Commit d2ab8972 authored by Jakub Jirutka's avatar Jakub Jirutka

main/nodejs: upgrade to 9.10.0

parent 066b35bd
......@@ -7,8 +7,8 @@
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
pkgver=6.9.5
pkgrel=1
pkgver=6.10.0
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="http://nodejs.org/"
arch="all"
......@@ -29,9 +29,6 @@ builddir="$srcdir/node-v$pkgver"
prepare() {
default_prepare || return 1
# Remove bundled CA certificates.
rm -f src/node_root_certs.h
# Remove bundled dependencies that we're not using.
rm -rf deps/http_parser deps/openssl deps/uv deps/zlib
}
......@@ -44,6 +41,7 @@ build() {
--shared-libuv \
--shared-openssl \
--shared-http-parser \
--openssl-use-def-ca-store \
|| return 1
# we need run mksnapshot at build time so paxmark it early
......@@ -67,7 +65,12 @@ package() {
dev() {
provides="nodejs-lts-dev=$pkgver" # for backward compatibility
default_dev
default_dev || return 1
# Remove some junk.
rm -r "$subpkgdir"/usr/lib/node_modules
rmdir -p "$subpkgdir"/usr/lib || :
}
npm() {
......@@ -82,12 +85,6 @@ npm() {
mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
}
md5sums="a2a820b797fb69ffb259b479c7f5df32 node-v6.9.5.tar.gz
14ce8e0fb44d5bf75974026900e0d8c2 use-system-ca-certs.patch
5d99a53ef07e15fe882d449ed995bd91 dont-run-gyp-files-for-bundled-deps.patch"
sha256sums="f7e9ab702c5d1f5a3521199c04cc670fda3cf4b0e48548b09ac7ac874ccb504a node-v6.9.5.tar.gz
fcd2becd2cb9a62537ae11f51f448fd1061aaae17835bb0f2d2aa71bdf9652c0 use-system-ca-certs.patch
c20a62b9dd64591b91a0c1dae649ac04cf7aec402672b349f8daa04f2a08a77b dont-run-gyp-files-for-bundled-deps.patch"
sha512sums="59e544909742d2b3e88b11bbdad6bf713b55e82f32f993b17b7eff83cd1cbac3c10fb2445304245d44ce1c2c219f439acd51f872ecb285535d8ae471bf4c8410 node-v6.9.5.tar.gz
c540878495761f4c38f3cccd61da75fa5619637ba9887b7946964a7cef790178e26678fe0aabe400e32c8f0f65e97a519ceee1534bbf18a1a14bc6e9fe067637 use-system-ca-certs.patch
sha512sums="79d3d0854dea1a733175eaa9c5ba0d697d0c57cbcaf2920457eca2d77cc5edadcff8b9eef047156183d05b933582af1b7ef0e64071a9be1c79903af3e7437a92 node-v6.10.0.tar.gz
316a09f697e244c48d4dcf26ca2bb7e2441fc01ed61ad6b987e24741f93cfcf29f2e6de736ab9e4c014355cd14dd63ae7de1f8c28b5274e3225b1b3412db11d4 use-system-ca-certs.patch
a8be538158b7c96341a407acba30450ddc5c3ad764e7efe728d1ceff64efc3067b177855b9ef91b54400be6a02600d83da4c21a07ae9d7dc0774f92b2006ea8b dont-run-gyp-files-for-bundled-deps.patch"
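Review bot: In build(), `--openssl-use-def-ca-store` is now the only thing that keeps the packaged node off its compiled-in Mozilla root list, and nothing in the APKBUILD says so or would flag the build if the option stopped taking effect. The prepare() hunk appears to drop the `rm -f src/node_root_certs.h` step, which previously guaranteed that the bundled roots could not be compiled in; the rendered page has lost its +/- markers, so this is inferred from the hunk counts. I would add a comment above the flag, e.g. `# Security: trust the system CA store; without this flag node falls back to its bundled root certificates.`, so that a later edit of the configure options does not silently change the trust anchors. Separately, in dev() the new `rm -r "$subpkgdir"/usr/lib/node_modules` has no `|| return 1`, unlike the `default_dev || return 1` line above it, so a failure there may go unnoticed unless the function runs under `set -e`.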
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Sat, 26 Nov 2016 01:32:00 +0200
Subject: Use system-provided CA certificates instead of bundled ones
From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Wed, 21 Dec 2016 11:16:38 +0100
Subject: [PATCH] crypto: Use system CAs instead of using bundled ones
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02
NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.
Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
correct path for Fedora
In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.
Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
Node.js 4.2
Fixes: https://github.com/nodejs/node/issues/3159
PR-URL: https://github.com/nodejs/node/pull/8334
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
Node.js 5.4.1
Source: http://pkgs.fedoraproject.org/cgit/rpms/nodejs.git/tree/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
---
configure | 7 +++++++
src/node_crypto.cc | 4 ++++
2 files changed, 11 insertions(+)
Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
Node.js 4.4.7
diff --git a/configure b/configure
index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755
--- a/configure
+++ b/configure
@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm",
parser.add_option('--openssl-fips',
action='store',
dest='openssl_fips',
help='Build OpenSSL using FIPS canister .o file in supplied folder')
Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> for Alpine Linux
+parser.add_option('--openssl-use-def-ca-store',
+ action='store_true',
+ dest='use_openssl_ca_store',
+ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
+
shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
help='link to a shared http_parser DLL instead of static linking')
@@ -937,10 +942,12 @@ def configure_v8(o):
def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+ if options.use_openssl_ca_store:
+ o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_fips_settings'] = [
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name =
static Mutex* mutexes;
-const char* const root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
+const char* root_certs[] = {
+ NULL
};
X509_STORE* root_cert_store;
@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
CHECK_EQ(sc->ca_store_, nullptr);
if (!root_cert_store) {
- root_cert_store = X509_STORE_new();
-
- for (size_t i = 0; i < arraysize(root_certs); i++) {
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
- if (bp == nullptr) {
- return;
- }
-
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
- if (x509 == nullptr) {
- BIO_free_all(bp);
- return;
- }
-
- X509_STORE_add_cert(root_cert_store, x509);
-
- BIO_free_all(bp);
- X509_free(x509);
+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) {
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+ } else {
+ // empty store
+ root_cert_store = X509_STORE_new();
@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() {
root_certs_vector->push_back(x509);
}
}
+ } else {
+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
X509_STORE* store = X509_STORE_new();
+#if defined(NODE_OPENSSL_CERT_STORE)
+ X509_STORE_set_default_paths(store);
+#else
for (auto& cert : *root_certs_vector) {
X509_up_ref(cert);
X509_STORE_add_cert(store, cert);
}
+#endif
sc->ca_store_ = root_cert_store;
- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
return store;
}
--
2.9.0
2.12.0
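Review bot: In NewRootCertStore(), the `NODE_OPENSSL_CERT_STORE` branch calls `X509_STORE_set_default_paths(store);` and discards the result. To my understanding the call only registers OpenSSL's default lookup locations, so a system without an installed CA bundle ends up with an empty store and every certificate verification fails with no hint at the cause. That fails closed, which is the safe direction, but it deserves a comment at the call, e.g. `// Trust anchors come from OpenSSL's default CA file/dir (overridable via SSL_CERT_FILE / SSL_CERT_DIR); the bundled roots are not added to this store.` The package should also keep the system CA bundle as a runtime dependency; whether it already does cannot be seen on this page. The function body starts outside the hunk, and the old and new versions of the patch are interleaved here, so this refers to the lines of the Adam Majer version.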