author | Chen, Chih-Chia <pigfoot@gmail.com> | 2017-03-23 17:36:54 +0800 |
---|---|---|
committer | Chen, Chih-Chia <pigfoot@gmail.com> | 2017-03-23 17:36:54 +0800 |
commit | 18a9a3549834e2018d9f2faa720ca9568d415cfe (patch) | |
tree | 50470971ee8e488d5f4edd1eef05501998f975fd | |
parent | [net-libs/nodejs] Version bump to 6.9.4 (diff) | |
[net-libs/nodejs] Version bump to 7.7.3
-rw-r--r-- | net-libs/nodejs/Manifest | 1 | ||||
-rw-r--r-- | net-libs/nodejs/files/nodejs-7.7.3-libressl.patch | 837 | ||||
-rw-r--r-- | net-libs/nodejs/files/rollback.sh | 32 | ||||
-rw-r--r-- | net-libs/nodejs/nodejs-6.9.4.ebuild | 2 | ||||
-rw-r--r-- | net-libs/nodejs/nodejs-7.7.3.ebuild | 205 |
5 files changed, 1076 insertions, 1 deletions
diff --git a/net-libs/nodejs/Manifest b/net-libs/nodejs/Manifest
index 5bf175e..3c7b285 100644
--- a/net-libs/nodejs/Manifest
+++ b/net-libs/nodejs/Manifest
@@ -1,2 +1,3 @@
 DIST node-v5.9.1.tar.xz 13226192 SHA256 668067077dfceb3d2039d0df693fec6aa20b920d01a42b53dc61d4aa91e0ae55 SHA512 34774d88eda775bdf153a76bd02b26c499e4a9ef47d8e94ad7b66d360d04891b45ce8f211833ca69e8c0a786ca36424b0c620a90b1fbc6d5afc77d20f4b5fadb WHIRLPOOL d666aa6fd4d577f7a6f89c3bfa75e62a0281e0dd7592373f384bfe01fa2dcbf81156bf6a21fc2097d48d5024a39057713c2593f4609c70ff8f84090471b073a9
 DIST node-v6.9.4.tar.xz 15519264 SHA256 c51d7c61db40455d57428abcadc7eb0f0a08a8878cb1d8ea3c1e211c54532c35 SHA512 86d3e2889031c2b50c021bd3fd63194c2c22c44291d51dff1b5e1652b01853c09d2880c2f58fdad062e3e2a3f637a3f0d78dac66b835b676790cf272e64f8dce WHIRLPOOL d1bcf488ed1aae7959303b988c9467fc5d0930166c7bfe0e441392763e19f788496971c07560a9f62586bbb2be7ce741ece8346140d665d29593b9b8f649b002
+DIST node-v7.7.3.tar.xz 16681592 SHA256 5441daf11f743b5508ddf31a16b4f268835fbceb59ef709b44e85b03fece0edf SHA512 9698510990e444f664c844c3d2ffac2cc8094abfe123e49f656193d5ef75ee10716adfa69da8e689b8deb18a33381ca8e37042dfbd602a7923971c5c1c86b331 WHIRLPOOL c181a8416126621a5accfc962af072888be235a84314d7c0143414e92dace2ebb93b35713e45884eac1c7addaf24158e3ecd7cac850401bad75165e9b964f745
diff --git a/net-libs/nodejs/files/nodejs-7.7.3-libressl.patch b/net-libs/nodejs/files/nodejs-7.7.3-libressl.patch
new file mode 100644
index 0000000..ad99c96
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-7.7.3-libressl.patch
@@ -0,0 +1,837 @@ +diff --git a/lib/_tls_wrap.js.BAK b/lib/_tls_wrap.js +index e01c143..0437c21 100644 +--- a/lib/_tls_wrap.js.BAK ++++ b/lib/_tls_wrap.js +@@ -155,27 +155,33 @@ function onclienthello(hello) { + if (err) + return self.destroy(err); + +- self._handle.endParser(); +- }); +-} +- +- +-function oncertcb(info) { +- var self = this; +- var servername = info.servername; +- +- loadSNI(self, servername, function(err, ctx) { +- if (err) +- return self.destroy(err); +- requestOCSP(self, info, ctx, function(err) { ++ // Servername came from SSL session ++ // NOTE: TLS Session ticket doesn't include servername information ++ // ++ // Another note, From RFC3546: ++ // ++ // If, on the other hand, the older ++ // session is resumed, then the server MUST ignore extensions appearing ++ // in the client hello, and send a server hello containing no ++ // extensions; in this case the extension functionality negotiated ++ // during the original session initiation is applied to the resumed ++ // session. 
++ // ++ // Therefore we should account session loading when dealing with servername ++ var servername = session && session.servername || hello.servername; ++ loadSNI(self, servername, function(err, ctx) { + if (err) + return self.destroy(err); + +- if (!self._handle) +- return self.destroy(new Error('Socket is closed')); +- + try { +- self._handle.certCbDone(); ++ requestOCSP(self, hello, ctx, function(err) { ++ if (err) ++ return self.destroy(err); ++ ++ if (!self._handle) ++ return self.destroy(new Error('Socket is closed')); ++ self._handle.endParser() ++ }); + } catch (e) { + self.destroy(e); + } +@@ -418,18 +424,15 @@ TLSSocket.prototype._init = function(socket, wrap) { + ssl.onhandshakestart = () => onhandshakestart.call(this); + ssl.onhandshakedone = () => onhandshakedone.call(this); + ssl.onclienthello = (hello) => onclienthello.call(this, hello); +- ssl.oncertcb = (info) => oncertcb.call(this, info); + ssl.onnewsession = (key, session) => onnewsession.call(this, key, session); + ssl.lastHandshakeTime = 0; + ssl.handshakes = 0; + +- if (this.server) { +- if (this.server.listenerCount('resumeSession') > 0 || +- this.server.listenerCount('newSession') > 0) { +- ssl.enableSessionCallbacks(); +- } +- if (this.server.listenerCount('OCSPRequest') > 0) +- ssl.enableCertCb(); ++ if (this.server && ++ (this.server.listenerCount('resumeSession') > 0 || ++ this.server.listenerCount('newSession') > 0 || ++ this.server.listenerCount('OCSPRequest') > 0)) { ++ ssl.enableSessionCallbacks(); + } + } else { + ssl.onhandshakestart = function() {}; +@@ -473,7 +476,7 @@ TLSSocket.prototype._init = function(socket, wrap) { + options.server._contexts.length)) { + assert(typeof options.SNICallback === 'function'); + this._SNICallback = options.SNICallback; +- ssl.enableCertCb(); ++ ssl.enableHelloParser(); + } + + if (process.features.tls_npn && options.NPNProtocols) +@@ -667,13 +670,6 @@ TLSSocket.prototype.getCipher = function(err) { + } + }; + 
+-TLSSocket.prototype.getEphemeralKeyInfo = function() { +- if (this._handle) +- return this._handle.getEphemeralKeyInfo(); +- +- return null; +-}; +- + TLSSocket.prototype.getProtocol = function() { + if (this._handle) + return this._handle.getProtocol(); +@@ -1070,17 +1066,6 @@ exports.connect = function(/* [port, host], options, cb */) { + socket._start(); + + socket.on('secure', function() { +- // Check the size of DHE parameter above minimum requirement +- // specified in options. +- var ekeyinfo = socket.getEphemeralKeyInfo(); +- if (ekeyinfo.type === 'DH' && ekeyinfo.size < options.minDHSize) { +- var err = new Error('DH parameter size ' + ekeyinfo.size + +- ' is less than ' + options.minDHSize); +- socket.emit('error', err); +- socket.destroy(); +- return; +- } +- + var verifyError = socket._handle.verifyError(); + + // Verify that server's identity matches it's certificate's names +diff --git a/src/env.h.BAK b/src/env.h +index cf881a4..6a4f521 100644 +--- a/src/env.h.BAK ++++ b/src/env.h +@@ -71,7 +71,6 @@ namespace node { + V(cached_data_rejected_string, "cachedDataRejected") \ + V(callback_string, "callback") \ + V(change_string, "change") \ +- V(oncertcb_string, "oncertcb") \ + V(onclose_string, "_onclose") \ + V(code_string, "code") \ + V(configurable_string, "configurable") \ +diff --git a/src/node_crypto.cc.BAK b/src/node_crypto.cc +index b83794a..227d4b1 100644 +--- a/src/node_crypto.cc.BAK ++++ b/src/node_crypto.cc +@@ -167,8 +167,6 @@ template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg); + #endif + + template void SSLWrap<TLSWrap>::DestroySSL(); +-template int SSLWrap<TLSWrap>::SSLCertCallback(SSL* s, void* arg); +-template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg); + + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + template int SSLWrap<TLSWrap>::SelectALPNCallback( +@@ -523,8 +521,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, + for (int i = 0; i < sk_X509_num(extra_certs); i++) { + X509* ca = 
sk_X509_value(extra_certs, i); + +- // NOTE: Increments reference count on `ca` +- r = SSL_CTX_add1_chain_cert(ctx, ca); ++ r = SSL_CTX_add_extra_chain_cert(ctx, ca); + + if (!r) { + ret = 0; +@@ -680,20 +677,26 @@ void SecureContext::SetCert(const FunctionCallbackInfo<Value>& args) { + } + + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)) || defined(LIBRESSL_VERSION_NUMBER) + // This section contains OpenSSL 1.1.0 functions reimplemented for OpenSSL + // 1.0.2 so that the following code can be written without lots of #if lines. ++// Meanwhile libressl only implemented X509_up_ref but not X509_STORE_up_ref. + ++#if defined(LIBRESSL_VERSION_NUMBER) + static int X509_STORE_up_ref(X509_STORE* store) { + CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE); + return 1; + } ++#endif // LIBRESSL_VERSION_NUMBER + ++#if !defined(LIBRESSL_VERSION_NUMBER) + static int X509_up_ref(X509* cert) { + CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); + return 1; + } +-#endif // OPENSSL_VERSION_NUMBER < 0x10100000L && !OPENSSL_IS_BORINGSSL ++#endif // !defined(LIBRESSL_VERSION_NUMBER) ++ ++#endif // (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)) || defined(LIBRESSL_VERSION_NUMBER) + + + static X509_STORE* NewRootCertStore() { +@@ -1153,7 +1156,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) { + + + void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER) + // |freelist_max_len| was removed in OpenSSL 1.1.0. In that version OpenSSL + // mallocs and frees buffers directly, without the use of a freelist. 
+ SecureContext* wrap; +@@ -1300,14 +1303,12 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) { + env->SetProtoMethod(t, "verifyError", VerifyError); + env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher); + env->SetProtoMethod(t, "endParser", EndParser); +- env->SetProtoMethod(t, "certCbDone", CertCbDone); + env->SetProtoMethod(t, "renegotiate", Renegotiate); + env->SetProtoMethod(t, "shutdownSSL", Shutdown); + env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket); + env->SetProtoMethod(t, "newSessionDone", NewSessionDone); + env->SetProtoMethod(t, "setOCSPResponse", SetOCSPResponse); + env->SetProtoMethod(t, "requestOCSP", RequestOCSP); +- env->SetProtoMethod(t, "getEphemeralKeyInfo", GetEphemeralKeyInfo); + env->SetProtoMethod(t, "getProtocol", GetProtocol); + + #ifdef SSL_set_max_send_fragment +@@ -1927,51 +1928,6 @@ void SSLWrap<Base>::RequestOCSP( + } + + +-template <class Base> +-void SSLWrap<Base>::GetEphemeralKeyInfo( +- const v8::FunctionCallbackInfo<v8::Value>& args) { +- Base* w; +- ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder()); +- Environment* env = Environment::GetCurrent(args); +- +- CHECK_NE(w->ssl_, nullptr); +- +- // tmp key is available on only client +- if (w->is_server()) +- return args.GetReturnValue().SetNull(); +- +- Local<Object> info = Object::New(env->isolate()); +- +- EVP_PKEY* key; +- +- if (SSL_get_server_tmp_key(w->ssl_, &key)) { +- switch (EVP_PKEY_id(key)) { +- case EVP_PKEY_DH: +- info->Set(env->type_string(), +- FIXED_ONE_BYTE_STRING(env->isolate(), "DH")); +- info->Set(env->size_string(), +- Integer::New(env->isolate(), EVP_PKEY_bits(key))); +- break; +- case EVP_PKEY_EC: +- { +- EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key); +- int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); +- EC_KEY_free(ec); +- info->Set(env->type_string(), +- FIXED_ONE_BYTE_STRING(env->isolate(), "ECDH")); +- info->Set(env->name_string(), +- OneByteString(args.GetIsolate(), OBJ_nid2sn(nid))); +- 
info->Set(env->size_string(), +- Integer::New(env->isolate(), EVP_PKEY_bits(key))); +- } +- } +- EVP_PKEY_free(key); +- } +- +- return args.GetReturnValue().Set(info); +-} +- +- + #ifdef SSL_set_max_send_fragment + template <class Base> + void SSLWrap<Base>::SetMaxSendFragment( +@@ -2374,126 +2330,6 @@ int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) { + + + template <class Base> +-void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) { +- cert_cb_ = cb; +- cert_cb_arg_ = arg; +-} +- +- +-template <class Base> +-int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) { +- Base* w = static_cast<Base*>(SSL_get_app_data(s)); +- +- if (!w->is_server()) +- return 1; +- +- if (!w->is_waiting_cert_cb()) +- return 1; +- +- if (w->cert_cb_running_) +- return -1; +- +- Environment* env = w->env(); +- HandleScope handle_scope(env->isolate()); +- Context::Scope context_scope(env->context()); +- w->cert_cb_running_ = true; +- +- Local<Object> info = Object::New(env->isolate()); +- +- const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); +- if (servername == nullptr) { +- info->Set(env->servername_string(), String::Empty(env->isolate())); +- } else { +- Local<String> str = OneByteString(env->isolate(), servername, +- strlen(servername)); +- info->Set(env->servername_string(), str); +- } +- +- bool ocsp = false; +-#ifdef NODE__HAVE_TLSEXT_STATUS_CB +- ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp; +-#endif +- +- info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp)); +- +- Local<Value> argv[] = { info }; +- w->MakeCallback(env->oncertcb_string(), arraysize(argv), argv); +- +- if (!w->cert_cb_running_) +- return 1; +- +- // Performing async action, wait... 
+- return -1; +-} +- +- +-template <class Base> +-void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) { +- Base* w; +- ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder()); +- Environment* env = w->env(); +- +- CHECK(w->is_waiting_cert_cb() && w->cert_cb_running_); +- +- Local<Object> object = w->object(); +- Local<Value> ctx = object->Get(env->sni_context_string()); +- Local<FunctionTemplate> cons = env->secure_context_constructor_template(); +- +- // Not an object, probably undefined or null +- if (!ctx->IsObject()) +- goto fire_cb; +- +- if (cons->HasInstance(ctx)) { +- SecureContext* sc; +- ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>()); +- w->sni_context_.Reset(); +- w->sni_context_.Reset(env->isolate(), ctx); +- +- int rv; +- +- // NOTE: reference count is not increased by this API methods +- X509* x509 = SSL_CTX_get0_certificate(sc->ctx_); +- EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_); +- STACK_OF(X509)* chain; +- +- rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain); +- if (rv) +- rv = SSL_use_certificate(w->ssl_, x509); +- if (rv) +- rv = SSL_use_PrivateKey(w->ssl_, pkey); +- if (rv && chain != nullptr) +- rv = SSL_set1_chain(w->ssl_, chain); +- if (rv) +- rv = w->SetCACerts(sc); +- if (!rv) { +- unsigned long err = ERR_get_error(); // NOLINT(runtime/int) +- if (!err) +- return env->ThrowError("CertCbDone"); +- return ThrowCryptoError(env, err); +- } +- } else { +- // Failure: incorrect SNI context object +- Local<Value> err = Exception::TypeError(env->sni_context_err_string()); +- w->MakeCallback(env->onerror_string(), 1, &err); +- return; +- } +- +- fire_cb: +- CertCb cb; +- void* arg; +- +- cb = w->cert_cb_; +- arg = w->cert_cb_arg_; +- +- w->cert_cb_running_ = false; +- w->cert_cb_ = nullptr; +- w->cert_cb_arg_ = nullptr; +- +- cb(arg); +-} +- +- +-template <class Base> + void SSLWrap<Base>::SSLGetter(Local<String> property, + const PropertyCallbackInfo<Value>& info) { + Base* base; +@@ -2526,10 +2362,6 @@ void 
SSLWrap<Base>::SetSNIContext(SecureContext* sc) { + + template <class Base> + int SSLWrap<Base>::SetCACerts(SecureContext* sc) { +- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_)); +- if (err != 1) +- return err; +- + STACK_OF(X509_NAME)* list = SSL_dup_CA_list( + SSL_CTX_get_client_CA_list(sc->ctx_)); + +@@ -2623,10 +2455,6 @@ int Connection::HandleSSLError(const char* func, + DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func); + return 0; + +- } else if (err == SSL_ERROR_WANT_X509_LOOKUP) { +- DEBUG_PRINT("[%p] SSL: %s want x509 lookup\n", ssl_, func); +- return 0; +- + } else if (err == SSL_ERROR_ZERO_RETURN) { + HandleScope scope(ssl_env()->isolate()); + +@@ -2841,7 +2669,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { + SSL* ssl = static_cast<SSL*>( + X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); + +- if (SSL_is_server(ssl)) ++ if (ssl->server) + return 1; + + // Client needs to check if the server cert is listed in the +@@ -2868,7 +2696,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { + + // Call the SNI callback and use its return value as context + if (!conn->sniObject_.IsEmpty()) { +- conn->sni_context_.Reset(); ++ conn->sniContext_.Reset(); + + Local<Object> sni_obj = PersistentToLocal(env->isolate(), + conn->sniObject_); +@@ -2884,7 +2712,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { + Local<FunctionTemplate> secure_context_constructor_template = + env->secure_context_constructor_template(); + if (secure_context_constructor_template->HasInstance(ret)) { +- conn->sni_context_.Reset(env->isolate(), ret); ++ conn->sniContext_.Reset(env->isolate(), ret); + SecureContext* sc; + ASSIGN_OR_RETURN_UNWRAP(&sc, ret.As<Object>(), SSL_TLSEXT_ERR_NOACK); + conn->SetSNIContext(sc); +@@ -2924,8 +2752,6 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) { + + InitNPN(sc); + +- SSL_set_cert_cb(conn->ssl_, 
SSLWrap<Connection>::SSLCertCallback, conn); +- + #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + if (is_server) { + SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_); +@@ -5975,11 +5801,15 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) { + #endif // !OPENSSL_NO_ENGINE + + void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) { ++#ifdef NODE_FIPS_MODE + if (FIPS_mode()) { + args.GetReturnValue().Set(1); + } else { + args.GetReturnValue().Set(0); + } ++#else ++ args.GetReturnValue().Set(0); ++#endif + } + + void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) { +diff --git a/src/node_crypto.h.BAK b/src/node_crypto.h +index 24ac773..caafeff 100644 +--- a/src/node_crypto.h.BAK ++++ b/src/node_crypto.h +@@ -171,10 +171,7 @@ class SSLWrap { + kind_(kind), + next_sess_(nullptr), + session_callbacks_(false), +- new_session_wait_(false), +- cert_cb_(nullptr), +- cert_cb_arg_(nullptr), +- cert_cb_running_(false) { ++ new_session_wait_(false) { + ssl_ = SSL_new(sc->ctx_); + env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize); + CHECK_NE(ssl_, nullptr); +@@ -187,10 +184,6 @@ class SSLWrap { + next_sess_ = nullptr; + } + +-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB +- sni_context_.Reset(); +-#endif +- + #ifdef NODE__HAVE_TLSEXT_STATUS_CB + ocsp_response_.Reset(); + #endif // NODE__HAVE_TLSEXT_STATUS_CB +@@ -201,11 +194,8 @@ class SSLWrap { + inline bool is_server() const { return kind_ == kServer; } + inline bool is_client() const { return kind_ == kClient; } + inline bool is_waiting_new_session() const { return new_session_wait_; } +- inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; } + + protected: +- typedef void (*CertCb)(void* arg); +- + // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and + // some for buffers. 
+ // NOTE: Actually it is much more than this +@@ -233,15 +223,12 @@ class SSLWrap { + static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args); + static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args); + static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args); +- static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args); + static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args); + static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args); + static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args); + static void NewSessionDone(const v8::FunctionCallbackInfo<v8::Value>& args); + static void SetOCSPResponse(const v8::FunctionCallbackInfo<v8::Value>& args); + static void RequestOCSP(const v8::FunctionCallbackInfo<v8::Value>& args); +- static void GetEphemeralKeyInfo( +- const v8::FunctionCallbackInfo<v8::Value>& args); + static void GetProtocol(const v8::FunctionCallbackInfo<v8::Value>& args); + + #ifdef SSL_set_max_send_fragment +@@ -275,12 +262,10 @@ class SSLWrap { + unsigned int inlen, + void* arg); + static int TLSExtStatusCallback(SSL* s, void* arg); +- static int SSLCertCallback(SSL* s, void* arg); + static void SSLGetter(v8::Local<v8::String> property, + const v8::PropertyCallbackInfo<v8::Value>& info); + + void DestroySSL(); +- void WaitForCertCb(CertCb cb, void* arg); + void SetSNIContext(SecureContext* sc); + int SetCACerts(SecureContext* sc); + +@@ -295,21 +280,12 @@ class SSLWrap { + bool session_callbacks_; + bool new_session_wait_; + +- // SSL_set_cert_cb +- CertCb cert_cb_; +- void* cert_cb_arg_; +- bool cert_cb_running_; +- + ClientHelloParser hello_parser_; + + #ifdef NODE__HAVE_TLSEXT_STATUS_CB + v8::Persistent<v8::Object> ocsp_response_; + #endif // NODE__HAVE_TLSEXT_STATUS_CB + +-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB +- v8::Persistent<v8::Value> sni_context_; +-#endif +- + friend class SecureContext; + }; + +@@ -321,6 +297,7 @@ 
class Connection : public AsyncWrap, public SSLWrap<Connection> { + ~Connection() override { + #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + sniObject_.Reset(); ++ sniContext_.Reset(); + servername_.Reset(); + #endif + } +@@ -335,6 +312,7 @@ class Connection : public AsyncWrap, public SSLWrap<Connection> { + + #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + v8::Persistent<v8::Object> sniObject_; ++ v8::Persistent<v8::Value> sniContext_; + v8::Persistent<v8::String> servername_; + #endif + +diff --git a/src/tls_wrap.cc.BAK b/src/tls_wrap.cc +index d1b1aec..11fc404 100644 +--- a/src/tls_wrap.cc.BAK ++++ b/src/tls_wrap.cc +@@ -142,8 +142,6 @@ void TLSWrap::InitSSL() { + + InitNPN(sc_); + +- SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this); +- + if (is_server()) { + SSL_set_accept_state(ssl_); + } else if (is_client()) { +@@ -357,7 +355,6 @@ Local<Value> TLSWrap::GetSSLError(int status, int* err, const char** msg) { + case SSL_ERROR_NONE: + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: +- case SSL_ERROR_WANT_X509_LOOKUP: + break; + case SSL_ERROR_ZERO_RETURN: + return scope.Escape(env()->zero_return_string()); +@@ -774,6 +771,11 @@ void TLSWrap::EnableSessionCallbacks( + "EnableSessionCallbacks after destroySSL"); + } + wrap->enable_session_callbacks(); ++ EnableHelloParser(args); ++} ++ ++void TLSWrap::EnableHelloParser(const FunctionCallbackInfo<Value>& args) { ++ TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder()); + NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength); + wrap->hello_parser_.Start(SSLWrap<TLSWrap>::OnClientHello, + OnClientHelloParseEnd, +@@ -799,13 +801,6 @@ void TLSWrap::DestroySSL(const FunctionCallbackInfo<Value>& args) { + } + + +-void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) { +- TLSWrap* wrap; +- ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder()); +- wrap->WaitForCertCb(OnClientHelloParseEnd, wrap); +-} +- +- + void TLSWrap::OnClientHelloParseEnd(void* arg) { + TLSWrap* c = static_cast<TLSWrap*>(arg); + 
c->Cycle(); +@@ -909,8 +904,8 @@ void TLSWrap::Initialize(Local<Object> target, + env->SetProtoMethod(t, "start", Start); + env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode); + env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks); ++ env->SetProtoMethod(t, "enableHelloParser", EnableHelloParser); + env->SetProtoMethod(t, "destroySSL", DestroySSL); +- env->SetProtoMethod(t, "enableCertCb", EnableCertCb); + + StreamBase::AddMethods<TLSWrap>(env, t, StreamBase::kFlagHasWritev); + SSLWrap<TLSWrap>::AddMethods(env, t); +diff --git a/src/tls_wrap.h.BAK b/src/tls_wrap.h +index f390c9f..6995eb6 100644 +--- a/src/tls_wrap.h.BAK ++++ b/src/tls_wrap.h +@@ -134,7 +134,7 @@ class TLSWrap : public AsyncWrap, + static void SetVerifyMode(const v8::FunctionCallbackInfo<v8::Value>& args); + static void EnableSessionCallbacks( + const v8::FunctionCallbackInfo<v8::Value>& args); +- static void EnableCertCb( ++ static void EnableHelloParser( + const v8::FunctionCallbackInfo<v8::Value>& args); + static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args); + +@@ -162,6 +162,10 @@ class TLSWrap : public AsyncWrap, + // If true - delivered EOF to the js-land, either after `close_notify`, or + // after the `UV_EOF` on socket. 
+ bool eof_; ++ ++#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB ++ v8::Persistent<v8::Value> sni_context_; ++#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + }; + + } // namespace node +diff --git a/test/parallel/test-tls-client-getephemeralkeyinfo.js.BAK b/test/parallel/test-tls-client-getephemeralkeyinfo.js +index 7d68046..e69de29 100644 +--- a/test/parallel/test-tls-client-getephemeralkeyinfo.js.BAK ++++ b/test/parallel/test-tls-client-getephemeralkeyinfo.js +@@ -1,98 +0,0 @@ +-'use strict'; +-const common = require('../common'); +-const assert = require('assert'); +- +-if (!common.hasCrypto) { +- common.skip('missing crypto'); +- process.exit(); +-} +-const tls = require('tls'); +- +-const fs = require('fs'); +-const key = fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'); +-const cert = fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'); +- +-let ntests = 0; +-let nsuccess = 0; +- +-function loadDHParam(n) { +- let path = common.fixturesDir; +- if (n !== 'error') path += '/keys'; +- return fs.readFileSync(path + '/dh' + n + '.pem'); +-} +- +-const cipherlist = { +- 'NOT_PFS': 'AES128-SHA256', +- 'DH': 'DHE-RSA-AES128-GCM-SHA256', +- 'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256' +-}; +- +-function test(size, type, name, next) { +- const cipher = type ? 
cipherlist[type] : cipherlist['NOT_PFS']; +- +- if (name) tls.DEFAULT_ECDH_CURVE = name; +- +- const options = { +- key: key, +- cert: cert, +- ciphers: cipher +- }; +- +- if (type === 'DH') options.dhparam = loadDHParam(size); +- +- const server = tls.createServer(options, function(conn) { +- assert.strictEqual(conn.getEphemeralKeyInfo(), null); +- conn.end(); +- }); +- +- server.on('close', common.mustCall(function(err) { +- assert.ifError(err); +- if (next) next(); +- })); +- +- server.listen(0, '127.0.0.1', common.mustCall(function() { +- const client = tls.connect({ +- port: this.address().port, +- rejectUnauthorized: false +- }, function() { +- const ekeyinfo = client.getEphemeralKeyInfo(); +- assert.strictEqual(ekeyinfo.type, type); +- assert.strictEqual(ekeyinfo.size, size); +- assert.strictEqual(ekeyinfo.name, name); +- nsuccess++; +- server.close(); +- }); +- })); +-} +- +-function testNOT_PFS() { +- test(undefined, undefined, undefined, testDHE1024); +- ntests++; +-} +- +-function testDHE1024() { +- test(1024, 'DH', undefined, testDHE2048); +- ntests++; +-} +- +-function testDHE2048() { +- test(2048, 'DH', undefined, testECDHE256); +- ntests++; +-} +- +-function testECDHE256() { +- test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512); +- ntests++; +-} +- +-function testECDHE512() { +- test(521, 'ECDH', 'secp521r1', null); +- ntests++; +-} +- +-testNOT_PFS(); +- +-process.on('exit', function() { +- assert.strictEqual(ntests, nsuccess); +- assert.strictEqual(ntests, 5); +-}); +diff --git a/test/parallel/test-tls-cnnic-whitelist.js.BAK b/test/parallel/test-tls-cnnic-whitelist.js +index c2b9c08..a433323 100644 +--- a/test/parallel/test-tls-cnnic-whitelist.js.BAK ++++ b/test/parallel/test-tls-cnnic-whitelist.js +@@ -52,7 +52,9 @@ const testCases = [ + port: undefined, + rejectUnauthorized: true + }, +- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' ++ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY. 
++ errorCode: 'CERT_UNTRUSTED' ++ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' + } + ]; + +diff --git a/test/parallel/test-tls-sni-server-client.js.BAK b/test/parallel/test-tls-sni-server-client.js +index e743078..47006d4 100644 +--- a/test/parallel/test-tls-sni-server-client.js.BAK ++++ b/test/parallel/test-tls-sni-server-client.js +@@ -36,39 +36,37 @@ const SNIContexts = { + 'asterisk.test.com': { + key: loadPEM('agent3-key'), + cert: loadPEM('agent3-cert') +- }, +- 'chain.example.com': { +- key: loadPEM('agent6-key'), +- // NOTE: Contains ca3 chain cert +- cert: loadPEM('agent6-cert') + } + }; + + const clientsOptions = [{ + port: undefined, ++ key: loadPEM('agent1-key'), ++ cert: loadPEM('agent1-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'a.example.com', + rejectUnauthorized: false + }, { + port: undefined, ++ key: loadPEM('agent2-key'), ++ cert: loadPEM('agent2-cert'), + ca: [loadPEM('ca2-cert')], + servername: 'b.test.com', + rejectUnauthorized: false + }, { + port: undefined, ++ key: loadPEM('agent2-key'), ++ cert: loadPEM('agent2-cert'), + ca: [loadPEM('ca2-cert')], + servername: 'a.b.test.com', + rejectUnauthorized: false + }, { + port: undefined, ++ key: loadPEM('agent3-key'), ++ cert: loadPEM('agent3-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'c.wrong.com', + rejectUnauthorized: false +-}, { +- port: undefined, +- ca: [loadPEM('ca1-cert')], +- servername: 'chain.example.com', +- rejectUnauthorized: false + }]; + + const serverResults = []; +@@ -80,7 +78,6 @@ const server = tls.createServer(serverOptions, function(c) { + + server.addContext('a.example.com', SNIContexts['a.example.com']); + server.addContext('*.test.com', SNIContexts['asterisk.test.com']); +-server.addContext('chain.example.com', SNIContexts['chain.example.com']); + + server.listen(0, startTest); + +@@ -109,8 +106,7 @@ function startTest() { + + process.on('exit', function() { + assert.deepStrictEqual(serverResults, [ +- 'a.example.com', 'b.test.com', 'a.b.test.com', 
'c.wrong.com',
+- 'chain.example.com'
++ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com'
+ ]);
+- assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
++ assert.deepStrictEqual(clientResults, [true, true, false, false]);
+ });
diff --git a/net-libs/nodejs/files/rollback.sh b/net-libs/nodejs/files/rollback.sh
new file mode 100644
index 0000000..0393198
--- /dev/null
+++ b/net-libs/nodejs/files/rollback.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+R=1
+Array=(
+lib/_tls_wrap.js
+src/env.h
+src/node_crypto.cc
+src/node_crypto.h
+src/tls_wrap.cc
+src/tls_wrap.h
+test/parallel/test-tls-client-getephemeralkeyinfo.js
+test/parallel/test-tls-cnnic-whitelist.js
+test/parallel/test-tls-sni-server-client.js
+)
+
+_SCRIPT=$(readlink -f $0)
+_SCRIPT_PATH=$(dirname $_SCRIPT)
+_NODEJS_DIR=$(basename $PWD)
+_NODEJS_VER=${_NODEJS_DIR##*v}
+
+if [[ -z ${R} ]]; then
+ for i in ${Array[@]}; do
+ echo cp -av ${i} ${i}.BAK
+ cp -av ${i} ${i}.BAK
+ done
+else
+ for i in ${Array[@]}; do
+ echo cp -av ${i}.BAK ${i}
+ cp -av ${i}.BAK ${i}
+ done
+ patch -p1 -g0 -E --no-backup-if-mismatch -f < "${_SCRIPT_PATH}/nodejs-${_NODEJS_VER}-libressl.patch"
+fi
diff --git a/net-libs/nodejs/nodejs-6.9.4.ebuild b/net-libs/nodejs/nodejs-6.9.4.ebuild
index 1d76e03..627fde6 100644
--- a/net-libs/nodejs/nodejs-6.9.4.ebuild
+++ b/net-libs/nodejs/nodejs-6.9.4.ebuild
@@ -49,7 +49,7 @@ src_prepare() {
 export BUILDTYPE=Release
 
 if use libressl; then
- epatch "${FILESDIR}"/${PN}-6.9.4-libressl.patch
+ epatch "${FILESDIR}"/${PN}-{PV}-libressl.patch
 fi
 
 # fix compilation on Darwin
diff --git a/net-libs/nodejs/nodejs-7.7.3.ebuild b/net-libs/nodejs/nodejs-7.7.3.ebuild
new file mode 100644
index 0000000..50b5dd4
--- /dev/null
+++ b/net-libs/nodejs/nodejs-7.7.3.ebuild
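Review bot: The `exports.connect` hunk of the embedded `lib/_tls_wrap.js` patch deletes the `minDHSize` enforcement in the `'secure'` handler along with `TLSSocket.prototype.getEphemeralKeyInfo`, so a client that passes `options.minDHSize` now silently accepts any DHE parameter size instead of emitting an error and destroying the socket; the option is still accepted by `tls.connect`, which hides the regression from callers. If the removal is because LibreSSL lacks the underlying `SSL_get_server_tmp_key`, the narrower change is to keep `getEphemeralKeyInfo` returning `null` when the key is unavailable and make the check fail closed, e.g. `if (ekeyinfo === null || (ekeyinfo.type === 'DH' && ekeyinfo.size < options.minDHSize))`, so an unverifiable DH size is treated as too small rather than skipped. The `SetCACerts` hunk in `src/node_crypto.cc` also drops `SSL_set1_verify_cert_store`, which presumably means the per-SNI context's CA store is no longer applied to the connection; the `CERT_UNTRUSTED` expectation introduced in `test-tls-cnnic-whitelist.js` may be a symptom of that rather than a LibreSSL difference and is worth confirming before the test is changed. The test file `test-tls-client-getephemeralkeyinfo.js` is emptied instead of removed, so the regression has no remaining coverage.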
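Review bot: `_NODEJS_VER=${_NODEJS_DIR##*v}` derives the patch filename from the basename of `$PWD`, so running the script from any directory not named `node-vX.Y.Z` makes `patch -f` read a non-existent file, and because `-f` forces and the script has no `set -e`, the failure is easy to miss; add `[[ -f "${_SCRIPT_PATH}/nodejs-${_NODEJS_VER}-libressl.patch" ]] || exit 1` before the `patch` call, or take the version as an argument. `$0`, `$_SCRIPT`, `$PWD` and `${i}` are unquoted throughout, which breaks on paths containing spaces, and the restore loop copies `${i}.BAK` without checking that the backup exists, so a missing `.BAK` leaves the original file untouched and the patch is then applied on top of an already-patched tree. `R=1` is hard-coded, so the `[[ -z ${R} ]]` backup branch can never run; if backup mode is meant to be selectable, read it from the environment (`R=${R-1}`) or an argument and say so in a header comment.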
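Review bot: `${PN}-{PV}-libressl.patch` is missing the `$` before `{PV}`, so the path expands to the literal `nodejs-{PV}-libressl.patch` and `epatch` will die for 6.9.4 with USE=libressl; the line should read `epatch "${FILESDIR}"/${PN}-${PV}-libressl.patch`. The removed line pointed at `nodejs-6.9.4-libressl.patch`, which this commit does not delete, so the corrected expansion still resolves to an existing file. `src_prepare` continues outside the hunk.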
@@ -0,0 +1,205 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+RESTRICT="test"
+
+PYTHON_COMPAT=( python2_7 )
+PYTHON_REQ_USE="threads"
+
+inherit bash-completion-r1 eutils flag-o-matic pax-utils python-single-r1 toolchain-funcs
+
+DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
+HOMEPAGE="https://nodejs.org/"
+SRC_URI="https://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz"
+
+LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x64-macos"
+IUSE="cpu_flags_x86_sse2 debug doc icu libressl +npm +snapshot +ssl systemtap test"
+
+RDEPEND="icu? ( >=dev-libs/icu-56:= )
+ npm? ( ${PYTHON_DEPS} )
+ >=net-libs/http-parser-2.6.2:=
+ >=dev-libs/libuv-1.11.0:=
+ !libressl? ( >=dev-libs/openssl-1.0.2g:0=[-bindist] )
+ libressl? ( dev-libs/libressl )
+ sys-libs/zlib"
+DEPEND="${RDEPEND}
+ ${PYTHON_DEPS}
+ systemtap? ( dev-util/systemtap )
+ test? ( net-misc/curl )"
+
+S="${WORKDIR}/node-v${PV}"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+PATCHES=(
+ "${FILESDIR}"/gentoo-global-npm-config.patch
+)
+
+pkg_pretend() {
+ (use x86 && ! use cpu_flags_x86_sse2) && \
+ die "Your CPU doesn't support the required SSE2 instruction."
+
+ ( [[ ${MERGE_TYPE} != "binary" ]] && ! test-flag-CXX -std=c++11 ) && \
+ die "Your compiler doesn't support C++11. Use GCC 4.8, Clang 3.3 or newer."
+}
+
+src_prepare() {
+ tc-export CC CXX PKG_CONFIG
+ export V=1
+ export BUILDTYPE=Release
+
+ if use libressl; then
+ epatch "${FILESDIR}"/${PN}-${PV}-libressl.patch
+ fi
+
+ # fix compilation on Darwin
+ # https://code.google.com/p/gyp/issues/detail?id=260
+ sed -i -e "/append('-arch/d" tools/gyp/pylib/gyp/xcode_emulation.py || die
+
+ # make sure we use python2.* while using gyp
+ sed -i -e "s/python/${EPYTHON}/" deps/npm/node_modules/node-gyp/gyp/gyp || die
+ sed -i -e "s/|| 'python'/|| '${EPYTHON}'/" deps/npm/node_modules/node-gyp/lib/configure.js || die
+
+ # less verbose install output (stating the same as portage, basically)
+ sed -i -e "/print/d" tools/install.py || die
+
+ # proper libdir, hat tip @ryanpcmcquen https://github.com/iojs/io.js/issues/504
+ local LIBDIR=$(get_libdir)
+ sed -i -e "s|lib/|${LIBDIR}/|g" tools/install.py || die
+ sed -i -e "s/'lib'/'${LIBDIR}'/" lib/module.js || die
+ sed -i -e "s|\"lib\"|\"${LIBDIR}\"|" deps/npm/lib/npm.js || die
+
+ # Avoid writing a depfile, not useful
+ sed -i -e "/DEPFLAGS =/d" tools/gyp/pylib/gyp/generator/make.py || die
+
+ # Avoid a test that I've only been able to reproduce from emerge. It doesnt
+ # seem sandbox related either (invoking it from a sandbox works fine).
+ # The issue is that no stdin handle is openened when asked for one.
+ # It doesn't really belong upstream , so it'll just be removed until someone
+ # with more gentoo-knowledge than me (jbergstroem) figures it out.
+ rm test/parallel/test-stdout-close-unref.js || die
+
+ # debug builds. change install path, remove optimisations and override buildtype
+ if use debug; then
+ sed -i -e "s|out/Release/|out/Debug/|g" tools/install.py || die
+ BUILDTYPE=Debug
+ fi
+
+ default
+}
+
+src_configure() {
+ local myarch=""
+ local myconf=( --shared-openssl --shared-libuv --shared-http-parser --shared-zlib )
+ use npm || myconf+=( --without-npm )
+ use icu && myconf+=( --with-intl=system-icu )
+ use snapshot && myconf+=( --with-snapshot )
+ use ssl || myconf+=( --without-ssl )
+ use debug && myconf+=( --debug )
+
+ case ${ABI} in
+ amd64) myarch="x64";;
+ arm) myarch="arm";;
+ arm64) myarch="arm64";;
+ ppc64) myarch="ppc64";;
+ x32) myarch="x32";;
+ x86) myarch="ia32";;
+ *) myarch="${ABI}";;
+ esac
+
+ GYP_DEFINES="linux_use_gold_flags=0
+ linux_use_bundled_binutils=0
+ linux_use_bundled_gold=0" \
+ "${PYTHON}" configure \
+ --prefix="${EPREFIX}"/usr \
+ --dest-cpu=${myarch} \
+ $(use_with systemtap dtrace) \
+ "${myconf[@]}" || die
+}
+
+src_compile() {
+ emake -C out mksnapshot
+ pax-mark m "out/${BUILDTYPE}/mksnapshot"
+ emake -C out
+}
+
+src_install() {
+ local LIBDIR="${ED}/usr/$(get_libdir)"
+ emake install DESTDIR="${D}"
+ pax-mark -m "${ED}"usr/bin/node
+
+ # set up a symlink structure that node-gyp expects..
+ dodir /usr/include/node/deps/{v8,uv}
+ dosym . /usr/include/node/src
+ for var in deps/{uv,v8}/include; do
+ dosym ../.. /usr/include/node/${var}
+ done
+
+ if use doc; then
+ # Patch docs to make them offline readable
+ for i in `grep -rl 'fonts.googleapis.com' "${S}"/out/doc/api/*`; do
+ sed -i '/fonts.googleapis.com/ d' $i;
+ done
+ # Install docs!
+ dohtml -r "${S}"/doc/*
+ fi
+
+ if use npm; then
+ dodir /etc/npm
+
+ # Install bash completion for `npm`
+ # We need to temporarily replace default config path since
+ # npm otherwise tries to write outside of the sandbox
+ local npm_config="usr/$(get_libdir)/node_modules/npm/lib/config/core.js"
+ sed -i -e "s|'/etc'|'${ED}/etc'|g" "${ED}/${npm_config}" || die
+ local tmp_npm_completion_file="$(emktemp)"
+ "${ED}/usr/bin/npm" completion > "${tmp_npm_completion_file}"
+ newbashcomp "${tmp_npm_completion_file}" npm
+ sed -i -e "s|'${ED}/etc'|'/etc'|g" "${ED}/${npm_config}" || die
+
+ # Move man pages
+ doman "${LIBDIR}"/node_modules/npm/man/man{1,5,7}/*
+
+ # Clean up
+ rm "${LIBDIR}"/node_modules/npm/{.mailmap,.npmignore,Makefile} || die
+ rm -rf "${LIBDIR}"/node_modules/npm/{doc,html,man} || die
+
+ local find_exp="-or -name"
+ local find_name=()
+ for match in "AUTHORS*" "CHANGELOG*" "CONTRIBUT*" "README*" \
+ ".travis.yml" ".eslint*" ".wercker.yml" ".npmignore" \
+ "*.md" "*.markdown" "*.bat" "*.cmd"; do
+ find_name+=( ${find_exp} "${match}" )
+ done
+
+ # Remove various development and/or inappropriate files and
+ # useless docs of dependend packages.
+ find "${LIBDIR}"/node_modules \
+ \( -type d -name examples \) -or \( -type f \( \
+ -iname "LICEN?E*" \
+ "${find_name[@]}" \
+ \) \) -exec rm -rf "{}" \;
+ fi
+}
+
+src_test() {
+ out/${BUILDTYPE}/cctest || die
+ "${PYTHON}" tools/test.py --mode=${BUILDTYPE,,} -J message parallel sequential || die
+}
+
+pkg_postinst() {
+ einfo "The global npm config lives in /etc/npm. This deviates slightly"
+ einfo "from upstream which otherwise would have it live in /usr/etc/."
+ einfo ""
+ einfo "Protip: When using node-gyp to install native modules, you can"
+ einfo "avoid having to download extras by doing the following:"
+ einfo "$ node-gyp --nodedir /usr/include/node <command>"
+ if use libressl; then
+ ewarn
+ ewarn "You enabled libressl support. As such, you are missing the"
+ ewarn "getEphemeralKeyInfo and onCertCb JavaScript APIs."
+ ewarn "Some node packages may be broken."
+ fi
+}
|
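Review bot: In src_install the `use doc` branch greps `"${S}"/out/doc/api/*` to strip `fonts.googleapis.com` references, but the visible src_compile only runs `emake -C out mksnapshot` and `emake -C out` with no doc target, and `dohtml -r "${S}"/doc/*` then installs the source `doc/` tree rather than `out/doc`; the offline-readability edit therefore touches a tree that is never installed (and may not exist at all), so the installed HTML can keep its external font links. Either build the docs and install them from the tree the sed edited, or run the sed over what dohtml installs, and while there replace the backticks with `$(...)` and quote `"$i"`. `RESTRICT="test"` also makes src_test and the `test? ( net-misc/curl )` dependency unreachable; if the suite is known-broken a comment saying why would help, otherwise the restriction should go.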