From d2ab8972ad5d3bd53385c5201f0a4ff6b85b7ed4 Mon Sep 17 00:00:00 2001
From: Jakub Jirutka
Date: Fri, 10 Mar 2017 01:50:05 +0100
Subject: main/nodejs: upgrade to 9.10.0
---
 main/nodejs/APKBUILD | 25 +++----
 main/nodejs/use-system-ca-certs.patch | 129 ++++++++++++++++++----------------
 2 files changed, 81 insertions(+), 73 deletions(-)
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index 3327a9c212..e5c47b8258 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -7,8 +7,8 @@
 pkgname=nodejs
 # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
 # Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=6.9.5
-pkgrel=1
+pkgver=6.10.0
+pkgrel=0
 pkgdesc="JavaScript runtime built on V8 engine - LTS version"
 url="http://nodejs.org/"
 arch="all"
@@ -29,9 +29,6 @@ builddir="$srcdir/node-v$pkgver"
 prepare() {
 default_prepare || return 1
 
- # Remove bundled CA certificates.
- rm -f src/node_root_certs.h
-
 # Remove bundled dependencies that we're not using.
 rm -rf deps/http_parser deps/openssl deps/uv deps/zlib
 }
@@ -44,6 +41,7 @@ build() {
 --shared-libuv \
 --shared-openssl \
 --shared-http-parser \
+ --openssl-use-def-ca-store \
 || return 1
 
 # we need run mksnapshot at build time so paxmark it early
@@ -67,7 +65,12 @@ package() {
 
 dev() {
 provides="nodejs-lts-dev=$pkgver" # for backward compatibility
- default_dev
+
+ default_dev || return 1
+
+ # Remove some junk.
+ rm -r "$subpkgdir"/usr/lib/node_modules
+ rmdir -p "$subpkgdir"/usr/lib || :
 }
 
 npm() {
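Review bot: Nothing in build() explains why `--openssl-use-def-ca-store` is passed, and the only comment about CA handling (`# Remove bundled CA certificates.` in prepare()) is deleted by this same commit. The option exists only because use-system-ca-certs.patch adds the matching `parser.add_option('--openssl-use-def-ca-store', ...)` call to configure, so the flag and the patch have to be kept or dropped together on later upgrades. I would add a comment above the configure call (outside this hunk), e.g. `# --openssl-use-def-ca-store is provided by use-system-ca-certs.patch; it makes node trust the system CA store instead of the bundled Mozilla copy.` The body of build() starts and ends outside the hunk.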
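Review bot: The added `rm -r "$subpkgdir"/usr/lib/node_modules` in dev() has no failure handling, while the line before it uses `default_dev || return 1` and the line after it ends in `|| :`. If the directory is ever absent, the hunk does not make clear whether the rm error is ignored or aborts the function, since that depends on how abuild runs it. Pick one explicitly: `rm -r "$subpkgdir"/usr/lib/node_modules || return 1` to fail the build, or `rm -rf "$subpkgdir"/usr/lib/node_modules` if the cleanup is best-effort. The comment `# Remove some junk.` would also be more useful if it said why node_modules ends up in the -dev subpackage.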
@@ -82,12 +85,6 @@ npm() {
 mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
 }
 
-md5sums="a2a820b797fb69ffb259b479c7f5df32 node-v6.9.5.tar.gz
-14ce8e0fb44d5bf75974026900e0d8c2 use-system-ca-certs.patch
-5d99a53ef07e15fe882d449ed995bd91 dont-run-gyp-files-for-bundled-deps.patch"
-sha256sums="f7e9ab702c5d1f5a3521199c04cc670fda3cf4b0e48548b09ac7ac874ccb504a node-v6.9.5.tar.gz
-fcd2becd2cb9a62537ae11f51f448fd1061aaae17835bb0f2d2aa71bdf9652c0 use-system-ca-certs.patch
-c20a62b9dd64591b91a0c1dae649ac04cf7aec402672b349f8daa04f2a08a77b dont-run-gyp-files-for-bundled-deps.patch"
-sha512sums="59e544909742d2b3e88b11bbdad6bf713b55e82f32f993b17b7eff83cd1cbac3c10fb2445304245d44ce1c2c219f439acd51f872ecb285535d8ae471bf4c8410 node-v6.9.5.tar.gz
-c540878495761f4c38f3cccd61da75fa5619637ba9887b7946964a7cef790178e26678fe0aabe400e32c8f0f65e97a519ceee1534bbf18a1a14bc6e9fe067637 use-system-ca-certs.patch
+sha512sums="79d3d0854dea1a733175eaa9c5ba0d697d0c57cbcaf2920457eca2d77cc5edadcff8b9eef047156183d05b933582af1b7ef0e64071a9be1c79903af3e7437a92 node-v6.10.0.tar.gz
+316a09f697e244c48d4dcf26ca2bb7e2441fc01ed61ad6b987e24741f93cfcf29f2e6de736ab9e4c014355cd14dd63ae7de1f8c28b5274e3225b1b3412db11d4 use-system-ca-certs.patch
 a8be538158b7c96341a407acba30450ddc5c3ad764e7efe728d1ceff64efc3067b177855b9ef91b54400be6a02600d83da4c21a07ae9d7dc0774f92b2006ea8b dont-run-gyp-files-for-bundled-deps.patch"
diff --git a/main/nodejs/use-system-ca-certs.patch b/main/nodejs/use-system-ca-certs.patch
index 014b1cedf1..7bcde3bbdd 100644
--- a/main/nodejs/use-system-ca-certs.patch
+++ b/main/nodejs/use-system-ca-certs.patch
@@ -1,75 +1,86 @@ -From: Jakub Jirutka -Date: Sat, 26 Nov 2016 01:32:00 +0200 -Subject: Use system-provided CA certificates instead of bundled ones +From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001 +From: Adam Majer +Date: Wed, 21 Dec 2016 11:16:38 +0100 +Subject: [PATCH] crypto: Use system CAs instead of using bundled ones -Forwarded: need some feedback before submitting the matter upstream -Author: Jérémy Lal -Last-Update: 2014-03-02 +NodeJS can already use an external, shared OpenSSL library. This +library knows where to look for OS managed certificates. Allow +a compile-time option to use this CA store by default instead of +using bundled certificates. -Modified 2014-05-02 by T.C. Hollingsworth with the -correct path for Fedora +In case when using bundled OpenSSL, the paths are also valid for +majority of Linux systems without additional intervention. If +this is not set, we can use SSL_CERT_DIR to point it to correct +location. -Modified 2015-12-01 by Stephen Gallagher to update for -Node.js 4.2 +Fixes: https://github.com/nodejs/node/issues/3159 +PR-URL: https://github.com/nodejs/node/pull/8334 +Reviewed-By: Sam Roberts +Reviewed-By: James M Snell +Reviewed-By: Fedor Indutny -Modified 2016-03-04 by Stephen Gallagher to update for -Node.js 5.4.1 +Source: http://pkgs.fedoraproject.org/cgit/rpms/nodejs.git/tree/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch +--- + configure | 7 +++++++ + src/node_crypto.cc | 4 ++++ + 2 files changed, 11 insertions(+) -Modified 2016-07-26 by Haikel Guemar to update for -Node.js 4.4.7 - -Modified 2016-11-26 by Jakub Jirutka for Alpine Linux - ---- a/src/node_crypto.cc -+++ b/src/node_crypto.cc -@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name = - - static Mutex* mutexes; +diff --git a/configure b/configure +index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755 +--- a/configure ++++ b/configure +@@ -142,10 +142,15 @@ 
parser.add_option("--openssl-no-asm", + parser.add_option('--openssl-fips', + action='store', + dest='openssl_fips', + help='Build OpenSSL using FIPS canister .o file in supplied folder') --const char* const root_certs[] = { --#include "node_root_certs.h" // NOLINT(build/include_order) -+const char* root_certs[] = { -+ NULL - }; ++parser.add_option('--openssl-use-def-ca-store', ++ action='store_true', ++ dest='use_openssl_ca_store', ++ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.') ++ + shared_optgroup.add_option('--shared-http-parser', + action='store_true', + dest='shared_http_parser', + help='link to a shared http_parser DLL instead of static linking') - X509_STORE* root_cert_store; -@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { - CHECK_EQ(sc->ca_store_, nullptr); +@@ -937,10 +942,12 @@ def configure_v8(o): - if (!root_cert_store) { -- root_cert_store = X509_STORE_new(); -- -- for (size_t i = 0; i < arraysize(root_certs); i++) { -- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); -- if (bp == nullptr) { -- return; -- } -- -- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); -- if (x509 == nullptr) { -- BIO_free_all(bp); -- return; -- } -- -- X509_STORE_add_cert(root_cert_store, x509); -- -- BIO_free_all(bp); -- X509_free(x509); -+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) { -+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); -+ } else { -+ // empty store -+ root_cert_store = X509_STORE_new(); + def configure_openssl(o): + o['variables']['node_use_openssl'] = b(not options.without_ssl) + o['variables']['node_shared_openssl'] = b(options.shared_openssl) + o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 ++ if options.use_openssl_ca_store: ++ o['defines'] += ['NODE_OPENSSL_CERT_STORE'] + if options.openssl_fips: + o['variables']['openssl_fips'] = options.openssl_fips + 
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips') + fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld')) + o['make_fips_settings'] = [ +diff --git a/src/node_crypto.cc b/src/node_crypto.cc +index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644 +--- a/src/node_crypto.cc ++++ b/src/node_crypto.cc +@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() { + root_certs_vector->push_back(x509); } -+ } else { -+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); } - sc->ca_store_ = root_cert_store; -- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); + X509_STORE* store = X509_STORE_new(); ++#if defined(NODE_OPENSSL_CERT_STORE) ++ X509_STORE_set_default_paths(store); ++#else + for (auto& cert : *root_certs_vector) { + X509_up_ref(cert); + X509_STORE_add_cert(store, cert); + } ++#endif + + return store; } -- -2.9.0 +2.12.0 -- cgit v1.2.3
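Review bot: In the `NODE_OPENSSL_CERT_STORE` branch that the new patch adds to NewRootCertStore(), the return value of `X509_STORE_set_default_paths(store)` is dropped, so if OpenSSL cannot register its default lookups the function hands back an empty store as though it were populated. That fails closed, but nothing tells the operator why every TLS verification is rejected; I would check the result (`if (X509_STORE_set_default_paths(store) != 1)` plus whatever error path the callers, which are outside this hunk, can take) or at least comment that an empty store is the accepted fallback. The trust anchors now come from OpenSSL's compiled-in directory and, as the patch description itself says, from `SSL_CERT_DIR`, so the process environment selects the roots; that deserves a line in the package notes, and the package should depend on a CA bundle (the depends line is not in this diff). The context lines above the `#if` also suggest the bundled certificates are still parsed into `root_certs_vector` even when they are never added to the store, though the start of the function is outside the hunk.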