From 7ad8128083c8009f5eae1cb05ddc1842fbd9592f Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 19 Jan 2017 09:34:15 -0500 Subject: [PATCH 1/5] Enable DTrace support. Eliminate newlines from CFLAGS due to broken dtrace shim https://sourceware.org/bugzilla/show_bug.cgi?id=21063 Thanks to Kinston Hughes for the fix. --- nodejs.spec | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/nodejs.spec b/nodejs.spec index 5feca0e..4fb77ea 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -19,7 +19,7 @@ %global nodejs_patch 4 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 1 +%global nodejs_release 2 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h @@ -109,6 +109,7 @@ BuildRequires: libicu-devel BuildRequires: zlib-devel BuildRequires: gcc >= 4.8.0 BuildRequires: gcc-c++ >= 4.8.0 +BuildRequires: systemtap-sdt-devel %if 0%{?epel} BuildRequires: openssl-devel >= 1:1.0.1 @@ -263,11 +264,15 @@ export CXXFLAGS='%{optflags} -g \ -DZLIB_CONST \ -fno-delete-null-pointer-checks' +# Explicit new lines in C(XX)FLAGS can break naive build scripts +export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' ' ')" +export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" + ./configure --prefix=%{_prefix} \ --shared-openssl \ --shared-zlib \ --shared-libuv \ - --without-dtrace \ + --with-dtrace \ --with-intl=system-icu %if %{?with_debug} == 1 @@ -283,9 +288,6 @@ rm -rf %{buildroot} ./tools/install.py install %{buildroot} %{_prefix} -# and remove dtrace file again -rm -rf %{buildroot}/%{_prefix}/lib/dtrace - # Set the binary permissions properly chmod 0755 %{buildroot}/%{_bindir}/node 
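Review bot: In the nodejs.spec hunk at `@@ -263,11 +264,15 @@`, the two added `export` lines expand `${CFLAGS}` and `${CXXFLAGS}` unquoted inside `$(echo ...)`. The flag strings therefore go through word splitting and pathname expansion, and `echo` may interpret backslashes before `tr` sees them. These variables carry `%{optflags}`, so a mangled value would change how the binary is compiled without failing the build. Passing the value through untouched is safer: `export CFLAGS="$(printf '%%s' "${CFLAGS}" | tr '\n\\' '  ')"` (with `%%` escaped for the spec file), and the same for `CXXFLAGS`. A short comment noting that every backslash is replaced, not only line continuations, would help, since a later flag with an escaped character would be altered too. The enclosing spec section starts and ends outside the hunk.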
@@ -373,6 +375,8 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %dir %{_datadir}/systemtap %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/node.stp +%dir %{_usr}/lib/dtrace +%{_usr}/lib/dtrace/node.d %{_rpmconfigdir}/fileattrs/nodejs_native.attr %{_rpmconfigdir}/nodejs_native.req %license LICENSE @@ -403,6 +407,12 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Tue Jan 17 2017 Stephen Gallagher - 1:6.9.4-2 +- Enable DTrace support. +- Eliminate newlines from CFLAGS due to broken dtrace shim + https://sourceware.org/bugzilla/show_bug.cgi?id=21063 + Thanks to Kinston Hughes for the fix. + * Tue Jan 10 2017 Zuzana Svetlikova - 1:6.9.4-1 - Update to v6.9.4 From 9037187f05e7af9e5079680d0a7a295fd032b51f Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Wed, 1 Feb 2017 16:53:44 +0100 Subject: [PATCH 2/5] Update to 6.9.5 (security) --- .gitignore | 1 + nodejs.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index e33f382..bd55c66 100644 --- a/.gitignore +++ b/.gitignore @@ -62,3 +62,4 @@ /node-v6.9.2-stripped.tar.gz /node-v6.9.3-stripped.tar.gz /node-v6.9.4-stripped.tar.gz +/node-v6.9.5-stripped.tar.gz diff --git a/nodejs.spec b/nodejs.spec index 4fb77ea..28690bd 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -16,10 +16,10 @@ %global nodejs_epoch 1 %global nodejs_major 6 %global nodejs_minor 9 -%global nodejs_patch 4 +%global nodejs_patch 5 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 2 +%global nodejs_release 1 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h 
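Review bot: The two file-list entries added at `@@ -373,6 +375,8 @@` use `%{_usr}/lib/dtrace`, while the same commit passes `--prefix=%{_prefix}` to configure and the cleanup line it removes referred to `%{_prefix}/lib/dtrace`. The install location is driven by `%{_prefix}`, so the list should name it the same way: `%dir %{_prefix}/lib/dtrace` and `%{_prefix}/lib/dtrace/node.d`. The two macros presumably expand to the same path on the target distributions, so this is a consistency point rather than a behaviour change. The file list itself starts and ends outside the hunk.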
@@ -407,6 +407,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Wed Feb 1 2017 Zuzana Svetlikova - 1:6.9.5-1 +- Update to v6.9.5(security) +- Reenable debug mode (https://github.com/nodejs/node/pull/10525) + * Tue Jan 17 2017 Stephen Gallagher - 1:6.9.4-2 - Enable DTrace support. - Eliminate newlines from CFLAGS due to broken dtrace shim diff --git a/sources b/sources index c9867a2..8b2794f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (node-v6.9.4-stripped.tar.gz) = e953b9a592cedb2b0e62e97bd042c005cf585c8d33dee7ff59f461234bd9379cf03183e5004f8964669f26a0d375ecbce90a4696ab8ed6accfc9b2f715973d5e +SHA512 (node-v6.9.5-stripped.tar.gz) = 1d10a60295fba32eddb5187a5986f8103f34115d2fe06895596a662c98191afc81bc9246100f8360d308a07db0bc7b8df9e37fe59d042ac136b42248582f4af2 From f40549b226f9d3e7672eda133bc23aea7e285eac Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 10 Feb 2017 22:21:39 +0000 Subject: [PATCH 3/5] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- nodejs.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nodejs.spec b/nodejs.spec index 28690bd..41e0397 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -72,7 +72,7 @@ Name: nodejs Epoch: %{nodejs_epoch} Version: %{nodejs_version} -Release: %{nodejs_release}%{?dist} +Release: %{nodejs_release}%{?dist}.1 Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD Group: Development/Languages @@ -200,7 +200,7 @@ Development headers for the Node.js JavaScript runtime. Summary: Node.js Package Manager Epoch: %{npm_epoch} Version: %{npm_version} -Release: %{npm_release}%{?dist} +Release: %{npm_release}%{?dist}.1 # We used to ship npm separately, but it is so tightly integrated with Node.js # (and expected to be present on all Node.js systems) that we ship it bundled 
@@ -407,6 +407,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Fri Feb 10 2017 Fedora Release Engineering - 1:6.9.5-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Wed Feb 1 2017 Zuzana Svetlikova - 1:6.9.5-1 - Update to v6.9.5(security) - Reenable debug mode (https://github.com/nodejs/node/pull/10525) From b22fc35f9a99b3e32b1454bb98999663335846d0 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 28 Feb 2017 14:03:17 -0500 Subject: [PATCH 4/5] Fix FTBFS against GCC 7 Resolves: RHBZ 1423991 --- ...e-running-gyp-files-for-bundled-deps.patch | 14 +- 0002-Use-openssl-1.0.1.patch | 202 ++++++++++++++---- ...-Certificates-are-provided-by-Fedora.patch | 20 +- 0004-Fix-compatibility-with-GCC-7.patch | 103 +++++++++ nodejs.spec | 15 +- 5 files changed, 302 insertions(+), 52 deletions(-) create mode 100644 0004-Fix-compatibility-with-GCC-7.patch diff --git a/0001-disable-running-gyp-files-for-bundled-deps.patch b/0001-disable-running-gyp-files-for-bundled-deps.patch index 4e46de4..539e591 100644 --- a/0001-disable-running-gyp-files-for-bundled-deps.patch +++ b/0001-disable-running-gyp-files-for-bundled-deps.patch @@ -1,17 +1,19 @@ -From da4ed485ddd52cd156406f939225146e8539cabb Mon Sep 17 00:00:00 2001 +From 71a2912f95f287519a3c695417655a0cae4e1bc0 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 Dec 2015 16:35:29 -0500 -Subject: [PATCH 1/3] disable running gyp files for bundled deps +Subject: [PATCH 1/4] disable running gyp files for bundled deps --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index a8870a5..f7fc4a9 100644 +index 719b855559383a8011c8f6f073ed69a1cf21aeee..31cd25452dccb0624809c0570a738c5b49cc782c 100644 --- a/Makefile 
+++ b/Makefile -@@ -70,7 +70,7 @@ $(NODE_G_EXE): config.gypi out/Makefile +@@ -70,11 +70,11 @@ $(NODE_EXE): config.gypi out/Makefile + + $(NODE_G_EXE): config.gypi out/Makefile $(MAKE) -C out BUILDTYPE=Debug V=$(V) ln -fs out/Debug/$(NODE_EXE) $@ @@ -20,6 +22,8 @@ index a8870a5..f7fc4a9 100644 $(PYTHON) tools/gyp_node.py -f make config.gypi: configure + $(error Missing or stale $@, please run ./$<) + -- -2.9.0 +2.11.1 diff --git a/0002-Use-openssl-1.0.1.patch b/0002-Use-openssl-1.0.1.patch index 700e8fc..7988f1e 100644 --- a/0002-Use-openssl-1.0.1.patch +++ b/0002-Use-openssl-1.0.1.patch @@ -1,7 +1,7 @@ -From 6cf8243a70e26843c7770f7b29b1a33b822d1c26 Mon Sep 17 00:00:00 2001 +From f614552e1698387dd4d245e07de6b75d9c023e65 Mon Sep 17 00:00:00 2001 From: Haikel Guemar Date: Tue, 26 Jul 2016 22:50:22 +0200 -Subject: [PATCH 2/3] Use openssl 1.0.1 +Subject: [PATCH 2/4] Use openssl 1.0.1 Based on Solaris patches from upstream #2783 https://github.com/nodejs/node/issues/2783 @@ -14,10 +14,12 @@ https://github.com/nodejs/node/issues/2783 5 files changed, 223 insertions(+), 13 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md -index 7feaff2..97ad7a5 100644 +index 488337a0764e4cc5e7c27bb8075c1b907696908b..292bbf26ddf5a8dd373cb15e97d220229b4cdcc1 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md -@@ -114,6 +114,12 @@ handshake extensions: +@@ -112,10 +112,16 @@ handshake extensions: + * ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP, + SPDY, HTTP/2) * SNI - Allows the use of one TLS server for multiple hostnames with different SSL certificates. @@ -30,11 +32,15 @@ index 7feaff2..97ad7a5 100644 *Note*: Use of ALPN is recommended over NPN. The NPN extension has never been formally defined or documented and generally not recommended for use. + ### Client-initiated renegotiation attack mitigation + 
diff --git a/src/node_constants.cc b/src/node_constants.cc -index 2e6be8d..239eadb 100644 +index 2e6be8df37c345a383d8a78898daf2a147d90630..239eadbac8ea8e601745a63347a8bb301c22d1b1 100644 --- a/src/node_constants.cc +++ b/src/node_constants.cc -@@ -14,7 +14,10 @@ +@@ -12,11 +12,14 @@ + #include + #include #include #if HAVE_OPENSSL @@ -45,7 +51,11 @@ index 2e6be8d..239eadb 100644 # include # ifndef OPENSSL_NO_ENGINE # include -@@ -976,12 +979,14 @@ void DefineOpenSSLConstants(Local target) { + # endif // !OPENSSL_NO_ENGINE + #endif +@@ -974,16 +977,18 @@ void DefineOpenSSLConstants(Local target) { + NODE_DEFINE_CONSTANT(target, RSA_PKCS1_PSS_PADDING); + #endif #if HAVE_OPENSSL // NOTE: These are not defines @@ -60,11 +70,15 @@ index 2e6be8d..239eadb 100644 } void DefineSystemConstants(Local target) { + // file access modes + NODE_DEFINE_CONSTANT(target, O_RDONLY); diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 9cf216f..888a0f8 100644 +index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66e6f49bf4 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc -@@ -24,6 +24,82 @@ +@@ -22,10 +22,86 @@ + #include // INT_MAX + #include #include #include @@ -147,7 +161,11 @@ index 9cf216f..888a0f8 100644 #define THROW_AND_RETURN_IF_NOT_STRING_OR_BUFFER(val, prefix) \ do { \ if (!Buffer::HasInstance(val) && !val->IsString()) { \ -@@ -160,7 +236,11 @@ template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg); + return env->ThrowTypeError(prefix " must be a string or a buffer"); \ + } \ +@@ -158,11 +234,15 @@ template int SSLWrap::SelectNextProtoCallback( + #ifdef NODE__HAVE_TLSEXT_STATUS_CB + template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg); #endif template void SSLWrap::DestroySSL(); 
@@ -159,7 +177,11 @@ index 9cf216f..888a0f8 100644 template void SSLWrap::WaitForCertCb(CertCb cb, void* arg); #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation -@@ -280,8 +360,12 @@ void SecureContext::Initialize(Environment* env, Local target) { + template int SSLWrap::SelectALPNCallback( + SSL* s, +@@ -278,12 +358,16 @@ void SecureContext::Initialize(Environment* env, Local target) { + env->SetProtoMethod(t, "setCert", SecureContext::SetCert); + env->SetProtoMethod(t, "addCACert", SecureContext::AddCACert); env->SetProtoMethod(t, "addCRL", SecureContext::AddCRL); env->SetProtoMethod(t, "addRootCerts", SecureContext::AddRootCerts); env->SetProtoMethod(t, "setCiphers", SecureContext::SetCiphers); @@ -172,7 +194,11 @@ index 9cf216f..888a0f8 100644 env->SetProtoMethod(t, "setOptions", SecureContext::SetOptions); env->SetProtoMethod(t, "setSessionIdContext", SecureContext::SetSessionIdContext); -@@ -515,8 +599,20 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, + env->SetProtoMethod(t, "setSessionTimeout", + SecureContext::SetSessionTimeout); +@@ -513,12 +597,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, + SSL_CTX_clear_extra_chain_certs(ctx); + for (int i = 0; i < sk_X509_num(extra_certs); i++) { X509* ca = sk_X509_value(extra_certs, i); @@ -195,7 +221,11 @@ index 9cf216f..888a0f8 100644 if (!r) { ret = 0; -@@ -795,6 +891,7 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { + *issuer = nullptr; + goto end; +@@ -793,10 +889,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { + const node::Utf8Value ciphers(args.GetIsolate(), args[0]); + SSL_CTX_set_cipher_list(sc->ctx_, *ciphers); } 
@@ -203,7 +233,11 @@ index 9cf216f..888a0f8 100644 void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { SecureContext* sc; ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); -@@ -822,8 +919,10 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { + Environment* env = sc->env(); + +@@ -820,12 +917,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { + SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh); EC_KEY_free(ecdh); } @@ -214,7 +248,11 @@ index 9cf216f..888a0f8 100644 void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { SecureContext* sc; ASSIGN_OR_RETURN_UNWRAP(&sc, args.This()); -@@ -862,6 +961,7 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { + Environment* env = sc->env(); + ClearErrorOnReturn clear_error_on_return; +@@ -860,10 +959,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { + DH_free(dh); + if (!r) return env->ThrowTypeError("Error setting temp DH parameter"); } @@ -222,7 +260,11 @@ index 9cf216f..888a0f8 100644 void SecureContext::SetOptions(const FunctionCallbackInfo& args) { -@@ -1872,6 +1972,7 @@ void SSLWrap::GetEphemeralKeyInfo( + SecureContext* sc; + ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); +@@ -1870,10 +1970,11 @@ void SSLWrap::GetEphemeralKeyInfo( + info->Set(env->type_string(), + FIXED_ONE_BYTE_STRING(env->isolate(), "DH")); info->Set(env->size_string(), Integer::New(env->isolate(), EVP_PKEY_bits(key))); break; @@ -230,7 +272,11 @@ index 9cf216f..888a0f8 100644 case EVP_PKEY_EC: { EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key); -@@ -1884,6 +1985,7 @@ void SSLWrap::GetEphemeralKeyInfo( + int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + EC_KEY_free(ec); +@@ -1882,10 +1983,11 @@ void SSLWrap::GetEphemeralKeyInfo( + info->Set(env->name_string(), + OneByteString(args.GetIsolate(), OBJ_nid2sn(nid))); info->Set(env->size_string(), Integer::New(env->isolate(), EVP_PKEY_bits(key))); } 
@@ -238,7 +284,11 @@ index 9cf216f..888a0f8 100644 } EVP_PKEY_free(key); } -@@ -2301,7 +2403,12 @@ void SSLWrap::WaitForCertCb(CertCb cb, void* arg) { + + return args.GetReturnValue().Set(info); +@@ -2300,11 +2402,16 @@ void SSLWrap::WaitForCertCb(CertCb cb, void* arg) { + cert_cb_arg_ = arg; + } template @@ -251,7 +301,11 @@ index 9cf216f..888a0f8 100644 Base* w = static_cast(SSL_get_app_data(s)); if (!w->is_server()) -@@ -2375,19 +2482,53 @@ void SSLWrap::CertCbDone(const FunctionCallbackInfo& args) { + return 1; + +@@ -2369,23 +2476,57 @@ void SSLWrap::CertCbDone(const FunctionCallbackInfo& args) { + ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As()); + w->sni_context_.Reset(); w->sni_context_.Reset(env->isolate(), ctx); int rv; @@ -315,7 +369,11 @@ index 9cf216f..888a0f8 100644 if (rv) rv = w->SetCACerts(sc); if (!rv) { -@@ -2451,10 +2592,14 @@ void SSLWrap::SetSNIContext(SecureContext* sc) { + unsigned long err = ERR_get_error(); // NOLINT(runtime/int) + if (!err) +@@ -2445,14 +2586,18 @@ void SSLWrap::SetSNIContext(SecureContext* sc) { + } + template int SSLWrap::SetCACerts(SecureContext* sc) { @@ -331,7 +389,11 @@ index 9cf216f..888a0f8 100644 STACK_OF(X509_NAME)* list = SSL_dup_CA_list( SSL_CTX_get_client_CA_list(sc->ctx_)); -@@ -2732,7 +2877,11 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { + // NOTE: `SSL_set_client_CA_list` takes the ownership of `list` + SSL_set_client_CA_list(ssl_, list); +@@ -2726,11 +2871,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { + + // Server does not need to check the whitelist. SSL* ssl = static_cast( X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); 
@@ -343,7 +405,11 @@ index 9cf216f..888a0f8 100644 return 1; // Client needs to check if the server cert is listed in the -@@ -2815,7 +2964,21 @@ void Connection::New(const FunctionCallbackInfo& args) { + // whitelist when it is issued by the specific rootCAs. + CheckResult ret = CheckWhitelistedServerCert(ctx); +@@ -2809,11 +2958,25 @@ void Connection::New(const FunctionCallbackInfo& args) { + if (is_server) + SSL_set_info_callback(conn->ssl_, SSLInfoCallback); InitNPN(sc); @@ -365,7 +431,11 @@ index 9cf216f..888a0f8 100644 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB if (is_server) { -@@ -4404,6 +4567,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { + SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_); + } else if (args[2]->IsString()) { +@@ -4394,10 +4557,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { + args.GetReturnValue().Set(vbuf); + delete[] out_value; } @@ -373,7 +443,11 @@ index 9cf216f..888a0f8 100644 void DiffieHellman::Initialize(Environment* env, Local target) { Local t = env->NewFunctionTemplate(New); -@@ -4805,8 +4969,10 @@ bool DiffieHellman::VerifyContext() { + const PropertyAttribute attributes = + static_cast(v8::ReadOnly | v8::DontDelete); +@@ -4795,12 +4959,14 @@ bool DiffieHellman::VerifyContext() { + if (!DH_check(dh, &codes)) + return false; verifyError_ = codes; return true; } @@ -384,7 +458,11 @@ index 9cf216f..888a0f8 100644 void ECDH::Initialize(Environment* env, Local target) { HandleScope scope(env->isolate()); -@@ -5034,6 +5200,7 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo& args) { + Local t = env->NewFunctionTemplate(New); + +@@ -5024,10 +5190,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo& args) { + return env->ThrowError("Failed to set generated public key"); + } EC_POINT_free(pub); } 
@@ -392,7 +470,11 @@ index 9cf216f..888a0f8 100644 void ECDH::SetPublicKey(const FunctionCallbackInfo& args) { -@@ -5587,6 +5754,7 @@ void GetHashes(const FunctionCallbackInfo& args) { + Environment* env = Environment::GetCurrent(args); + +@@ -5577,10 +5744,11 @@ void GetHashes(const FunctionCallbackInfo& args) { + EVP_MD_do_all_sorted(array_push_back, &ctx); + args.GetReturnValue().Set(ctx.arr); } @@ -400,7 +482,11 @@ index 9cf216f..888a0f8 100644 void GetCurves(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); const size_t num_curves = EC_get_builtin_curves(nullptr, 0); -@@ -5611,6 +5779,7 @@ void GetCurves(const FunctionCallbackInfo& args) { + Local arr = Array::New(env->isolate(), num_curves); + EC_builtin_curve* curves; +@@ -5601,10 +5769,11 @@ void GetCurves(const FunctionCallbackInfo& args) { + free(curves); + } args.GetReturnValue().Set(arr); } @@ -408,7 +494,11 @@ index 9cf216f..888a0f8 100644 bool VerifySpkac(const char* data, unsigned int len) { -@@ -5886,8 +6055,12 @@ void InitCrypto(Local target, + bool i = 0; + EVP_PKEY* pkey = nullptr; +@@ -5913,12 +6082,16 @@ void InitCrypto(Local target, + + Environment* env = Environment::GetCurrent(context); SecureContext::Initialize(env, target); Connection::Initialize(env, target); CipherBase::Initialize(env, target); @@ -421,7 +511,11 @@ index 9cf216f..888a0f8 100644 Hmac::Initialize(env, target); Hash::Initialize(env, target); Sign::Initialize(env, target); -@@ -5906,7 +6079,9 @@ void InitCrypto(Local target, + Verify::Initialize(env, target); + +@@ -5934,11 +6107,13 @@ void InitCrypto(Local target, + env->SetMethod(target, "randomBytes", RandomBytes); + env->SetMethod(target, "timingSafeEqual", TimingSafeEqual); env->SetMethod(target, "getSSLCiphers", GetSSLCiphers); env->SetMethod(target, "getCiphers", GetCiphers); env->SetMethod(target, "getHashes", GetHashes); 
@@ -431,11 +525,15 @@ index 9cf216f..888a0f8 100644 env->SetMethod(target, "publicEncrypt", PublicKeyCipher::Cipher); + env->SetMethod(target, "privateDecrypt", diff --git a/src/node_crypto.h b/src/node_crypto.h -index 24ac773..2b1b6ae 100644 +index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f21a82b8e 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h -@@ -18,8 +18,12 @@ +@@ -16,12 +16,16 @@ + #include "base-object-inl.h" + #include "v8.h" #include @@ -448,7 +546,11 @@ index 24ac773..2b1b6ae 100644 #ifndef OPENSSL_NO_ENGINE # include #endif // !OPENSSL_NO_ENGINE -@@ -101,8 +105,12 @@ class SecureContext : public BaseObject { + #include + #include +@@ -99,12 +103,16 @@ class SecureContext : public BaseObject { + static void SetCert(const v8::FunctionCallbackInfo& args); + static void AddCACert(const v8::FunctionCallbackInfo& args); static void AddCRL(const v8::FunctionCallbackInfo& args); static void AddRootCerts(const v8::FunctionCallbackInfo& args); static void SetCiphers(const v8::FunctionCallbackInfo& args); @@ -461,7 +563,11 @@ index 24ac773..2b1b6ae 100644 static void SetOptions(const v8::FunctionCallbackInfo& args); static void SetSessionIdContext( const v8::FunctionCallbackInfo& args); -@@ -283,7 +291,11 @@ class SSLWrap { + static void SetSessionTimeout( + const v8::FunctionCallbackInfo& args); +@@ -281,11 +289,15 @@ class SSLWrap { + unsigned char* outlen, + const unsigned char* in, unsigned int inlen, void* arg); static int TLSExtStatusCallback(SSL* s, void* arg); @@ -473,7 +579,11 @@ index 24ac773..2b1b6ae 100644 static void SSLGetter(v8::Local property, const v8::PropertyCallbackInfo& info); -@@ -645,6 +657,7 @@ class PublicKeyCipher { + void DestroySSL(); + void WaitForCertCb(CertCb cb, void* arg); +@@ -643,10 +655,11 @@ class PublicKeyCipher { + EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init, + EVP_PKEY_cipher_t EVP_PKEY_cipher> static void Cipher(const v8::FunctionCallbackInfo& args); }; 
@@ -481,7 +591,11 @@ index 24ac773..2b1b6ae 100644 class DiffieHellman : public BaseObject { public: ~DiffieHellman() override { -@@ -690,7 +703,9 @@ class DiffieHellman : public BaseObject { + if (dh != nullptr) { + DH_free(dh); +@@ -688,11 +701,13 @@ class DiffieHellman : public BaseObject { + + bool initialised_; int verifyError_; DH* dh; }; @@ -491,7 +605,11 @@ index 24ac773..2b1b6ae 100644 class ECDH : public BaseObject { public: ~ECDH() override { -@@ -727,6 +742,7 @@ class ECDH : public BaseObject { + if (key_ != nullptr) + EC_KEY_free(key_); +@@ -725,10 +740,11 @@ class ECDH : public BaseObject { + bool IsKeyValidForCurve(const BIGNUM* private_key); + EC_KEY* key_; const EC_GROUP* group_; }; @@ -499,11 +617,15 @@ index 24ac773..2b1b6ae 100644 bool EntropySource(unsigned char* buffer, size_t length); #ifndef OPENSSL_NO_ENGINE + void SetEngine(const v8::FunctionCallbackInfo& args); + #endif // !OPENSSL_NO_ENGINE diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc -index 7c5df11..3e06621 100644 +index d1b1aeccdd95b00b3fd0421c08fd7816cd70d182..a6e63d7c1ccc81e6f7d782dffe833234b003de15 100644 --- a/src/tls_wrap.cc +++ b/src/tls_wrap.cc -@@ -142,7 +142,15 @@ void TLSWrap::InitSSL() { +@@ -140,11 +140,19 @@ void TLSWrap::InitSSL() { + } + #endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB InitNPN(sc_); @@ -519,6 +641,8 @@ index 7c5df11..3e06621 100644 if (is_server()) { SSL_set_accept_state(ssl_); + } else if (is_client()) { + // Enough space for server response (hello, cert) -- -2.9.0 +2.11.1 diff --git a/0003-CA-Certificates-are-provided-by-Fedora.patch b/0003-CA-Certificates-are-provided-by-Fedora.patch index 1c82a0f..ab1121c 100644 --- a/0003-CA-Certificates-are-provided-by-Fedora.patch +++ b/0003-CA-Certificates-are-provided-by-Fedora.patch @@ -1,7 +1,7 @@ -From 08305ba6b7fddab1f35c59dc82a3c6b11ceceae3 Mon Sep 17 00:00:00 2001 +From 4ea8ba0dcc7fe20c8fff7f574304e749bd37ecea Mon Sep 17 00:00:00 2001 
From: Haikel Guemar Date: Tue, 26 Jul 2016 22:00:25 +0200 -Subject: [PATCH 3/3] CA Certificates are provided by Fedora. +Subject: [PATCH 3/4] CA Certificates are provided by Fedora. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -26,10 +26,12 @@ Node.js 4.4.7 1 file changed, 9 insertions(+), 21 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 888a0f8..3feff0e 100644 +index 89cd651248361d4fff3c442d5e36cc66e6f49bf4..4fadc0a001422dea3aeade330f8f596c0dab36ee 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc -@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name = +@@ -190,12 +190,12 @@ static X509_NAME *cnnic_ev_name = + d2i_X509_NAME(nullptr, &cnnic_ev_p, + sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1); static Mutex* mutexes; @@ -40,7 +42,11 @@ index 888a0f8..3feff0e 100644 }; X509_STORE* root_cert_store; -@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { + + // Just to generate static methods +@@ -845,33 +845,21 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { + (void) &clear_error_on_return; // Silence compiler warning. + CHECK_EQ(sc->ca_store_, nullptr); if (!root_cert_store) { @@ -77,6 +83,8 @@ index 888a0f8..3feff0e 100644 } + void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { + SecureContext* sc; -- -2.9.0 +2.11.1 diff --git a/0004-Fix-compatibility-with-GCC-7.patch b/0004-Fix-compatibility-with-GCC-7.patch new file mode 100644 index 0000000..a7566c4 --- /dev/null +++ b/0004-Fix-compatibility-with-GCC-7.patch 
@@ -0,0 +1,103 @@ +From c5a932e20110008273acbde5066c4231293d3a54 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis +Date: Tue, 28 Feb 2017 13:56:40 -0500 +Subject: [PATCH 4/4] Fix compatibility with GCC 7 + +Signed-off-by: Stephen Gallagher +--- + deps/v8/src/objects-body-descriptors.h | 2 +- + deps/v8/src/objects-inl.h | 21 +++++++++++++++++++++ + deps/v8/src/objects.h | 20 ++++---------------- + 3 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/deps/v8/src/objects-body-descriptors.h b/deps/v8/src/objects-body-descriptors.h +index 91cb8883be88739eab2b10df71f6f0d08aab436e..a1c3634bd762d7e03b4c87d38aa14a9a3ce318e4 100644 +--- a/deps/v8/src/objects-body-descriptors.h ++++ b/deps/v8/src/objects-body-descriptors.h +@@ -97,11 +97,11 @@ class FixedBodyDescriptor final : public BodyDescriptorBase { + IterateBodyImpl(heap, obj, start_offset, end_offset); + } + + template + static inline void IterateBody(HeapObject* obj, int object_size) { +- IterateBody(obj); ++ IterateBody(obj); + } + }; + + + // This class describes a body of an object of a variable size +diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h +index b75dd1c969a498d66584143adf0f03140a69bbd6..690a338a023c25646863715466f777850bc7f437 100644 +--- a/deps/v8/src/objects-inl.h ++++ b/deps/v8/src/objects-inl.h +@@ -34,10 +34,31 @@ + #include "src/v8memory.h" + + namespace v8 { + namespace internal { + ++template ++uint32_t HashTable::Hash(Key key) { ++ if (Shape::UsesSeed) { ++ return Shape::SeededHash(key, GetHeap()->HashSeed()); ++ } else { ++ return Shape::Hash(key); ++ } ++} ++ ++ ++template ++uint32_t HashTable::HashForObject(Key key, ++ Object* object) { ++ if (Shape::UsesSeed) { ++ return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object); ++ } else { ++ return Shape::HashForObject(key, object); ++ } ++} ++ ++ + PropertyDetails::PropertyDetails(Smi* smi) { + value_ = smi->value(); + } + + +diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h +index 
abced2d4bad50ca2e01373ac5ad3330cdbbdd682..e507dba665bfbd64f5ee5851b08a507de0a2519a 100644 +--- a/deps/v8/src/objects.h ++++ b/deps/v8/src/objects.h +@@ -3259,26 +3259,14 @@ class HashTableBase : public FixedArray { + + + template + class HashTable : public HashTableBase { + public: +- // Wrapper methods +- inline uint32_t Hash(Key key) { +- if (Shape::UsesSeed) { +- return Shape::SeededHash(key, GetHeap()->HashSeed()); +- } else { +- return Shape::Hash(key); +- } +- } +- +- inline uint32_t HashForObject(Key key, Object* object) { +- if (Shape::UsesSeed) { +- return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object); +- } else { +- return Shape::HashForObject(key, object); +- } +- } ++ // Wrapper methods. Defined in src/objects-inl.h ++ // to break a cycle with src/heap/heap.h. ++ inline uint32_t Hash(Key key); ++ inline uint32_t HashForObject(Key key, Object* object); + + // Returns a new HashTable object. + MUST_USE_RESULT static Handle New( + Isolate* isolate, int at_least_space_for, + MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY, +-- +2.11.1 + diff --git a/nodejs.spec b/nodejs.spec index 41e0397..cf506d5 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -19,7 +19,7 @@ %global nodejs_patch 5 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 1 +%global nodejs_release 2 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h @@ -72,7 +72,7 @@ Name: nodejs Epoch: %{nodejs_epoch} Version: %{nodejs_version} -Release: %{nodejs_release}%{?dist}.1 +Release: %{nodejs_release}%{?dist} Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD Group: Development/Languages 
@@ -102,6 +102,10 @@ Patch2: 0002-Use-openssl-1.0.1.patch # http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch Patch3: 0003-CA-Certificates-are-provided-by-Fedora.patch +# Patch to allow building with GCC 7 from +# https://github.com/nodejs/node/issues/10388#issuecomment-283120731 +Patch4: 0004-Fix-compatibility-with-GCC-7.patch + BuildRequires: python-devel BuildRequires: libuv-devel >= 1:1.9.1 Requires: libuv >= 1:1.9.1 @@ -244,6 +248,9 @@ rm -rf deps/uv \ rm -f src/node_root_certs.h %patch3 -p1 +# Fix GCC7 build +%patch4 -p1 + %if 0%{?epel} %patch2 -p1 %endif @@ -407,6 +414,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Tue Feb 28 2017 Stephen Gallagher - - +- Fix FTBFS against GCC 7 +- Resolves: RHBZ 1423991 + * Fri Feb 10 2017 Fedora Release Engineering - 1:6.9.5-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild From 1b7255bc99ddff65820cac15a98ad78b879c8ac9 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 9 Mar 2017 14:08:08 -0500 Subject: [PATCH 5/5] Update to 6.10.0 https://nodejs.org/en/blog/release/v6.10.0/ New patch for handling system CA certificates --- .gitignore | 1 + ...e-running-gyp-files-for-bundled-deps.patch | 4 +- 0002-Use-openssl-1.0.1.patch | 62 ++++++------- ...-Certificates-are-provided-by-Fedora.patch | 90 ------------------- ...em-CAs-instead-of-using-bundled-ones.patch | 84 +++++++++++++++++ 0004-Fix-compatibility-with-GCC-7.patch | 8 +- nodejs.spec | 28 +++--- sources | 2 +- 8 files changed, 139 insertions(+), 140 deletions(-) delete mode 100644 0003-CA-Certificates-are-provided-by-Fedora.patch create mode 100644 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch diff --git a/.gitignore b/.gitignore index bd55c66..3fc8526 100644 --- a/.gitignore +++ b/.gitignore 
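Review bot: The comment above `Patch4:` in the hunk at `@@ -102,6 +102,10 @@` gives an issue-comment URL as the patch's only provenance, and the header of the 0004 patch file added in this commit shows an author and a Signed-off-by but no upstream commit id. The patch rewrites code under the bundled `deps/v8`, so a later maintainer cannot easily check it against what upstream merged or tell when it can be dropped. I would extend the comment once the upstream change lands, for example `# Drop when upstream commit <upstream-commit-sha> is part of the packaged release`. Separately, `%patch4 -p1` is applied before the conditional `%patch2 -p1`, although the files are numbered as a 1/4 to 4/4 series. The visible patches touch different files, so this looks harmless, but a one-line comment that the order is intentional would avoid confusion.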
@@ -63,3 +63,4 @@ /node-v6.9.3-stripped.tar.gz /node-v6.9.4-stripped.tar.gz /node-v6.9.5-stripped.tar.gz +/node-v6.10.0-stripped.tar.gz diff --git a/0001-disable-running-gyp-files-for-bundled-deps.patch b/0001-disable-running-gyp-files-for-bundled-deps.patch index 539e591..7dbeb1c 100644 --- a/0001-disable-running-gyp-files-for-bundled-deps.patch +++ b/0001-disable-running-gyp-files-for-bundled-deps.patch @@ -1,4 +1,4 @@ -From 71a2912f95f287519a3c695417655a0cae4e1bc0 Mon Sep 17 00:00:00 2001 +From 061822759b37ab5bda659d74f9149cace5afe628 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 Dec 2015 16:35:29 -0500 Subject: [PATCH 1/4] disable running gyp files for bundled deps @@ -25,5 +25,5 @@ index 719b855559383a8011c8f6f073ed69a1cf21aeee..31cd25452dccb0624809c0570a738c5b $(error Missing or stale $@, please run ./$<) -- -2.11.1 +2.12.0 diff --git a/0002-Use-openssl-1.0.1.patch b/0002-Use-openssl-1.0.1.patch index 7988f1e..4b90ade 100644 --- a/0002-Use-openssl-1.0.1.patch +++ b/0002-Use-openssl-1.0.1.patch @@ -1,4 +1,4 @@ -From f614552e1698387dd4d245e07de6b75d9c023e65 Mon Sep 17 00:00:00 2001 +From 91d1a67b8cc249af59929cd1a76629a2614860bd Mon Sep 17 00:00:00 2001 From: Haikel Guemar Date: Tue, 26 Jul 2016 22:50:22 +0200 Subject: [PATCH 2/4] Use openssl 1.0.1 @@ -14,10 +14,10 @@ https://github.com/nodejs/node/issues/2783 5 files changed, 223 insertions(+), 13 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md -index 488337a0764e4cc5e7c27bb8075c1b907696908b..292bbf26ddf5a8dd373cb15e97d220229b4cdcc1 100644 +index 3784210ba7b6c046b39d74b45e44538041d35ae2..3c9d72b8d5ef81d15773aed077bd00d2041c9e93 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md -@@ -112,10 +112,16 @@ handshake extensions: +@@ -113,10 +113,16 @@ handshake extensions: * ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP, SPDY, HTTP/2) * SNI - Allows the use of one TLS server for multiple hostnames with different 
@@ -73,7 +73,7 @@ index 2e6be8df37c345a383d8a78898daf2a147d90630..239eadbac8ea8e601745a63347a8bb30 // file access modes NODE_DEFINE_CONSTANT(target, O_RDONLY); diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66e6f49bf4 100644 +index 482ec230c0f4500b63b705d705a142e63ff179e5..c5630f30d0bef75ced53b36062bb1f0324dbdb9d 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -22,10 +22,86 @@ @@ -163,7 +163,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 if (!Buffer::HasInstance(val) && !val->IsString()) { \ return env->ThrowTypeError(prefix " must be a string or a buffer"); \ } \ -@@ -158,11 +234,15 @@ template int SSLWrap::SelectNextProtoCallback( +@@ -161,11 +237,15 @@ template int SSLWrap::SelectNextProtoCallback( #ifdef NODE__HAVE_TLSEXT_STATUS_CB template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg); #endif @@ -179,7 +179,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation template int SSLWrap::SelectALPNCallback( SSL* s, -@@ -278,12 +358,16 @@ void SecureContext::Initialize(Environment* env, Local target) { +@@ -281,12 +361,16 @@ void SecureContext::Initialize(Environment* env, Local target) { env->SetProtoMethod(t, "setCert", SecureContext::SetCert); env->SetProtoMethod(t, "addCACert", SecureContext::AddCACert); env->SetProtoMethod(t, "addCRL", SecureContext::AddCRL); @@ -196,7 +196,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 SecureContext::SetSessionIdContext); env->SetProtoMethod(t, "setSessionTimeout", SecureContext::SetSessionTimeout); -@@ -513,12 +597,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, +@@ -514,12 +598,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, SSL_CTX_clear_extra_chain_certs(ctx); for (int i = 0; i < sk_X509_num(extra_certs); i++) { 
@@ -223,7 +223,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 ret = 0; *issuer = nullptr; goto end; -@@ -793,10 +889,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { +@@ -868,10 +964,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { const node::Utf8Value ciphers(args.GetIsolate(), args[0]); SSL_CTX_set_cipher_list(sc->ctx_, *ciphers); } @@ -235,7 +235,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); Environment* env = sc->env(); -@@ -820,12 +917,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { +@@ -895,12 +992,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh); @@ -250,7 +250,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 ASSIGN_OR_RETURN_UNWRAP(&sc, args.This()); Environment* env = sc->env(); ClearErrorOnReturn clear_error_on_return; -@@ -860,10 +959,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { +@@ -935,10 +1034,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { DH_free(dh); if (!r) @@ -262,7 +262,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 void SecureContext::SetOptions(const FunctionCallbackInfo& args) { SecureContext* sc; ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); -@@ -1870,10 +1970,11 @@ void SSLWrap::GetEphemeralKeyInfo( +@@ -1952,10 +2052,11 @@ void SSLWrap::GetEphemeralKeyInfo( info->Set(env->type_string(), FIXED_ONE_BYTE_STRING(env->isolate(), "DH")); info->Set(env->size_string(), 
@@ -274,7 +274,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key); int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); EC_KEY_free(ec); -@@ -1882,10 +1983,11 @@ void SSLWrap::GetEphemeralKeyInfo( +@@ -1964,10 +2065,11 @@ void SSLWrap::GetEphemeralKeyInfo( info->Set(env->name_string(), OneByteString(args.GetIsolate(), OBJ_nid2sn(nid))); info->Set(env->size_string(), @@ -286,7 +286,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 } return args.GetReturnValue().Set(info); -@@ -2300,11 +2402,16 @@ void SSLWrap::WaitForCertCb(CertCb cb, void* arg) { +@@ -2382,11 +2484,16 @@ void SSLWrap::WaitForCertCb(CertCb cb, void* arg) { cert_cb_arg_ = arg; } @@ -303,7 +303,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 if (!w->is_server()) return 1; -@@ -2369,23 +2476,57 @@ void SSLWrap::CertCbDone(const FunctionCallbackInfo& args) { +@@ -2451,23 +2558,57 @@ void SSLWrap::CertCbDone(const FunctionCallbackInfo& args) { ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As()); w->sni_context_.Reset(); w->sni_context_.Reset(env->isolate(), ctx); @@ -371,7 +371,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 if (!rv) { unsigned long err = ERR_get_error(); // NOLINT(runtime/int) if (!err) -@@ -2445,14 +2586,18 @@ void SSLWrap::SetSNIContext(SecureContext* sc) { +@@ -2527,14 +2668,18 @@ void SSLWrap::SetSNIContext(SecureContext* sc) { } @@ -391,7 +391,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 // NOTE: `SSL_set_client_CA_list` takes the ownership of `list` SSL_set_client_CA_list(ssl_, list); -@@ -2726,11 +2871,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { +@@ -2808,11 +2953,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { // Server does not need to check the whitelist. SSL* ssl = static_cast( 
@@ -407,7 +407,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 // Client needs to check if the server cert is listed in the // whitelist when it is issued by the specific rootCAs. CheckResult ret = CheckWhitelistedServerCert(ctx); -@@ -2809,11 +2958,25 @@ void Connection::New(const FunctionCallbackInfo& args) { +@@ -2891,11 +3040,25 @@ void Connection::New(const FunctionCallbackInfo& args) { if (is_server) SSL_set_info_callback(conn->ssl_, SSLInfoCallback); @@ -433,7 +433,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 if (is_server) { SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_); } else if (args[2]->IsString()) { -@@ -4394,10 +4557,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { +@@ -4476,10 +4639,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { args.GetReturnValue().Set(vbuf); delete[] out_value; } @@ -445,7 +445,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 const PropertyAttribute attributes = static_cast(v8::ReadOnly | v8::DontDelete); -@@ -4795,12 +4959,14 @@ bool DiffieHellman::VerifyContext() { +@@ -4877,12 +5041,14 @@ bool DiffieHellman::VerifyContext() { if (!DH_check(dh, &codes)) return false; verifyError_ = codes; @@ -460,7 +460,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 Local t = env->NewFunctionTemplate(New); -@@ -5024,10 +5190,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo& args) { +@@ -5106,10 +5272,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo& args) { return env->ThrowError("Failed to set generated public key"); } 
@@ -472,7 +472,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 void ECDH::SetPublicKey(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); -@@ -5577,10 +5744,11 @@ void GetHashes(const FunctionCallbackInfo& args) { +@@ -5659,10 +5826,11 @@ void GetHashes(const FunctionCallbackInfo& args) { EVP_MD_do_all_sorted(array_push_back, &ctx); args.GetReturnValue().Set(ctx.arr); } @@ -484,7 +484,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 const size_t num_curves = EC_get_builtin_curves(nullptr, 0); Local arr = Array::New(env->isolate(), num_curves); EC_builtin_curve* curves; -@@ -5601,10 +5769,11 @@ void GetCurves(const FunctionCallbackInfo& args) { +@@ -5683,10 +5851,11 @@ void GetCurves(const FunctionCallbackInfo& args) { free(curves); } @@ -496,7 +496,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 bool VerifySpkac(const char* data, unsigned int len) { bool i = 0; EVP_PKEY* pkey = nullptr; -@@ -5913,12 +6082,16 @@ void InitCrypto(Local target, +@@ -5995,12 +6164,16 @@ void InitCrypto(Local target, Environment* env = Environment::GetCurrent(context); SecureContext::Initialize(env, target); @@ -513,7 +513,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 Sign::Initialize(env, target); Verify::Initialize(env, target); -@@ -5934,11 +6107,13 @@ void InitCrypto(Local target, +@@ -6016,11 +6189,13 @@ void InitCrypto(Local target, env->SetMethod(target, "randomBytes", RandomBytes); env->SetMethod(target, "timingSafeEqual", TimingSafeEqual); env->SetMethod(target, "getSSLCiphers", GetSSLCiphers); @@ -528,7 +528,7 @@ index b83794a770d672d492a5b01aee9a46fcaa39be85..89cd651248361d4fff3c442d5e36cc66 EVP_PKEY_encrypt>); env->SetMethod(target, "privateDecrypt", 
diff --git a/src/node_crypto.h b/src/node_crypto.h -index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f21a82b8e 100644 +index 175206c40df58602b0c24d039b8b5a8bb6f56ba3..5ecc43b08d0b4d97311f09271a26f5a735a6e018 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -16,12 +16,16 @@ @@ -548,7 +548,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f #endif // !OPENSSL_NO_ENGINE #include #include -@@ -99,12 +103,16 @@ class SecureContext : public BaseObject { +@@ -100,12 +104,16 @@ class SecureContext : public BaseObject { static void SetCert(const v8::FunctionCallbackInfo& args); static void AddCACert(const v8::FunctionCallbackInfo& args); static void AddCRL(const v8::FunctionCallbackInfo& args); @@ -565,7 +565,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f const v8::FunctionCallbackInfo& args); static void SetSessionTimeout( const v8::FunctionCallbackInfo& args); -@@ -281,11 +289,15 @@ class SSLWrap { +@@ -273,11 +281,15 @@ class SSLWrap { unsigned char* outlen, const unsigned char* in, unsigned int inlen, @@ -581,7 +581,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f void DestroySSL(); void WaitForCertCb(CertCb cb, void* arg); -@@ -643,10 +655,11 @@ class PublicKeyCipher { +@@ -635,10 +647,11 @@ class PublicKeyCipher { EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init, EVP_PKEY_cipher_t EVP_PKEY_cipher> static void Cipher(const v8::FunctionCallbackInfo& args); @@ -593,7 +593,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f ~DiffieHellman() override { if (dh != nullptr) { DH_free(dh); -@@ -688,11 +701,13 @@ class DiffieHellman : public BaseObject { +@@ -680,11 +693,13 @@ class DiffieHellman : public BaseObject { bool initialised_; int verifyError_; 
@@ -607,7 +607,7 @@ index 24ac77365cf45578f2be359f18b8e9c347209531..2b1b6ae80f668149c0691c44aa4e295f ~ECDH() override { if (key_ != nullptr) EC_KEY_free(key_); -@@ -725,10 +740,11 @@ class ECDH : public BaseObject { +@@ -717,10 +732,11 @@ class ECDH : public BaseObject { bool IsKeyValidForCurve(const BIGNUM* private_key); EC_KEY* key_; @@ -644,5 +644,5 @@ index d1b1aeccdd95b00b3fd0421c08fd7816cd70d182..a6e63d7c1ccc81e6f7d782dffe833234 } else if (is_client()) { // Enough space for server response (hello, cert) -- -2.11.1 +2.12.0 diff --git a/0003-CA-Certificates-are-provided-by-Fedora.patch b/0003-CA-Certificates-are-provided-by-Fedora.patch deleted file mode 100644 index ab1121c..0000000 --- a/0003-CA-Certificates-are-provided-by-Fedora.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 4ea8ba0dcc7fe20c8fff7f574304e749bd37ecea Mon Sep 17 00:00:00 2001 -From: Haikel Guemar -Date: Tue, 26 Jul 2016 22:00:25 +0200 -Subject: [PATCH 3/4] CA Certificates are provided by Fedora. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Forwarded: need some feedback before submitting the matter upstream -Author: Jérémy Lal -Last-Update: 2014-03-02 - -Modified 2014-05-02 by T.C. Hollingsworth with the -correct path for Fedora - -Modified 2015-12-01 by Stephen Gallagher to update for -Node.js 4.2 - -Modified 2016-03-04 by Stephen Gallagher to update for -Node.js 5.4.1 - -Modified 2016-07-26 by Haikel Guemar to update for -Node.js 4.4.7 ---- - src/node_crypto.cc | 30 +++++++++--------------------- - 1 file changed, 9 insertions(+), 21 deletions(-) - -diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 89cd651248361d4fff3c442d5e36cc66e6f49bf4..4fadc0a001422dea3aeade330f8f596c0dab36ee 100644 ---- a/src/node_crypto.cc -+++ b/src/node_crypto.cc -@@ -190,12 +190,12 @@ static X509_NAME *cnnic_ev_name = - d2i_X509_NAME(nullptr, &cnnic_ev_p, - sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1); - - static Mutex* mutexes; - --const char* const root_certs[] = { --#include "node_root_certs.h" // NOLINT(build/include_order) -+const char* root_certs[] = { -+ NULL - }; - - X509_STORE* root_cert_store; - - // Just to generate static methods -@@ -845,33 +845,21 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { - (void) &clear_error_on_return; // Silence compiler warning. 
- - CHECK_EQ(sc->ca_store_, nullptr); - - if (!root_cert_store) { -- root_cert_store = X509_STORE_new(); -- -- for (size_t i = 0; i < arraysize(root_certs); i++) { -- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); -- if (bp == nullptr) { -- return; -- } -- -- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); -- if (x509 == nullptr) { -- BIO_free_all(bp); -- return; -- } -- -- X509_STORE_add_cert(root_cert_store, x509); -- -- BIO_free_all(bp); -- X509_free(x509); -+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) { -+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); -+ } else { -+ // empty store -+ root_cert_store = X509_STORE_new(); - } -+ } else { -+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); - } - - sc->ca_store_ = root_cert_store; -- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); - } - - - void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { - SecureContext* sc; --- -2.11.1 - diff --git a/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch b/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch new file mode 100644 index 0000000..8c6db97 --- /dev/null +++ b/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch 
@@ -0,0 +1,84 @@ +From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001 +From: Adam Majer +Date: Wed, 21 Dec 2016 11:16:38 +0100 +Subject: [PATCH 3/4] crypto: Use system CAs instead of using bundled ones + +NodeJS can already use an external, shared OpenSSL library. This +library knows where to look for OS managed certificates. Allow +a compile-time option to use this CA store by default instead of +using bundled certificates. + +In case when using bundled OpenSSL, the paths are also valid for +majority of Linux systems without additional intervention. If +this is not set, we can use SSL_CERT_DIR to point it to correct +location. + +Fixes: https://github.com/nodejs/node/issues/3159 +PR-URL: https://github.com/nodejs/node/pull/8334 +Reviewed-By: Sam Roberts +Reviewed-By: James M Snell +Reviewed-By: Fedor Indutny +--- + configure | 7 +++++++ + src/node_crypto.cc | 4 ++++ + 2 files changed, 11 insertions(+) + +diff --git a/configure b/configure +index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755 +--- a/configure ++++ b/configure +@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm", + parser.add_option('--openssl-fips', + action='store', + dest='openssl_fips', + help='Build OpenSSL using FIPS canister .o file in supplied folder') + ++parser.add_option('--openssl-use-def-ca-store', ++ action='store_true', ++ dest='use_openssl_ca_store', ++ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.') ++ + shared_optgroup.add_option('--shared-http-parser', + action='store_true', + dest='shared_http_parser', + help='link to a shared http_parser DLL instead of static linking') + +@@ -937,10 +942,12 @@ def configure_v8(o): + + def configure_openssl(o): + o['variables']['node_use_openssl'] = b(not options.without_ssl) + o['variables']['node_shared_openssl'] = b(options.shared_openssl) + o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 ++ if options.use_openssl_ca_store: 
++ o['defines'] += ['NODE_OPENSSL_CERT_STORE'] + if options.openssl_fips: + o['variables']['openssl_fips'] = options.openssl_fips + fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips') + fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld')) + o['make_fips_settings'] = [ +diff --git a/src/node_crypto.cc b/src/node_crypto.cc +index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644 +--- a/src/node_crypto.cc ++++ b/src/node_crypto.cc +@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() { + root_certs_vector->push_back(x509); + } + } + + X509_STORE* store = X509_STORE_new(); ++#if defined(NODE_OPENSSL_CERT_STORE) ++ X509_STORE_set_default_paths(store); ++#else + for (auto& cert : *root_certs_vector) { + X509_up_ref(cert); + X509_STORE_add_cert(store, cert); + } ++#endif + + return store; + } + + +-- +2.12.0 + diff --git a/0004-Fix-compatibility-with-GCC-7.patch b/0004-Fix-compatibility-with-GCC-7.patch index a7566c4..da90368 100644 --- a/0004-Fix-compatibility-with-GCC-7.patch +++ b/0004-Fix-compatibility-with-GCC-7.patch @@ -1,4 +1,4 @@ -From c5a932e20110008273acbde5066c4231293d3a54 Mon Sep 17 00:00:00 2001 +From fbb5821dc3d967e916a187ee009e955530d2ce8d Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Tue, 28 Feb 2017 13:56:40 -0500 Subject: [PATCH 4/4] Fix compatibility with GCC 7 @@ -28,7 +28,7 @@ index 91cb8883be88739eab2b10df71f6f0d08aab436e..a1c3634bd762d7e03b4c87d38aa14a9a // This class describes a body of an object of a variable size diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h -index b75dd1c969a498d66584143adf0f03140a69bbd6..690a338a023c25646863715466f777850bc7f437 100644 +index 11f4d7498d7558f56037483004a3d5839154516b..72208c2f00f4a9ff47ae487fa9a42f8f82cf12ea 100644 --- a/deps/v8/src/objects-inl.h +++ b/deps/v8/src/objects-inl.h @@ -34,10 +34,31 @@ @@ -64,7 +64,7 @@ index b75dd1c969a498d66584143adf0f03140a69bbd6..690a338a023c25646863715466f77785 
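Review bot: The result of `X509_STORE_set_default_paths(store)` in the added `NODE_OPENSSL_CERT_STORE` branch of `NewRootCertStore()` is discarded, so a store with no usable trust anchors is returned exactly like a populated one. That should fail closed, since peers are rejected rather than accepted, but the cause then surfaces only as certificate verification errors at handshake time. As this is a backport I would leave the call as upstream has it and add a comment above it, e.g. `// Trust anchors come from OpenSSL's default paths (SSL_CERT_FILE / SSL_CERT_DIR override them); an empty store rejects every peer.` The function starts above this hunk, and the visible context suggests the bundled certificates are still parsed into `root_certs_vector` even when this branch is compiled in.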
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h -index abced2d4bad50ca2e01373ac5ad3330cdbbdd682..e507dba665bfbd64f5ee5851b08a507de0a2519a 100644 +index d1632c9deb298218faea31886ffdb0a8e0201cdc..47b02dadcff9658c9fcfe629e137667015e12079 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h @@ -3259,26 +3259,14 @@ class HashTableBase : public FixedArray { @@ -99,5 +99,5 @@ index abced2d4bad50ca2e01373ac5ad3330cdbbdd682..e507dba665bfbd64f5ee5851b08a507d Isolate* isolate, int at_least_space_for, MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY, -- -2.11.1 +2.12.0 diff --git a/nodejs.spec b/nodejs.spec index cf506d5..2bb558f 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -15,18 +15,18 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 6 -%global nodejs_minor 9 -%global nodejs_patch 5 +%global nodejs_minor 10 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 2 +%global nodejs_release 1 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h %global v8_major 5 %global v8_minor 1 %global v8_build 281 -%global v8_patch 89 +%global v8_patch 93 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} 
@@ -98,9 +98,8 @@ Patch1: 0001-disable-running-gyp-files-for-bundled-deps.patch Patch2: 0002-Use-openssl-1.0.1.patch # use system certificates instead of the bundled ones -# modified version of Debian patch: -# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch -Patch3: 0003-CA-Certificates-are-provided-by-Fedora.patch +# Backported from upstream 7.5.0+ +Patch3: 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch # Patch to allow building with GCC 7 from # https://github.com/nodejs/node/issues/10388#issuecomment-283120731 @@ -204,7 +203,7 @@ Development headers for the Node.js JavaScript runtime. Summary: Node.js Package Manager Epoch: %{npm_epoch} Version: %{npm_version} -Release: %{npm_release}%{?dist}.1 +Release: %{npm_release}%{?dist} # We used to ship npm separately, but it is so tightly integrated with Node.js # (and expected to be present on all Node.js systems) that we ship it bundled @@ -244,8 +243,7 @@ The API documentation for the Node.js JavaScript runtime. rm -rf deps/uv \ deps/zlib -# remove bundled CA certificates -rm -f src/node_root_certs.h +# Use system CA certificates %patch3 -p1 # Fix GCC7 build @@ -280,7 +278,8 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" --shared-zlib \ --shared-libuv \ --with-dtrace \ - --with-intl=system-icu + --with-intl=system-icu \ + --openssl-use-def-ca-store %if %{?with_debug} == 1 # Setting BUILDTYPE=Debug builds both release and debug binaries @@ -414,7 +413,12 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog -* Tue Feb 28 2017 Stephen Gallagher - - +* Thu Mar 09 2017 Stephen Gallagher - 1:6.10.0-1 +- Update to 6.10.0 +- https://nodejs.org/en/blog/release/v6.10.0/ +- New patch for handling system CA certificates + +* Tue Feb 28 2017 Stephen Gallagher - 1:6.9.5-2 - Fix FTBFS against GCC 7 - Resolves: RHBZ 1423991 diff --git a/sources b/sources index 8b2794f..31d2fa7 100644 
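Review bot: With `rm -f src/node_root_certs.h` dropped from %prep in the `@@ -244,8 +243,7 @@` hunk, only the `--openssl-use-def-ca-store` flag added in the `@@ -280,7 +278,8 @@` hunk keeps the bundled CA list out of the default trust store. If that flag is lost in a later rebase, the build should still succeed and, going by the `#else` branch of the new Patch3, silently fall back to the compiled-in certificates. I would record this in the spec above the `./configure` call, which begins outside the hunk, e.g. `# --openssl-use-def-ca-store is required: without it Patch3 falls back to the bundled CA list`. A %check assertion that the system store is in use would make such a regression visible, if a stable way to test it is available.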
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (node-v6.9.5-stripped.tar.gz) = 1d10a60295fba32eddb5187a5986f8103f34115d2fe06895596a662c98191afc81bc9246100f8360d308a07db0bc7b8df9e37fe59d042ac136b42248582f4af2
+SHA512 (node-v6.10.0-stripped.tar.gz) = 2da288352df3113d59e882aeb7007a956c4ae7d3fa74262f9492dd789c6c299ff299a355b9a55f999ed3e4e78dd3d7ad4e55fece5e93b9e9ef82da8e670d562e