main/nodejs: upgrade to 9.10.0

2 files changed, 81 insertions, 73 deletions

diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 3327a9c212..e5c47b8258 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -7,8 +7,8 @@
 pkgname=nodejs
 # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
 # Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=6.9.5
-pkgrel=1
+pkgver=6.10.0
+pkgrel=0
 pkgdesc="JavaScript runtime built on V8 engine - LTS version"
 url="http://nodejs.org/"
 arch="all"
@@ -29,9 +29,6 @@ builddir="$srcdir/node-v$pkgver"
 prepare() {
 	default_prepare || return 1
 
-	# Remove bundled CA certificates.
-	rm -f src/node_root_certs.h
-
 	# Remove bundled dependencies that we're not using.
 	rm -rf deps/http_parser deps/openssl deps/uv deps/zlib
 }
@@ -44,6 +41,7 @@ build() {
 		--shared-libuv \
 		--shared-openssl \
 		--shared-http-parser \
+		--openssl-use-def-ca-store \
 		|| return 1
 
 	# we need run mksnapshot at build time so paxmark it early
@@ -67,7 +65,12 @@ package() {
 
 dev() {
 	provides="nodejs-lts-dev=$pkgver"  # for backward compatibility
-	default_dev
+
+	default_dev || return 1
+
+	# Remove some junk.
+	rm -r "$subpkgdir"/usr/lib/node_modules
+	rmdir -p "$subpkgdir"/usr/lib || :
 }
 
 npm() {
@@ -82,12 +85,6 @@ npm() {
 	mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
 }
 
-md5sums="a2a820b797fb69ffb259b479c7f5df32  node-v6.9.5.tar.gz
-14ce8e0fb44d5bf75974026900e0d8c2  use-system-ca-certs.patch
-5d99a53ef07e15fe882d449ed995bd91  dont-run-gyp-files-for-bundled-deps.patch"
-sha256sums="f7e9ab702c5d1f5a3521199c04cc670fda3cf4b0e48548b09ac7ac874ccb504a  node-v6.9.5.tar.gz
-fcd2becd2cb9a62537ae11f51f448fd1061aaae17835bb0f2d2aa71bdf9652c0  use-system-ca-certs.patch
-c20a62b9dd64591b91a0c1dae649ac04cf7aec402672b349f8daa04f2a08a77b  dont-run-gyp-files-for-bundled-deps.patch"
-sha512sums="59e544909742d2b3e88b11bbdad6bf713b55e82f32f993b17b7eff83cd1cbac3c10fb2445304245d44ce1c2c219f439acd51f872ecb285535d8ae471bf4c8410  node-v6.9.5.tar.gz
-c540878495761f4c38f3cccd61da75fa5619637ba9887b7946964a7cef790178e26678fe0aabe400e32c8f0f65e97a519ceee1534bbf18a1a14bc6e9fe067637  use-system-ca-certs.patch
+sha512sums="79d3d0854dea1a733175eaa9c5ba0d697d0c57cbcaf2920457eca2d77cc5edadcff8b9eef047156183d05b933582af1b7ef0e64071a9be1c79903af3e7437a92  node-v6.10.0.tar.gz
+316a09f697e244c48d4dcf26ca2bb7e2441fc01ed61ad6b987e24741f93cfcf29f2e6de736ab9e4c014355cd14dd63ae7de1f8c28b5274e3225b1b3412db11d4  use-system-ca-certs.patch
 a8be538158b7c96341a407acba30450ddc5c3ad764e7efe728d1ceff64efc3067b177855b9ef91b54400be6a02600d83da4c21a07ae9d7dc0774f92b2006ea8b  dont-run-gyp-files-for-bundled-deps.patch"
diff --git a/main/nodejs/use-system-ca-certs.patch b/main/nodejs/use-system-ca-certs.patch
index 014b1cedf1..7bcde3bbdd 100644
--- a/main/nodejs/use-system-ca-certs.patch
+++ b/main/nodejs/use-system-ca-certs.patch
@@ -1,75 +1,86 @@
-From: Jakub Jirutka <jakub@jirutka.cz>
-Date: Sat, 26 Nov 2016 01:32:00 +0200
-Subject: Use system-provided CA certificates instead of bundled ones
+From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001
+From: Adam Majer <amajer@suse.de>
+Date: Wed, 21 Dec 2016 11:16:38 +0100
+Subject: [PATCH] crypto: Use system CAs instead of using bundled ones
 
-Forwarded: need some feedback before submitting the matter upstream
-Author: Jérémy Lal <kapouer@melix.org>
-Last-Update: 2014-03-02
+NodeJS can already use an external, shared OpenSSL library. This
+library knows where to look for OS managed certificates. Allow
+a compile-time option to use this CA store by default instead of
+using bundled certificates.
 
-Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
-correct path for Fedora
+In case when using bundled OpenSSL, the paths are also valid for
+majority of Linux systems without additional intervention. If
+this is not set, we can use SSL_CERT_DIR to point it to correct
+location.
 
-Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
-Node.js 4.2
+Fixes: https://github.com/nodejs/node/issues/3159
+PR-URL: https://github.com/nodejs/node/pull/8334
+Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
 
-Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
-Node.js 5.4.1
+Source: http://pkgs.fedoraproject.org/cgit/rpms/nodejs.git/tree/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
+---
+ configure          | 7 +++++++
+ src/node_crypto.cc | 4 ++++
+ 2 files changed, 11 insertions(+)
 
-Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
-Node.js 4.4.7
-
-Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> for Alpine Linux
-
---- a/src/node_crypto.cc
-+++ b/src/node_crypto.cc
-@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name =
- 
- static Mutex* mutexes;
+diff --git a/configure b/configure
+index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755
+--- a/configure
++++ b/configure
+@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm",
+ parser.add_option('--openssl-fips',
+     action='store',
+     dest='openssl_fips',
+     help='Build OpenSSL using FIPS canister .o file in supplied folder')
  
--const char* const root_certs[] = {
--#include "node_root_certs.h"  // NOLINT(build/include_order)
-+const char* root_certs[] = {
-+  NULL
- };
++parser.add_option('--openssl-use-def-ca-store',
++    action='store_true',
++    dest='use_openssl_ca_store',
++    help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
++
+ shared_optgroup.add_option('--shared-http-parser',
+     action='store_true',
+     dest='shared_http_parser',
+     help='link to a shared http_parser DLL instead of static linking')
  
- X509_STORE* root_cert_store;
-@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
-   CHECK_EQ(sc->ca_store_, nullptr);
+@@ -937,10 +942,12 @@ def configure_v8(o):
  
-   if (!root_cert_store) {
--    root_cert_store = X509_STORE_new();
--
--    for (size_t i = 0; i < arraysize(root_certs); i++) {
--      BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
--      if (bp == nullptr) {
--        return;
--      }
--
--      X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
--      if (x509 == nullptr) {
--        BIO_free_all(bp);
--        return;
--      }
--
--      X509_STORE_add_cert(root_cert_store, x509);
--
--      BIO_free_all(bp);
--      X509_free(x509);
-+    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) {
-+      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
-+    } else {
-+      // empty store
-+      root_cert_store = X509_STORE_new();
+ def configure_openssl(o):
+   o['variables']['node_use_openssl'] = b(not options.without_ssl)
+   o['variables']['node_shared_openssl'] = b(options.shared_openssl)
+   o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
++  if options.use_openssl_ca_store:
++    o['defines'] += ['NODE_OPENSSL_CERT_STORE']
+   if options.openssl_fips:
+     o['variables']['openssl_fips'] = options.openssl_fips
+     fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
+     fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
+     o['make_fips_settings'] = [
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() {
+       root_certs_vector->push_back(x509);
      }
-+  } else {
-+    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
    }
  
-   sc->ca_store_ = root_cert_store;
--  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+   X509_STORE* store = X509_STORE_new();
++#if defined(NODE_OPENSSL_CERT_STORE)
++  X509_STORE_set_default_paths(store);
++#else
+   for (auto& cert : *root_certs_vector) {
+     X509_up_ref(cert);
+     X509_STORE_add_cert(store, cert);
+   }
++#endif
+ 
+   return store;
  }
  
  
 -- 
-2.9.0
+2.12.0