL_CTX_use_certificate_chain(sc->ctx_, bio, &sc->cert_, -@@ -944,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { +@@ -946,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { PKCS12* p12 = nullptr; EVP_PKEY* pkey = nullptr; X509* cert = nullptr; @@ -304,7 +313,7 @@ index 7911ce9..5cab263 100644 char* pass = nullptr; bool ret = false; -@@ -969,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { +@@ -971,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { pass[passlen] = '\0'; } @@ -355,7 +364,7 @@ index 7911ce9..5cab263 100644 PKCS12_free(p12); BIO_free_all(in); -@@ -1050,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo& args) { +@@ -1052,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo& args) { void SecureContext::SetFreeListLength(const FunctionCallbackInfo& args) { SecureContext* wrap = Unwrap(args.Holder()); 
@@ -364,7 +373,7 @@ index 7911ce9..5cab263 100644 } -@@ -1189,7 +1116,6 @@ void SSLWrap::AddMethods(Environment* env, Local t) { +@@ -1191,7 +1116,6 @@ void SSLWrap::AddMethods(Environment* env, Local t) { env->SetProtoMethod(t, "verifyError", VerifyError); env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher); env->SetProtoMethod(t, "endParser", EndParser); @@ -372,7 +381,7 @@ index 7911ce9..5cab263 100644 env->SetProtoMethod(t, "renegotiate", Renegotiate); env->SetProtoMethod(t, "shutdownSSL", Shutdown); env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket); -@@ -2078,122 +2004,6 @@ int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg) { +@@ -2080,124 +2004,6 @@ int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg) { template @@ -463,6 +472,8 @@ index 7911ce9..5cab263 100644 - rv = SSL_use_PrivateKey(w->ssl_, pkey); - if (rv && chain != nullptr) - rv = SSL_set1_chain(w->ssl_, chain); +- if (rv) +- rv = w->SetCACerts(sc); - if (!rv) { - unsigned long err = ERR_get_error(); - if (!err) 
@@ -495,7 +506,38 @@ index 7911ce9..5cab263 100644 void SSLWrap::SSLGetter(Local property, const PropertyCallbackInfo& info) { HandleScope scope(info.GetIsolate()); -@@ -2299,10 +2109,6 @@ int Connection::HandleSSLError(const char* func, +@@ -2219,30 +2025,6 @@ void SSLWrap::DestroySSL() { + } + + +-template +-void SSLWrap::SetSNIContext(SecureContext* sc) { +- InitNPN(sc); +- CHECK_EQ(SSL_set_SSL_CTX(ssl_, sc->ctx_), sc->ctx_); +- +- SetCACerts(sc); +-} +- +- +-template +-int SSLWrap::SetCACerts(SecureContext* sc) { +- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_)); +- if (err != 1) +- return err; +- +- STACK_OF(X509_NAME)* list = SSL_dup_CA_list( +- SSL_CTX_get_client_CA_list(sc->ctx_)); +- +- // NOTE: `SSL_set_client_CA_list` takes the ownership of `list` +- SSL_set_client_CA_list(ssl_, list); +- return 1; +-} +- +- + void Connection::OnClientHelloParseEnd(void* arg) { + Connection* conn = static_cast(arg); + +@@ -2327,10 +2109,6 @@ int Connection::HandleSSLError(const char* func, DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func); return 0; @@ -506,7 +548,7 @@ index 7911ce9..5cab263 100644 } else if (err == SSL_ERROR_ZERO_RETURN) { HandleScope scope(ssl_env()->isolate()); -@@ -2483,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { +@@ -2511,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { SSL* ssl = static_cast( X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); @@ -515,7 +557,7 @@ index 7911ce9..5cab263 100644 return 1; // Client needs to check if the server cert is listed in the -@@ -2510,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { +@@ -2538,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { // Call the SNI callback and use its return value as context if (!conn->sniObject_.IsEmpty()) { 
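Review bot: Dropping `SSLWrap::SetSNIContext` and `SSLWrap::SetCACerts` in this hunk, and replacing their callers with a bare `InitNPN(sc); SSL_set_SSL_CTX(s, sc->ctx_);` in the `@@ -524,16 +566,20 @@` and `@@ -688,7 +736,17 @@` hunks, means an SNI-selected SecureContext no longer installs its verify cert store or client CA list on the connection, so client certificates presented to that context are left to the connection's original CA configuration rather than the context's own. The `@@ -812,3 +854,71 @@` hunk confirms this is a behaviour change and not only a build fix: it removes `requestCert: true`, the per-context `ca: [ loadPEM('ca2-cert') ]` and the `authorized` results from test-tls-sni-option.js instead of keeping them passing. This is presumably because LibreSSL lacks `SSL_set1_verify_cert_store`, but the patch file starts straight at `diff --git` (hunk `@@ -1,5 +1,5 @@`) and nothing records the trade-off; a header such as `Drops SSLWrap::SetCACerts because LibreSSL lacks SSL_set1_verify_cert_store: SNI-selected contexts do not apply their own CA store or client CA list, so per-SNI client-certificate authentication falls back to the default context.` would let a packager judge whether to ship it. The test edits should be noted there too, since they mask the regression rather than exercise it.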
@@ -524,16 +566,20 @@ index 7911ce9..5cab263 100644 Local sni_obj = PersistentToLocal(env->isolate(), conn->sniObject_); -@@ -2526,7 +2332,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { +@@ -2554,9 +2332,10 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { Local secure_context_constructor_template = env->secure_context_constructor_template(); if (secure_context_constructor_template->HasInstance(ret)) { - conn->sni_context_.Reset(env->isolate(), ret); + conn->sniContext_.Reset(env->isolate(), ret); SecureContext* sc = Unwrap(ret.As()); - InitNPN(sc); - SSL_set_SSL_CTX(s, sc->ctx_); -@@ -2565,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo& args) { +- conn->SetSNIContext(sc); ++ InitNPN(sc); ++ SSL_set_SSL_CTX(s, sc->ctx_); + } else { + return SSL_TLSEXT_ERR_NOACK; + } +@@ -2592,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo& args) { InitNPN(sc); @@ -543,7 +589,7 @@ index 7911ce9..5cab263 100644 if (is_server) { SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_); diff --git a/src/node_crypto.h b/src/node_crypto.h -index e009fc1..6373fc4 100644 +index cb94650..6373fc4 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -179,10 +179,7 @@ class SSLWrap { @@ -588,7 +634,7 @@ index e009fc1..6373fc4 100644 static void Renegotiate(const v8::FunctionCallbackInfo& args); static void Shutdown(const v8::FunctionCallbackInfo& args); static void GetTLSTicket(const v8::FunctionCallbackInfo& args); -@@ -273,12 +263,10 @@ class SSLWrap { +@@ -273,14 +263,10 @@ class SSLWrap { void* arg); #endif // OPENSSL_NPN_NEGOTIATED static int TLSExtStatusCallback(SSL* s, void* arg); 
@@ -598,10 +644,12 @@ index e009fc1..6373fc4 100644 void DestroySSL(); - void WaitForCertCb(CertCb cb, void* arg); +- void SetSNIContext(SecureContext* sc); +- int SetCACerts(SecureContext* sc); inline Environment* ssl_env() const { return env_; -@@ -290,12 +278,6 @@ class SSLWrap { +@@ -292,12 +278,6 @@ class SSLWrap { SSL* ssl_; bool session_callbacks_; bool new_session_wait_; @@ -614,7 +662,7 @@ index e009fc1..6373fc4 100644 ClientHelloParser hello_parser_; #ifdef NODE__HAVE_TLSEXT_STATUS_CB -@@ -307,10 +289,6 @@ class SSLWrap { +@@ -309,10 +289,6 @@ class SSLWrap { v8::Persistent selected_npn_proto_; #endif // OPENSSL_NPN_NEGOTIATED @@ -625,7 +673,7 @@ index e009fc1..6373fc4 100644 friend class SecureContext; }; -@@ -322,6 +300,7 @@ class Connection : public SSLWrap, public AsyncWrap { +@@ -324,6 +300,7 @@ class Connection : public SSLWrap, public AsyncWrap { ~Connection() override { #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB sniObject_.Reset(); @@ -633,7 +681,7 @@ index e009fc1..6373fc4 100644 servername_.Reset(); #endif } -@@ -336,6 +315,7 @@ class Connection : public SSLWrap, public AsyncWrap { +@@ -338,6 +315,7 @@ class Connection : public SSLWrap, public AsyncWrap { #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB v8::Persistent sniObject_; @@ -642,7 +690,7 @@ index e009fc1..6373fc4 100644 #endif diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc -index 1bdd4b7..68c98d5 100644 +index d7bf4ed..68c98d5 100644 --- a/src/tls_wrap.cc +++ b/src/tls_wrap.cc @@ -141,8 +141,6 @@ void TLSWrap::InitSSL() { 
@@ -688,7 +736,17 @@ index 1bdd4b7..68c98d5 100644 void TLSWrap::OnClientHelloParseEnd(void* arg) { TLSWrap* c = static_cast(arg); c->Cycle(); -@@ -889,8 +886,8 @@ void TLSWrap::Initialize(Local target, +@@ -867,7 +864,8 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg) { + p->sni_context_.Reset(env->isolate(), ctx); + + SecureContext* sc = Unwrap(ctx.As()); +- p->SetSNIContext(sc); ++ InitNPN(sc); ++ SSL_set_SSL_CTX(s, sc->ctx_); + return SSL_TLSEXT_ERR_OK; + } + #endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB +@@ -888,8 +886,8 @@ void TLSWrap::Initialize(Local target, env->SetProtoMethod(t, "start", Start); env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode); env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks); @@ -741,22 +799,6 @@ index 1148e52..1439862 100644 agent1-verify: agent1-cert.pem ca1-cert.pem openssl verify -CAfile ca1-cert.pem agent1-cert.pem -diff --git a/test/parallel/test-tls-cnnic-whitelist.js b/test/parallel/test-tls-cnnic-whitelist.js -index 85e1d90..d639dce 100644 ---- a/test/parallel/test-tls-cnnic-whitelist.js -+++ b/test/parallel/test-tls-cnnic-whitelist.js -@@ -53,7 +53,10 @@ var testCases = [ - port: common.PORT, - rejectUnauthorized: true - }, -- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' -+ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL -+ // returns UNABLE_TO_GET_ISSUER_CERT_LOCALLY. -+ errorCode: 'CERT_UNTRUSTED' -+ //errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' - } - ]; - diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js index e9443f4..64b6a6c 100644 --- a/test/parallel/test-tls-ocsp-callback.js 
@@ -812,3 +854,71 @@ index e9443f4..64b6a6c 100644 -} - -runTests(0); +diff --git a/test/parallel/test-tls-sni-option.js b/test/parallel/test-tls-sni-option.js +index 510b929..5b0bd53 100644 +--- a/test/parallel/test-tls-sni-option.js ++++ b/test/parallel/test-tls-sni-option.js +@@ -26,8 +26,6 @@ function loadPEM(n) { + var serverOptions = { + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert'), +- requestCert: true, +- rejectUnauthorized: false, + SNICallback: function(servername, callback) { + var context = SNIContexts[servername]; + +@@ -48,8 +46,7 @@ var serverOptions = { + var SNIContexts = { + 'a.example.com': { + key: loadPEM('agent1-key'), +- cert: loadPEM('agent1-cert'), +- ca: [ loadPEM('ca2-cert') ] ++ cert: loadPEM('agent1-cert') + }, + 'b.example.com': { + key: loadPEM('agent3-key'), +@@ -71,13 +68,6 @@ var clientsOptions = [{ + rejectUnauthorized: false + }, { + port: serverPort, +- key: loadPEM('agent4-key'), +- cert: loadPEM('agent4-cert'), +- ca: [loadPEM('ca1-cert')], +- servername: 'a.example.com', +- rejectUnauthorized: false +-}, { +- port: serverPort, + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert'), + ca: [loadPEM('ca2-cert')], +@@ -107,7 +97,7 @@ let serverError; + let clientError; + + var server = tls.createServer(serverOptions, function(c) { +- serverResults.push({ sni: c.servername, authorized: c.authorized }); ++ serverResults.push(c.servername); + }); + + server.on('clientError', function(err) { +@@ -154,16 +144,9 @@ function startTest() { + } + + process.on('exit', function() { +- assert.deepEqual(serverResults, [ +- { sni: 'a.example.com', authorized: false }, +- { sni: 'a.example.com', authorized: true }, +- { sni: 'b.example.com', authorized: false }, +- { sni: 'c.wrong.com', authorized: false }, +- null +- ]); +- assert.deepEqual(clientResults, [true, true, true, false, false]); +- assert.deepEqual(clientErrors, [null, null, null, null, 'socket hang up']); +- assert.deepEqual(serverErrors, [ +- null, null, null, 
null, 'Invalid SNI context' +- ]); ++ assert.deepEqual(serverResults, ['a.example.com', 'b.example.com', ++ 'c.wrong.com', null]); ++ assert.deepEqual(clientResults, [true, true, false, false]); ++ assert.deepEqual(clientErrors, [null, null, null, 'socket hang up']); ++ assert.deepEqual(serverErrors, [null, null, null, 'Invalid SNI context']); + });