From e289d3987f373147502fcc6bb74d500b0e4e0d68 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 11 May 2017 09:48:09 +0200 Subject: [PATCH 01/13] Bundle http-parser when bootstraping --- nodejs.spec | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/nodejs.spec b/nodejs.spec index 618ca89..68cf04d 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -21,7 +21,7 @@ %global nodejs_patch 3 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 1 +%global nodejs_release 2 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h @@ -39,6 +39,12 @@ %global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} +# http-parser - from deps/http_parser/http_parser.h +%global http_parser_major 2 +%global http_parser_minor 7 +%global http_parser_patch 0 +%global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch} + # punycode - from lib/punycode.js # Note: this was merged into the mainline since 0.6.x # Note: this will be unmerged in v7 or v8 @@ -115,8 +121,10 @@ BuildRequires: gcc-c++ >= 4.8.0 %if ! 0%{?bootstrap} BuildRequires: systemtap-sdt-devel -%endif BuildRequires: http-parser-devel >= 2.7.0 +%else +Provides: bundled(http-parser) = %{http_parser_version} +%endif %if 0%{?epel} BuildRequires: openssl-devel >= 1:1.0.1 @@ -240,8 +248,7 @@ The API documentation for the Node.js JavaScript runtime. # remove bundled dependencies that we aren't building %patch1 -p1 -rm -rf deps/http-parser \ - deps/icu-small \ +rm -rf deps/icu-small \ deps/uv \ deps/zlib 
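Review bot: The `Provides: bundled(http-parser) = %{http_parser_version}` added in the `%else` branch takes its value from the hand-maintained `http_parser_major`/`minor`/`patch` macros, so it reports 2.7.0 whatever the tarball actually ships. Anyone searching for packages that carry an affected bundled copy relies on this value, and a Node.js rebase that moves the bundled parser forward without touching the macros would leave the package advertising a stale version. I would make the obligation explicit in the macro comment, for example `# http-parser - from deps/http_parser/http_parser.h (re-check on every rebase; feeds Provides: bundled(http-parser))`. A `%prep` check that compares the macros with the `HTTP_PARSER_VERSION_*` defines in that header and fails the build on mismatch would enforce it.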
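Review bot: Dropping `deps/http-parser` from the `rm -rf` list takes effect in every build, not only the bootstrap one, so a non-bootstrap build now keeps the bundled sources in the tree although it is meant to use the system library. The removal in `%prep` is the safeguard against a build quietly picking up a bundled copy, so I would keep it under the condition: `%if ! 0%{?bootstrap}`, `rm -rf deps/http_parser`, `%endif`. The comment added earlier in this patch spells the directory `deps/http_parser` while the removed line said `deps/http-parser`, so the name should be checked against the tarball; if the old spelling was wrong, the removal may never have matched anything. The `%prep` section starts and ends outside this hunk.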
@@ -441,6 +448,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Thu May 11 2017 Zuzana Svetlikova - 1:6.10.3-2 +- Provide bundled http-parser in case of boostraping + * Wed May 10 2017 Stephen Gallagher - 1:6.10.3-1 - Update to 6.10.3 (LTS) - https://nodejs.org/en/blog/release/v6.10.3/ From b0da67b00a92f2ad570d91d6f50fb9b1786650c9 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 11 May 2017 10:31:50 +0200 Subject: [PATCH 02/13] Remove shared-http-parser from bootstraped configure --- nodejs.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/nodejs.spec b/nodejs.spec index 68cf04d..8debc37 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -297,7 +297,6 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" --shared-openssl \ --shared-zlib \ --shared-libuv \ - --shared-http-parser \ --without-dtrace \ --with-intl=system-icu \ --openssl-use-def-ca-store From 35216d99851df20a1fcc7c0b6a2b77bbcdc2549a Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 11 May 2017 12:40:45 +0200 Subject: [PATCH 03/13] Commit yaml --- nodejs.yaml | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 nodejs.yaml diff --git a/nodejs.yaml b/nodejs.yaml new file mode 100644 index 0000000..5eb4f61 --- /dev/null +++ b/nodejs.yaml 
@@ -0,0 +1,66 @@ +document: modulemd +version: 1 +data: + summary: Javascript runtime + description: Node.js is a platform built on V8 JavaScript Engine for easily building fast, scalable network applications. + license: + module: GPLv3 + content: + - MIT + - ASL 2.0 + - ISC + - BSD + dependencies: + buildrequires: + base-runtime: f26 + common-build-dependencies: f26 + common-build-dependencies-bootstrap: f26 + shared-userspace: f26 + requires: + base-runtime: master + references: + community: https://fedoraproject.org/wiki/Modularity + documentation: https://fedoraproject.org/wiki/Fedora_Packaging_Guidelines_for_Modules + tracker: https://taiga.fedorainfracloud.org/project/modularity + profiles: + default: + rpms: + - nodejs + - npm + minimal: + rpms: + - nodejs + components: + rpms: + nodejs: + rationale: JavaScript runtime + ref: f26 + buildorder: 0 + npm: + rationale: npm package manager + ref: f26 + buildorder: 1 + # python: + # rationale: build dependency + # ref: f26 + # openssl: + # rationale: build dependency + # ref: f25 + # #compat-openssl10: f26 + # icu: + # rationale: build dependency + # ref: f26 + # libuv: + # rationale: build dependency + # ref: f26 + # zlib: + # rationale: build dependency + # ref: f26 + # gcc: + # rationale: build dependency + # ref: f26 + # #gcc-c++: + # #rationale: build dependency + # #ref: f26 + # #systemtap-sdt-devel: f26 + # #ca-certificates: f26 From b63fe8420be7c31cfa7d86732fbdb73164769020 Mon Sep 17 00:00:00 2001 From: Tomas Tomecek Date: Thu, 11 May 2017 14:40:28 +0200 Subject: [PATCH 04/13] turn bootstrapping off Signed-off-by: Tomas Tomecek --- nodejs.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodejs.spec b/nodejs.spec index 8debc37..22129f7 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,6 +1,6 @@ %global with_debug 1 -%{!?_with_bootstrap: %global bootstrap 1} +%{!?_with_bootstrap: %global bootstrap 0} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} 
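Review bot: `requires: base-runtime: master` points the runtime dependency at a moving branch, while every `buildrequires` entry and both component `ref` values use `f26`. The module is therefore built against one stream and installed against whatever `master` holds at that time. Unless that is intended, the line should read `base-runtime: f26`. The commented-out component list at the end (python, openssl with `ref: f25`, icu, libuv, zlib, gcc) has no explanation; either drop it or put a one-line comment above it saying why it is kept.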
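Review bot: `%{!?_with_bootstrap: %global bootstrap 0}` defines the macro only when `--with bootstrap` is NOT passed, so after this change `0%{?bootstrap}` evaluates to 0 in both cases. Unless the macro is set some other way, the bootstrap path (bundled http-parser and its `Provides: bundled(http-parser)`) can then no longer be selected from the command line. With the previous value of 1 the same construct made `--with bootstrap` switch bootstrapping off, the opposite of what the option name says. rpm's build conditionals avoid both problems: `%bcond_with bootstrap` at the top and `%if %{with bootstrap}` / `%if %{without bootstrap}` at the use sites, which are outside this hunk. The same line is flipped again in PATCH 06/13 and PATCH 07/13, and the point applies there too.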
From 67880f7f5a4b14cd46bb3f1888997a6548c749f6 Mon Sep 17 00:00:00 2001
From: Tomas Tomecek
Date: Thu, 11 May 2017 15:58:04 +0200
Subject: [PATCH 05/13] move nodejs modulemd to modules/nodejs
Signed-off-by: Tomas Tomecek
---
nodejs.yaml | 66 -----------------------------------------------------------------
1 file changed, 66 deletions(-)
delete mode 100644 nodejs.yaml
diff --git a/nodejs.yaml b/nodejs.yaml
deleted file mode 100644
index 5eb4f61..0000000
--- a/nodejs.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-document: modulemd
-version: 1
-data:
- summary: Javascript runtime
- description: Node.js is a platform built on V8 JavaScript Engine for easily building fast, scalable network applications.
- license:
- module: GPLv3
- content:
- - MIT
- - ASL 2.0
- - ISC
- - BSD
- dependencies:
- buildrequires:
- base-runtime: f26
- common-build-dependencies: f26
- common-build-dependencies-bootstrap: f26
- shared-userspace: f26
- requires:
- base-runtime: master
- references:
- community: https://fedoraproject.org/wiki/Modularity
- documentation: https://fedoraproject.org/wiki/Fedora_Packaging_Guidelines_for_Modules
- tracker: https://taiga.fedorainfracloud.org/project/modularity
- profiles:
- default:
- rpms:
- - nodejs
- - npm
- minimal:
- rpms:
- - nodejs
- components:
- rpms:
- nodejs:
- rationale: JavaScript runtime
- ref: f26
- buildorder: 0
- npm:
- rationale: npm package manager
- ref: f26
- buildorder: 1
- # python:
- # rationale: build dependency
- # ref: f26
- # openssl:
- # rationale: build dependency
- # ref: f25
- # #compat-openssl10: f26
- # icu:
- # rationale: build dependency
- # ref: f26
- # libuv:
- # rationale: build dependency
- # ref: f26
- # zlib:
- # rationale: build dependency
- # ref: f26
- # gcc:
- # rationale: build dependency
- # ref: f26
- # #gcc-c++:
- # #rationale: build dependency
- # #ref: f26
- # #systemtap-sdt-devel: f26
- # #ca-certificates: f26
From 982c5528049512b62cee1567eedea2b37941528d Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova Date: Fri, 12 May 2017 13:54:03 +0200 Subject: [PATCH 06/13] Rebuild without bootstrap --- nodejs.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nodejs.spec b/nodejs.spec index 8debc37..2383a44 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,6 +1,6 @@ %global with_debug 1 -%{!?_with_bootstrap: %global bootstrap 1} +%{!?_with_bootstrap: %global bootstrap 0} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -21,7 +21,7 @@ %global nodejs_patch 3 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 2 +%global nodejs_release 3 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h @@ -447,6 +447,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Fri May 12 2017 Zuzana Svetlikova - 1:6.10.3-3 +- Rebuild without bootstrap + * Thu May 11 2017 Zuzana Svetlikova - 1:6.10.3-2 - Provide bundled http-parser in case of boostraping From 8951f328666c0efea558c536758001088cf598dc Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Tue, 6 Jun 2017 14:40:56 +0200 Subject: [PATCH 07/13] Require http-parser-devel, enable bootstrap --- nodejs.spec | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/nodejs.spec b/nodejs.spec index 22129f7..503471e 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,6 +1,6 @@ %global with_debug 1 -%{!?_with_bootstrap: %global bootstrap 0} +%{!?_with_bootstrap: %global bootstrap 1} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -21,7 +21,7 @@ %global nodejs_patch 3 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 2 +%global nodejs_release 3 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h 
@@ -203,6 +203,9 @@ Requires: libuv-devel%{?_isa} Requires: openssl-devel%{?_isa} Requires: zlib-devel%{?_isa} Requires: nodejs-packaging +%if ! 0%{?bootstrap} +Requires: http-parser-devel%{?_isa} +%endif %description devel Development headers for the Node.js JavaScript runtime. @@ -447,6 +450,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Tue Jun 06 2017 Zuzana Svetlikova - 1:6.10.3-3 +- Require http-parser-devel when using system http-parser +- enable bootstraping + * Thu May 11 2017 Zuzana Svetlikova - 1:6.10.3-2 - Provide bundled http-parser in case of boostraping From 8cf702090d039ca8fa20e5ff955f9008b7ff4c62 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 9 Jun 2017 12:59:25 +0200 Subject: [PATCH 08/13] Update to 6.11.0, remove merged system CA patch --- .gitignore | 1 + nodejs.spec | 20 +++++++++----------- sources | 2 +- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index e92f336..863b931 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,4 @@ /node-v6.10.1-stripped.tar.gz /node-v6.10.2-stripped.tar.gz /node-v6.10.3-stripped.tar.gz +/node-v6.11.0-stripped.tar.gz diff --git a/nodejs.spec b/nodejs.spec index 2383a44..b2d14fb 100644 --- a/nodejs.spec +++ b/nodejs.spec 
@@ -17,18 +17,18 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 6 -%global nodejs_minor 10 -%global nodejs_patch 3 +%global nodejs_minor 11 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} -%global nodejs_release 3 +%global nodejs_release 1 # == Bundled Dependency Versions == # v8 - from deps/v8/include/v8-version.h %global v8_major 5 %global v8_minor 1 %global v8_build 281 -%global v8_patch 101 +%global v8_patch 102 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -99,10 +99,6 @@ Patch1: 0001-Disable-running-gyp-files-for-bundled-deps.patch # EPEL only has OpenSSL 1.0.1, so we need to carry a patch on that platform Patch2: 0002-Use-openssl-1.0.1.patch -# use system certificates instead of the bundled ones -# Backported from upstream 7.5.0+ -Patch3: 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch - # Backported upstream patch to allow building with GCC 7 from # https://github.com/nodejs/node/commit/2bbee49e6f170a5d6628444a7c9a2235fe0dd929 Patch4: 0004-Fix-compatibility-with-GCC-7.patch @@ -252,9 +248,6 @@ rm -rf deps/icu-small \ deps/uv \ deps/zlib -# Use system CA certificates -%patch3 -p1 - # Fix GCC7 build %patch4 -p1 @@ -447,6 +440,11 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Fri May 12 2017 Zuzana Svetlikova - 1:6.11.0-1 +- Update to 6.11.0 +- remove system CA patch since it was merged upstream +- https://github.com/nodejs/node/pull/8334 + * Fri May 12 2017 Zuzana Svetlikova - 1:6.10.3-3 - Rebuild without bootstrap diff --git a/sources b/sources index fee1521..77400eb 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (node-v6.10.3-stripped.tar.gz) = 0750e6c1597c2379df59fafb5945d3af7d59f371c7996c56394f0cac5361627cebde3f6e46468ef76b0eb6d242e77538ec0c8136f75b98c140f1c6235df596bd
+SHA512 (node-v6.11.0-stripped.tar.gz) = a23e0d8461dcf87048555d2e4e62c0bacecf6d2a6a8d6d27ed08f6f0911ec31f9a7abc48ab45478eaf3ba6af593714e628a194340168581f2f9c3c8dbf0c7a1d
From 12757baada724c2ddb5f3092fcadac901f38911f Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova
Date: Fri, 9 Jun 2017 14:51:29 +0200
Subject: [PATCH 09/13] Fix spec
---
...em-CAs-instead-of-using-bundled-ones.patch | 84 -------------------
nodejs.spec | 2 +-
2 files changed, 1 insertion(+), 85 deletions(-)
delete mode 100644 0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
diff --git a/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch b/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
deleted file mode 100644
index 8c6db97..0000000
--- a/0003-crypto-Use-system-CAs-instead-of-using-bundled-ones.patch
+++ /dev/null
@@ -1,84 +0,0 @@ -From f1a0660b9186c3f4d55d7c07219126e199c787f9 Mon Sep 17 00:00:00 2001 -From: Adam Majer -Date: Wed, 21 Dec 2016 11:16:38 +0100 -Subject: [PATCH 3/4] crypto: Use system CAs instead of using bundled ones - -NodeJS can already use an external, shared OpenSSL library. This -library knows where to look for OS managed certificates. Allow -a compile-time option to use this CA store by default instead of -using bundled certificates. - -In case when using bundled OpenSSL, the paths are also valid for -majority of Linux systems without additional intervention. If -this is not set, we can use SSL_CERT_DIR to point it to correct -location. - -Fixes: https://github.com/nodejs/node/issues/3159 -PR-URL: https://github.com/nodejs/node/pull/8334 -Reviewed-By: Sam Roberts -Reviewed-By: James M Snell -Reviewed-By: Fedor Indutny ---- - configure | 7 +++++++ - src/node_crypto.cc | 4 ++++ - 2 files changed, 11 insertions(+) - -diff --git a/configure b/configure -index 821b8771bc8909d8453bc31e3c8d8dc65368c0e4..e64bad9a030693b726e0974f48aefa6e1ad87723 100755 ---- a/configure -+++ b/configure -@@ -142,10 +142,15 @@ parser.add_option("--openssl-no-asm", - parser.add_option('--openssl-fips', - action='store', - dest='openssl_fips', - help='Build OpenSSL using FIPS canister .o file in supplied folder') - -+parser.add_option('--openssl-use-def-ca-store', -+ action='store_true', -+ dest='use_openssl_ca_store', -+ help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.') -+ - shared_optgroup.add_option('--shared-http-parser', - action='store_true', - dest='shared_http_parser', - help='link to a shared http_parser DLL instead of static linking') - -@@ -937,10 +942,12 @@ def configure_v8(o): - - def configure_openssl(o): - o['variables']['node_use_openssl'] = b(not options.without_ssl) - o['variables']['node_shared_openssl'] = b(options.shared_openssl) - o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 -+ if options.use_openssl_ca_store: 
-+ o['defines'] += ['NODE_OPENSSL_CERT_STORE'] - if options.openssl_fips: - o['variables']['openssl_fips'] = options.openssl_fips - fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips') - fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld')) - o['make_fips_settings'] = [ -diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index c5630f30d0bef75ced53b36062bb1f0324dbdb9d..873b37d71b51aa62c8ebd56ea5b182567675e2dd 100644 ---- a/src/node_crypto.cc -+++ b/src/node_crypto.cc -@@ -803,14 +803,18 @@ static X509_STORE* NewRootCertStore() { - root_certs_vector->push_back(x509); - } - } - - X509_STORE* store = X509_STORE_new(); -+#if defined(NODE_OPENSSL_CERT_STORE) -+ X509_STORE_set_default_paths(store); -+#else - for (auto& cert : *root_certs_vector) { - X509_up_ref(cert); - X509_STORE_add_cert(store, cert); - } -+#endif - - return store; - } - - --- -2.12.0 - diff --git a/nodejs.spec b/nodejs.spec index b2d14fb..aa28b3f 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -440,7 +440,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog -* Fri May 12 2017 Zuzana Svetlikova - 1:6.11.0-1 +* Fri Jun 09 2017 Zuzana Svetlikova - 1:6.11.0-1 - Update to 6.11.0 - remove system CA patch since it was merged upstream - https://github.com/nodejs/node/pull/8334 From c27e539f1fd9acde3cb3711aaa54d0b4e11a7014 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 14 Jul 2017 10:41:18 +0200 Subject: [PATCH 10/13] Security update --- .gitignore | 1 + nodejs.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 863b931..7739b68 100644 --- a/.gitignore +++ b/.gitignore @@ -68,3 +68,4 @@ /node-v6.10.2-stripped.tar.gz /node-v6.10.3-stripped.tar.gz /node-v6.11.0-stripped.tar.gz +/node-v6.11.1-stripped.tar.gz diff --git a/nodejs.spec b/nodejs.spec index 5c5adac..e8b4c8a 100644 --- a/nodejs.spec +++ b/nodejs.spec 
@@ -18,7 +18,7 @@ %global nodejs_epoch 1 %global nodejs_major 6 %global nodejs_minor 11 -%global nodejs_patch 0 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} %global nodejs_release 1 @@ -28,7 +28,7 @@ %global v8_major 5 %global v8_minor 1 %global v8_build 281 -%global v8_patch 102 +%global v8_patch 103 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -443,6 +443,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Fri Jul 14 2017 Zuzana Svetlikova - 1:6.11.1-1 +- Security update (https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/) + * Fri Jun 09 2017 Zuzana Svetlikova - 1:6.11.0-1 - Update to 6.11.0 - remove system CA patch since it was merged upstream diff --git a/sources b/sources index 77400eb..2573d80 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (node-v6.11.0-stripped.tar.gz) = a23e0d8461dcf87048555d2e4e62c0bacecf6d2a6a8d6d27ed08f6f0911ec31f9a7abc48ab45478eaf3ba6af593714e628a194340168581f2f9c3c8dbf0c7a1d +SHA512 (node-v6.11.1-stripped.tar.gz) = 5b539c43103422c059034f99cdef25dd6556cf0b08d85cea6e8bc74862c944d368455e6139680c8b00e602cbf807533bdabf2dfa43d714c9864ab8c79679b74e From d246c5e67e8912d1a2076cf1403dee4eef4ea394 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Tue, 1 Aug 2017 15:10:35 +0200 Subject: [PATCH 11/13] Update to 6.11.2 --- .gitignore | 1 + nodejs.spec | 14 ++++++-------- sources | 2 +- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 7739b68..a10250b 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,4 @@ /node-v6.10.3-stripped.tar.gz /node-v6.11.0-stripped.tar.gz /node-v6.11.1-stripped.tar.gz +/node-v6.11.2-stripped.tar.gz 
diff --git a/nodejs.spec b/nodejs.spec index e8b4c8a..7481c14 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -18,7 +18,7 @@ %global nodejs_epoch 1 %global nodejs_major 6 %global nodejs_minor 11 -%global nodejs_patch 1 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} %global nodejs_release 1 @@ -99,10 +99,6 @@ Patch1: 0001-Disable-running-gyp-files-for-bundled-deps.patch # EPEL only has OpenSSL 1.0.1, so we need to carry a patch on that platform Patch2: 0002-Use-openssl-1.0.1.patch -# Backported upstream patch to allow building with GCC 7 from -# https://github.com/nodejs/node/commit/2bbee49e6f170a5d6628444a7c9a2235fe0dd929 -Patch4: 0004-Fix-compatibility-with-GCC-7.patch - # RHEL 7 still uses OpenSSL 1.0.1 for now, and it segfaults on SSL # Revert this upstream patch until RHEL 7 upgrades to 1.0.2 Patch5: EPEL01-openssl101-compat.patch @@ -251,9 +247,6 @@ rm -rf deps/icu-small \ deps/uv \ deps/zlib -# Fix GCC7 build -%patch4 -p1 - %if 0%{?epel} %patch2 -p1 %patch5 -p1 @@ -443,6 +436,11 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Tue Aug 01 2917 Zuzana Svetlikova - 1:6.11.2-1 +- Update to 6.11.2 +- https://nodejs.org/en/blog/release/v6.11.2/ +- gcc 7 patch was backported in upstream + * Fri Jul 14 2017 Zuzana Svetlikova - 1:6.11.1-1 - Security update (https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/) diff --git a/sources b/sources index 2573d80..2adcec3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (node-v6.11.1-stripped.tar.gz) = 5b539c43103422c059034f99cdef25dd6556cf0b08d85cea6e8bc74862c944d368455e6139680c8b00e602cbf807533bdabf2dfa43d714c9864ab8c79679b74e +SHA512 (node-v6.11.2-stripped.tar.gz) = 037382205b38d1dd693bc40b9c3d2c66b6c9bf4e635b1caaa11e897eaf4411834ca2132fd9c2113833c67cec8fe0764c6475841b8dc3a7477f535bcf28bbf2dd 
From 61a021e8a041af30a682a51a3fdc17086917752f Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Tue, 1 Aug 2017 15:17:45 +0200 Subject: [PATCH 12/13] Fix typo --- nodejs.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodejs.spec b/nodejs.spec index 7481c14..3190437 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -436,7 +436,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog -* Tue Aug 01 2917 Zuzana Svetlikova - 1:6.11.2-1 +* Tue Aug 01 2017 Zuzana Svetlikova - 1:6.11.2-1 - Update to 6.11.2 - https://nodejs.org/en/blog/release/v6.11.2/ - gcc 7 patch was backported in upstream From 82f6204ba26debbed775b17f61696acaf0eb90b8 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 7 Sep 2017 16:13:03 +0200 Subject: [PATCH 13/13] Update to v6.11.3, remove openssl 1.0.1 patches --- .gitignore | 1 + ...e-running-gyp-files-for-bundled-deps.patch | 10 +- 0002-Use-openssl-1.0.1.patch | 648 ------------------ 0004-Fix-compatibility-with-GCC-7.patch | 112 --- EPEL01-openssl101-compat.patch | 30 - nodejs.spec | 26 +- sources | 2 +- 7 files changed, 14 insertions(+), 815 deletions(-) delete mode 100644 0002-Use-openssl-1.0.1.patch delete mode 100644 0004-Fix-compatibility-with-GCC-7.patch delete mode 100644 EPEL01-openssl101-compat.patch diff --git a/.gitignore b/.gitignore index a10250b..acb9286 100644 --- a/.gitignore +++ b/.gitignore @@ -70,3 +70,4 @@ /node-v6.11.0-stripped.tar.gz /node-v6.11.1-stripped.tar.gz /node-v6.11.2-stripped.tar.gz +/node-v6.11.3-stripped.tar.gz diff --git a/0001-Disable-running-gyp-files-for-bundled-deps.patch b/0001-Disable-running-gyp-files-for-bundled-deps.patch index fe9f854..a97a09a 100644 --- a/0001-Disable-running-gyp-files-for-bundled-deps.patch +++ b/0001-Disable-running-gyp-files-for-bundled-deps.patch 
@@ -1,14 +1,14 @@ -From 54cb96f338bd162dcf1301b7d7a46eea2a56befb Mon Sep 17 00:00:00 2001 +From 8946146b37e4170c406fbdd7c60f1bbb79a9311a Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova -Date: Wed, 22 Mar 2017 19:13:10 +0100 -Subject: [PATCH] Disable running gyp files for bundled deps +Date: Wed, 6 Sep 2017 14:17:21 +0200 +Subject: [PATCH] dont run gyp on shared deps --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index a2b64e63b4..7b0847d1d5 100644 +index 577d0e232a..bb47a1b95e 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,7 @@ $(NODE_G_EXE): config.gypi out/Makefile @@ -21,5 +21,5 @@ index a2b64e63b4..7b0847d1d5 100644 config.gypi: configure -- -2.12.0 +2.14.1 diff --git a/0002-Use-openssl-1.0.1.patch b/0002-Use-openssl-1.0.1.patch deleted file mode 100644 index 4b90ade..0000000 --- a/0002-Use-openssl-1.0.1.patch +++ /dev/null 
@@ -1,648 +0,0 @@ -From 91d1a67b8cc249af59929cd1a76629a2614860bd Mon Sep 17 00:00:00 2001 -From: Haikel Guemar -Date: Tue, 26 Jul 2016 22:50:22 +0200 -Subject: [PATCH 2/4] Use openssl 1.0.1 - -Based on Solaris patches from upstream #2783 -https://github.com/nodejs/node/issues/2783 ---- - doc/api/tls.md | 6 ++ - src/node_constants.cc | 5 ++ - src/node_crypto.cc | 201 ++++++++++++++++++++++++++++++++++++++++++++++---- - src/node_crypto.h | 16 ++++ - src/tls_wrap.cc | 8 ++ - 5 files changed, 223 insertions(+), 13 deletions(-) - -diff --git a/doc/api/tls.md b/doc/api/tls.md -index 3784210ba7b6c046b39d74b45e44538041d35ae2..3c9d72b8d5ef81d15773aed077bd00d2041c9e93 100644 ---- a/doc/api/tls.md -+++ b/doc/api/tls.md -@@ -113,10 +113,16 @@ handshake extensions: - * ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP, - SPDY, HTTP/2) - * SNI - Allows the use of one TLS server for multiple hostnames with different - SSL certificates. - -+ **NOTE**: dueto a design flaw in node **SNI cannot be -+ used on the server side**, even so all parameters in related functions are -+ accepted for compatibility reasons. And thus the related events will not -+ fire unless one aranges this explicitly. This may change, when the OS -+ provides OpenSSL v1.0.2 or better and node gets linked to this version. -+ - *Note*: Use of ALPN is recommended over NPN. The NPN extension has never been - formally defined or documented and generally not recommended for use. 
- - ### Client-initiated renegotiation attack mitigation - -diff --git a/src/node_constants.cc b/src/node_constants.cc -index 2e6be8df37c345a383d8a78898daf2a147d90630..239eadbac8ea8e601745a63347a8bb301c22d1b1 100644 ---- a/src/node_constants.cc -+++ b/src/node_constants.cc -@@ -12,11 +12,14 @@ - #include - #include - #include - - #if HAVE_OPENSSL -+# include -+# ifndef OPENSSL_NO_EC - # include -+# endif - # include - # ifndef OPENSSL_NO_ENGINE - # include - # endif // !OPENSSL_NO_ENGINE - #endif -@@ -974,16 +977,18 @@ void DefineOpenSSLConstants(Local target) { - NODE_DEFINE_CONSTANT(target, RSA_PKCS1_PSS_PADDING); - #endif - - #if HAVE_OPENSSL - // NOTE: These are not defines -+# ifndef OPENSSL_NO_EC - NODE_DEFINE_CONSTANT(target, POINT_CONVERSION_COMPRESSED); - - NODE_DEFINE_CONSTANT(target, POINT_CONVERSION_UNCOMPRESSED); - - NODE_DEFINE_CONSTANT(target, POINT_CONVERSION_HYBRID); - #endif -+#endif - } - - void DefineSystemConstants(Local target) { - // file access modes - NODE_DEFINE_CONSTANT(target, O_RDONLY); -diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 482ec230c0f4500b63b705d705a142e63ff179e5..c5630f30d0bef75ced53b36062bb1f0324dbdb9d 100644 ---- a/src/node_crypto.cc -+++ b/src/node_crypto.cc -@@ -22,10 +22,86 @@ - #include // INT_MAX - #include - #include - #include - -+#ifndef SSL_get_server_tmp_key -+/* -+ 1.0.2 SSL_get_server_tmp_key(s, pk) "backport". BAD HACK!!! -+ NOTE: This imports "foreign" knowledge and thus will break, when SESS_CERT -+ or CERT_PKEY change, which is definitely the case for the later for -+ all OpenSSL lib vers != 1.0.1. So don't try to bind to something else! -+ */ -+# define SSL_PKEY_NUM 8 -+typedef struct cert_pkey_st { -+ X509 *x509; -+ EVP_PKEY *privatekey; -+ /* Digest to use when signing */ -+ const EVP_MD *digest; -+} CERT_PKEY; -+ -+typedef struct sess_cert_st { -+ STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */ -+ /* The 'peer_...' members are used only by clients. 
*/ -+ int peer_cert_type; -+ CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never -+ * NULL!) */ -+ CERT_PKEY peer_pkeys[SSL_PKEY_NUM]; -+ /* -+ * Obviously we don't have the private keys of these, so maybe we -+ * shouldn't even use the CERT_PKEY type here. -+ */ -+# ifndef OPENSSL_NO_RSA -+ RSA *peer_rsa_tmp; /* not used for SSL 2 */ -+# endif -+# ifndef OPENSSL_NO_DH -+ DH *peer_dh_tmp; /* not used for SSL 2 */ -+# endif -+# ifndef OPENSSL_NO_ECDH -+ EC_KEY *peer_ecdh_tmp; -+# endif -+ int references; /* actually always 1 at the moment */ -+} SESS_CERT; -+ -+static long SSL_get_server_tmp_key(SSL *s, void *parg) { -+ if (s->server || !s->session || !s->session->sess_cert) -+ return 0; -+ else { -+ SESS_CERT *sc; -+ EVP_PKEY *ptmp; -+ int rv = 0; -+ sc = s->session->sess_cert; -+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH) -+ if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp) -+ return 0; -+#endif -+ ptmp = EVP_PKEY_new(); -+ if (!ptmp) -+ return 0; -+ if (0) ; -+#ifndef OPENSSL_NO_RSA -+ else if (sc->peer_rsa_tmp) -+ rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp); -+#endif -+#ifndef OPENSSL_NO_DH -+ else if (sc->peer_dh_tmp) -+ rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp); -+#endif -+#ifndef OPENSSL_NO_ECDH -+ else if (sc->peer_ecdh_tmp) -+ rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp); -+#endif -+ if (rv) { -+ *(EVP_PKEY **)parg = ptmp; -+ return 1; -+ } -+ EVP_PKEY_free(ptmp); -+ return 0; -+ } -+} -+#endif /* SSL_get_server_tmp_key */ -+ - #define THROW_AND_RETURN_IF_NOT_STRING_OR_BUFFER(val, prefix) \ - do { \ - if (!Buffer::HasInstance(val) && !val->IsString()) { \ - return env->ThrowTypeError(prefix " must be a string or a buffer"); \ - } \ -@@ -161,11 +237,15 @@ template int SSLWrap::SelectNextProtoCallback( - #ifdef NODE__HAVE_TLSEXT_STATUS_CB - template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg); - #endif - - template void SSLWrap::DestroySSL(); 
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - template int SSLWrap::SSLCertCallback(SSL* s, void* arg); -+#else -+template int SSLWrap::SSLCertCallback(SSL* s, X509 **x509, EVP_PKEY **pkey); -+#endif - template void SSLWrap::WaitForCertCb(CertCb cb, void* arg); - - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation - template int SSLWrap::SelectALPNCallback( - SSL* s, -@@ -281,12 +361,16 @@ void SecureContext::Initialize(Environment* env, Local target) { - env->SetProtoMethod(t, "setCert", SecureContext::SetCert); - env->SetProtoMethod(t, "addCACert", SecureContext::AddCACert); - env->SetProtoMethod(t, "addCRL", SecureContext::AddCRL); - env->SetProtoMethod(t, "addRootCerts", SecureContext::AddRootCerts); - env->SetProtoMethod(t, "setCiphers", SecureContext::SetCiphers); -+#ifndef OPENSSL_NO_ECDH - env->SetProtoMethod(t, "setECDHCurve", SecureContext::SetECDHCurve); -+#endif -+#ifndef OPENSSL_NO_DH - env->SetProtoMethod(t, "setDHParam", SecureContext::SetDHParam); -+#endif - env->SetProtoMethod(t, "setOptions", SecureContext::SetOptions); - env->SetProtoMethod(t, "setSessionIdContext", - SecureContext::SetSessionIdContext); - env->SetProtoMethod(t, "setSessionTimeout", - SecureContext::SetSessionTimeout); -@@ -514,12 +598,24 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, - SSL_CTX_clear_extra_chain_certs(ctx); - - for (int i = 0; i < sk_X509_num(extra_certs); i++) { - X509* ca = sk_X509_value(extra_certs, i); - -- // NOTE: Increments reference count on `ca` -- r = SSL_CTX_add1_chain_cert(ctx, ca); -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ // If ctx->cert->key != NULL create ctx->cert->key->chain if not -+ // already there, push 'ca' to this chain and finally increment the ca -+ // reference count by 1 (this is the diff between *_add1_* and *_add0_* -+ // - the later increments by 0 ;-)) and return 1. Otherwise or if -+ // something fails in between, return 0. 
-+ r = SSL_CTX_add1_chain_cert(ctx, ca); -+#else -+ // Create ctx->extra_certs if not already there, just push 'ca' to this -+ // chain and return 1. If something fails, return 0. -+ // NOTE: 1.0.1- does not support multiple certs having its own chain in -+ // a single context. There is just one: extra_chain! -+ r = SSL_CTX_add_extra_chain_cert(ctx, ca); -+#endif - - if (!r) { - ret = 0; - *issuer = nullptr; - goto end; -@@ -868,10 +964,11 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { - const node::Utf8Value ciphers(args.GetIsolate(), args[0]); - SSL_CTX_set_cipher_list(sc->ctx_, *ciphers); - } - - -+#ifndef OPENSSL_NO_ECDH - void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { - SecureContext* sc; - ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); - Environment* env = sc->env(); - -@@ -895,12 +992,14 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo& args) { - SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE); - SSL_CTX_set_tmp_ecdh(sc->ctx_, ecdh); - - EC_KEY_free(ecdh); - } -+#endif - - -+#ifndef OPENSSL_NO_DH - void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { - SecureContext* sc; - ASSIGN_OR_RETURN_UNWRAP(&sc, args.This()); - Environment* env = sc->env(); - ClearErrorOnReturn clear_error_on_return; -@@ -935,10 +1034,11 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { - DH_free(dh); - - if (!r) - return env->ThrowTypeError("Error setting temp DH parameter"); - } -+#endif - - - void SecureContext::SetOptions(const FunctionCallbackInfo& args) { - SecureContext* sc; - ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); -@@ -1952,10 +2052,11 @@ void SSLWrap::GetEphemeralKeyInfo( - info->Set(env->type_string(), - FIXED_ONE_BYTE_STRING(env->isolate(), "DH")); - info->Set(env->size_string(), - Integer::New(env->isolate(), EVP_PKEY_bits(key))); - break; -+#ifndef OPENSSL_NO_ECDH - case EVP_PKEY_EC: - { - EC_KEY* ec = EVP_PKEY_get1_EC_KEY(key); - int nid = 
EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); - EC_KEY_free(ec); -@@ -1964,10 +2065,11 @@ void SSLWrap::GetEphemeralKeyInfo( - info->Set(env->name_string(), - OneByteString(args.GetIsolate(), OBJ_nid2sn(nid))); - info->Set(env->size_string(), - Integer::New(env->isolate(), EVP_PKEY_bits(key))); - } -+#endif - } - EVP_PKEY_free(key); - } - - return args.GetReturnValue().Set(info); -@@ -2382,11 +2484,16 @@ void SSLWrap::WaitForCertCb(CertCb cb, void* arg) { - cert_cb_arg_ = arg; - } - - - template -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - int SSLWrap::SSLCertCallback(SSL* s, void* arg) { -+#else -+/* NOTE: For now this callback gets usually never called dueto design flaws */ -+int SSLWrap::SSLCertCallback(SSL* s, X509 **x509, EVP_PKEY **pkey) { -+#endif - Base* w = static_cast(SSL_get_app_data(s)); - - if (!w->is_server()) - return 1; - -@@ -2451,23 +2558,57 @@ void SSLWrap::CertCbDone(const FunctionCallbackInfo& args) { - ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As()); - w->sni_context_.Reset(); - w->sni_context_.Reset(env->isolate(), ctx); - - int rv; -+ X509* x509; -+ EVP_PKEY* pkey; -+ STACK_OF(X509)* chain; - - // NOTE: reference count is not increased by this API methods -- X509* x509 = SSL_CTX_get0_certificate(sc->ctx_); -- EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_); -- STACK_OF(X509)* chain; -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ x509 = SSL_CTX_get0_certificate(sc->ctx_); -+ pkey = SSL_CTX_get0_privatekey(sc->ctx_); -+ rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain); -+#else -+ SSL *ssl = SSL_new(sc->ctx_); -+ rv = SSL_CTX_get_extra_chain_certs(sc->ctx_, &chain); -+ if (ssl) { -+ SSL_set_connect_state(ssl); /* just cleanup/reset state - cheap */ -+ x509 = SSL_get_certificate(ssl); -+ SSL_free(ssl); -+ } else { -+ x509 = NULL; -+ pkey = NULL; -+ } -+#endif - -- rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain); -- if (rv) -- rv = SSL_use_certificate(w->ssl_, x509); -- if (rv) -- rv = SSL_use_PrivateKey(w->ssl_, pkey); -- if (rv && chain != nullptr) 
-- rv = SSL_set1_chain(w->ssl_, chain); -+ if (rv) -+ rv = SSL_use_certificate(w->ssl_, x509); -+ if (rv) -+ rv = SSL_use_PrivateKey(w->ssl_, pkey); -+ if (rv && chain != nullptr) { -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ // replaces w->ssl_->cert->key->chain with a copy of the given chain, -+ // which is allowed to be NULL -+ rv = SSL_set1_chain(w->ssl_, chain); -+#else -+ // just replace the extra chain with the given chain - 1.0.1- does not -+ // support chain per cert -+ SSL_CTX_clear_extra_chain_certs(w->ssl_->ctx); -+ if (chain != NULL) { -+ int i; -+ SSL_CTX* ctx = w->ssl_->ctx; -+ for (i = 0; i < sk_X509_num(chain); i++) { -+ // can't do anything: however others might be ok and still -+ // satisfy requirements -+ SSL_CTX_add_extra_chain_cert(ctx, sk_X509_value(chain,i)); -+ } -+ } -+ rv = 1; -+#endif -+ } - if (rv) - rv = w->SetCACerts(sc); - if (!rv) { - unsigned long err = ERR_get_error(); // NOLINT(runtime/int) - if (!err) -@@ -2527,14 +2668,18 @@ void SSLWrap::SetSNIContext(SecureContext* sc) { - } - - - template - int SSLWrap::SetCACerts(SecureContext* sc) { -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_)); - if (err != 1) - return err; -- -+#else -+ // there is no ssl_->cert->verify_store in <= 1.0.1. So no need to: free the -+ // old store, set the new one to it and increment its ref count. -+#endif - STACK_OF(X509_NAME)* list = SSL_dup_CA_list( - SSL_CTX_get_client_CA_list(sc->ctx_)); - - // NOTE: `SSL_set_client_CA_list` takes the ownership of `list` - SSL_set_client_CA_list(ssl_, list); -@@ -2808,11 +2953,15 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) { - - // Server does not need to check the whitelist. 
- SSL* ssl = static_cast( - X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); - -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (SSL_is_server(ssl)) -+#else -+ if (ssl->server) -+#endif - return 1; - - // Client needs to check if the server cert is listed in the - // whitelist when it is issued by the specific rootCAs. - CheckResult ret = CheckWhitelistedServerCert(ctx); -@@ -2891,11 +3040,25 @@ void Connection::New(const FunctionCallbackInfo& args) { - if (is_server) - SSL_set_info_callback(conn->ssl_, SSLInfoCallback); - - InitNPN(sc); - -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - SSL_set_cert_cb(conn->ssl_, SSLWrap::SSLCertCallback, conn); -+#else -+ /* 1.0.1 and less have no general cert callback. The closest for a client is -+ SSL_CTX_set_client_cert_cb(conn->ssl_->ctx, SSLWrap::SSLCertCallback); -+ but on the client it is not needed/used by this implementation. Since this -+ the SSLCertCallback actually calls lib/_tls_wrap.js:oncertcb(), which in -+ turn loadSNI() and this the actual SNICallback of the JSON object, sets -+ the context and finally requestOCSP() and certCbDone(). Not sure, why -+ the SNICallback of the JSON object, doesn't get invoked via -+ SelectSNIContextCallback_() - design flaw because lets do 2 things at once -+ (i.e. do SNICallback and attach the certs ca chain), however, this means -+ no server side support for the SNI TLS/OCSP_state extension anymore. 
-+ */ -+#endif - - #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - if (is_server) { - SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_); - } else if (args[2]->IsString()) { -@@ -4476,10 +4639,11 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { - args.GetReturnValue().Set(vbuf); - delete[] out_value; - } - - -+#ifndef OPENSSL_NO_DH - void DiffieHellman::Initialize(Environment* env, Local target) { - Local t = env->NewFunctionTemplate(New); - - const PropertyAttribute attributes = - static_cast(v8::ReadOnly | v8::DontDelete); -@@ -4877,12 +5041,14 @@ bool DiffieHellman::VerifyContext() { - if (!DH_check(dh, &codes)) - return false; - verifyError_ = codes; - return true; - } -+#endif - - -+#ifndef OPENSSL_NO_ECDH - void ECDH::Initialize(Environment* env, Local target) { - HandleScope scope(env->isolate()); - - Local t = env->NewFunctionTemplate(New); - -@@ -5106,10 +5272,11 @@ void ECDH::SetPrivateKey(const FunctionCallbackInfo& args) { - return env->ThrowError("Failed to set generated public key"); - } - - EC_POINT_free(pub); - } -+#endif - - - void ECDH::SetPublicKey(const FunctionCallbackInfo& args) { - Environment* env = Environment::GetCurrent(args); - -@@ -5659,10 +5826,11 @@ void GetHashes(const FunctionCallbackInfo& args) { - EVP_MD_do_all_sorted(array_push_back, &ctx); - args.GetReturnValue().Set(ctx.arr); - } - - -+# ifndef OPENSSL_NO_EC - void GetCurves(const FunctionCallbackInfo& args) { - Environment* env = Environment::GetCurrent(args); - const size_t num_curves = EC_get_builtin_curves(nullptr, 0); - Local arr = Array::New(env->isolate(), num_curves); - EC_builtin_curve* curves; -@@ -5683,10 +5851,11 @@ void GetCurves(const FunctionCallbackInfo& args) { - free(curves); - } - - args.GetReturnValue().Set(arr); - } -+#endif - - - bool VerifySpkac(const char* data, unsigned int len) { - bool i = 0; - EVP_PKEY* pkey = nullptr; -@@ -5995,12 +6164,16 @@ void InitCrypto(Local target, - - Environment* env = 
Environment::GetCurrent(context); - SecureContext::Initialize(env, target); - Connection::Initialize(env, target); - CipherBase::Initialize(env, target); -+# ifndef OPENSSL_NO_EC - DiffieHellman::Initialize(env, target); -+#endif -+#ifndef OPENSSL_NO_ECDH - ECDH::Initialize(env, target); -+#endif - Hmac::Initialize(env, target); - Hash::Initialize(env, target); - Sign::Initialize(env, target); - Verify::Initialize(env, target); - -@@ -6016,11 +6189,13 @@ void InitCrypto(Local target, - env->SetMethod(target, "randomBytes", RandomBytes); - env->SetMethod(target, "timingSafeEqual", TimingSafeEqual); - env->SetMethod(target, "getSSLCiphers", GetSSLCiphers); - env->SetMethod(target, "getCiphers", GetCiphers); - env->SetMethod(target, "getHashes", GetHashes); -+# ifndef OPENSSL_NO_EC - env->SetMethod(target, "getCurves", GetCurves); -+#endif - env->SetMethod(target, "publicEncrypt", - PublicKeyCipher::Cipher); - env->SetMethod(target, "privateDecrypt", -diff --git a/src/node_crypto.h b/src/node_crypto.h -index 175206c40df58602b0c24d039b8b5a8bb6f56ba3..5ecc43b08d0b4d97311f09271a26f5a735a6e018 100644 ---- a/src/node_crypto.h -+++ b/src/node_crypto.h -@@ -16,12 +16,16 @@ - #include "base-object-inl.h" - - #include "v8.h" - - #include -+# ifndef OPENSSL_NO_EC - #include -+# endif -+# ifndef OPENSSL_NO_ECDH - #include -+# endif - #ifndef OPENSSL_NO_ENGINE - # include - #endif // !OPENSSL_NO_ENGINE - #include - #include -@@ -100,12 +104,16 @@ class SecureContext : public BaseObject { - static void SetCert(const v8::FunctionCallbackInfo& args); - static void AddCACert(const v8::FunctionCallbackInfo& args); - static void AddCRL(const v8::FunctionCallbackInfo& args); - static void AddRootCerts(const v8::FunctionCallbackInfo& args); - static void SetCiphers(const v8::FunctionCallbackInfo& args); -+#ifndef OPENSSL_NO_ECDH - static void SetECDHCurve(const v8::FunctionCallbackInfo& args); -+#endif -+# ifndef OPENSSL_NO_DH - static void SetDHParam(const v8::FunctionCallbackInfo& 
args); -+#endif - static void SetOptions(const v8::FunctionCallbackInfo& args); - static void SetSessionIdContext( - const v8::FunctionCallbackInfo& args); - static void SetSessionTimeout( - const v8::FunctionCallbackInfo& args); -@@ -273,11 +281,15 @@ class SSLWrap { - unsigned char* outlen, - const unsigned char* in, - unsigned int inlen, - void* arg); - static int TLSExtStatusCallback(SSL* s, void* arg); -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - static int SSLCertCallback(SSL* s, void* arg); -+#else -+ static int SSLCertCallback(SSL* s, X509 **x509, EVP_PKEY **pkey); -+#endif - static void SSLGetter(v8::Local property, - const v8::PropertyCallbackInfo& info); - - void DestroySSL(); - void WaitForCertCb(CertCb cb, void* arg); -@@ -635,10 +647,11 @@ class PublicKeyCipher { - EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init, - EVP_PKEY_cipher_t EVP_PKEY_cipher> - static void Cipher(const v8::FunctionCallbackInfo& args); - }; - -+#ifndef OPENSSL_NO_DH - class DiffieHellman : public BaseObject { - public: - ~DiffieHellman() override { - if (dh != nullptr) { - DH_free(dh); -@@ -680,11 +693,13 @@ class DiffieHellman : public BaseObject { - - bool initialised_; - int verifyError_; - DH* dh; - }; -+#endif - -+# ifndef OPENSSL_NO_ECDH - class ECDH : public BaseObject { - public: - ~ECDH() override { - if (key_ != nullptr) - EC_KEY_free(key_); -@@ -717,10 +732,11 @@ class ECDH : public BaseObject { - bool IsKeyValidForCurve(const BIGNUM* private_key); - - EC_KEY* key_; - const EC_GROUP* group_; - }; -+#endif - - bool EntropySource(unsigned char* buffer, size_t length); - #ifndef OPENSSL_NO_ENGINE - void SetEngine(const v8::FunctionCallbackInfo& args); - #endif // !OPENSSL_NO_ENGINE -diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc -index d1b1aeccdd95b00b3fd0421c08fd7816cd70d182..a6e63d7c1ccc81e6f7d782dffe833234b003de15 100644 ---- a/src/tls_wrap.cc -+++ b/src/tls_wrap.cc -@@ -140,11 +140,19 @@ void TLSWrap::InitSSL() { - } - #endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - - 
InitNPN(sc_); - -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L - SSL_set_cert_cb(ssl_, SSLWrap::SSLCertCallback, this); -+#else -+ /* 1.0.1 and less have at most for the client side the function -+ SSL_CTX_set_client_cert_cb(ssl_->ctx, SSLWrap::SSLCertCallback); -+ but on the client it is not needed/used by this implementation. -+ For more info see comments in src/node_crypto.cc Connection::New(). -+ */ -+#endif - - if (is_server()) { - SSL_set_accept_state(ssl_); - } else if (is_client()) { - // Enough space for server response (hello, cert) --- -2.12.0 - diff --git a/0004-Fix-compatibility-with-GCC-7.patch b/0004-Fix-compatibility-with-GCC-7.patch deleted file mode 100644 index 55427f7..0000000 --- a/0004-Fix-compatibility-with-GCC-7.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From a75f63218b84ee508c770391519a13bd400a5003 Mon Sep 17 00:00:00 2001 -From: Ben Noordhuis -Date: Thu, 13 Apr 2017 13:48:01 +0200 -Subject: [PATCH 4/4] v8: fix build errors with g++ 7 - -This is a local patch because upstream fixed it differently by moving -large chunks of code out of objects.h. We cannot easily back-port -those changes due to their size and invasiveness. - -Fixes: https://github.com/nodejs/node/issues/10388 -PR-URL: https://github.com/nodejs/node/pull/12392 -Reviewed-By: Anna Henningsen -Reviewed-By: Benjamin Gruenbaum -Reviewed-By: Daniel Bevenius -Reviewed-By: James M Snell ---- - deps/v8/src/objects-body-descriptors.h | 2 +- - deps/v8/src/objects-inl.h | 21 +++++++++++++++++++++ - deps/v8/src/objects.h | 20 ++++---------------- - 3 files changed, 26 insertions(+), 17 deletions(-) - -diff --git a/deps/v8/src/objects-body-descriptors.h b/deps/v8/src/objects-body-descriptors.h -index 91cb8883be88739eab2b10df71f6f0d08aab436e..a1c3634bd762d7e03b4c87d38aa14a9a3ce318e4 100644 ---- a/deps/v8/src/objects-body-descriptors.h -+++ b/deps/v8/src/objects-body-descriptors.h -@@ -97,11 +97,11 @@ class FixedBodyDescriptor final : public BodyDescriptorBase { - IterateBodyImpl(heap, obj, start_offset, end_offset); - } - - template - static inline void IterateBody(HeapObject* obj, int object_size) { -- IterateBody(obj); -+ IterateBody(obj); - } - }; - - - // This class describes a body of an object of a variable size -diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h -index 11f4d7498d7558f56037483004a3d5839154516b..72208c2f00f4a9ff47ae487fa9a42f8f82cf12ea 100644 ---- a/deps/v8/src/objects-inl.h -+++ b/deps/v8/src/objects-inl.h -@@ -34,10 +34,31 @@ - #include "src/v8memory.h" - - namespace v8 { - namespace internal { - -+template -+uint32_t HashTable::Hash(Key key) { -+ if (Shape::UsesSeed) { -+ return Shape::SeededHash(key, GetHeap()->HashSeed()); -+ } else { -+ return Shape::Hash(key); -+ } -+} -+ -+ -+template -+uint32_t 
HashTable::HashForObject(Key key, -+ Object* object) { -+ if (Shape::UsesSeed) { -+ return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object); -+ } else { -+ return Shape::HashForObject(key, object); -+ } -+} -+ -+ - PropertyDetails::PropertyDetails(Smi* smi) { - value_ = smi->value(); - } - - -diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h -index d1632c9deb298218faea31886ffdb0a8e0201cdc..47b02dadcff9658c9fcfe629e137667015e12079 100644 ---- a/deps/v8/src/objects.h -+++ b/deps/v8/src/objects.h -@@ -3259,26 +3259,14 @@ class HashTableBase : public FixedArray { - - - template - class HashTable : public HashTableBase { - public: -- // Wrapper methods -- inline uint32_t Hash(Key key) { -- if (Shape::UsesSeed) { -- return Shape::SeededHash(key, GetHeap()->HashSeed()); -- } else { -- return Shape::Hash(key); -- } -- } -- -- inline uint32_t HashForObject(Key key, Object* object) { -- if (Shape::UsesSeed) { -- return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object); -- } else { -- return Shape::HashForObject(key, object); -- } -- } -+ // Wrapper methods. Defined in src/objects-inl.h -+ // to break a cycle with src/heap/heap.h. -+ inline uint32_t Hash(Key key); -+ inline uint32_t HashForObject(Key key, Object* object); - - // Returns a new HashTable object. - MUST_USE_RESULT static Handle New( - Isolate* isolate, int at_least_space_for, - MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY, --- -2.12.2 - diff --git a/EPEL01-openssl101-compat.patch b/EPEL01-openssl101-compat.patch deleted file mode 100644 index f419f95..0000000 --- a/EPEL01-openssl101-compat.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-diff -ru a/src/node_crypto.cc b/src/node_crypto.cc
---- a/src/node_crypto.cc 2017-03-31 22:39:56.483283868 +0200
-+++ b/src/node_crypto.cc 2017-03-31 22:45:36.250267750 +0200
-@@ -851,8 +851,6 @@
- }
- }
-
-- // Increment reference count so global store is not deleted along with CTX.
-- X509_STORE_up_ref(root_cert_store);
- SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
- }
-
-diff -ru a/src/node_crypto.h b/src/node_crypto.h
---- a/src/node_crypto.h 2017-03-21 20:43:33.000000000 +0100
-+++ b/src/node_crypto.h 2017-03-31 22:43:15.548183432 +0200
-@@ -145,6 +145,13 @@
- }
-
- env()->isolate()->AdjustAmountOfExternalAllocatedMemory(-kExternalSize);
-+ if (ctx_->cert_store == root_cert_store) {
-+ // SSL_CTX_free() will attempt to free the cert_store as well.
-+ // Since we want our root_cert_store to stay around forever
-+ // we just clear the field. Hopefully OpenSSL will not modify this
-+ // struct in future versions.
-+ ctx_->cert_store = nullptr;
-+ }
- SSL_CTX_free(ctx_);
- if (cert_ != nullptr)
- X509_free(cert_);
-
diff --git a/nodejs.spec b/nodejs.spec
index 3190437..3d96d75 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -18,7 +18,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 6
 %global nodejs_minor 11
-%global nodejs_patch 2
+%global nodejs_patch 3
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release 1
@@ -28,7 +28,7 @@
 %global v8_major 5
 %global v8_minor 1
 %global v8_build 281
-%global v8_patch 103
+%global v8_patch 107
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@@ -96,13 +96,6 @@ Source7: nodejs_native.attr # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-files-for-bundled-deps.patch -# EPEL only has OpenSSL 1.0.1, so we need to carry a patch on that platform -Patch2: 0002-Use-openssl-1.0.1.patch - -# RHEL 7 still uses OpenSSL 1.0.1 for now, and it segfaults on SSL -# Revert this upstream patch until RHEL 7 upgrades to 1.0.2 -Patch5: EPEL01-openssl101-compat.patch - BuildRequires: python-devel BuildRequires: libuv-devel >= 1:1.9.1 Requires: libuv >= 1:1.9.1 @@ -118,15 +111,11 @@ BuildRequires: http-parser-devel >= 2.7.0 Provides: bundled(http-parser) = %{http_parser_version} %endif -%if 0%{?epel} -BuildRequires: openssl-devel >= 1:1.0.1 -%else %if 0%{?fedora} > 25 BuildRequires: compat-openssl10-devel >= 1:1.0.2 %else BuildRequires: openssl-devel >= 1:1.0.2 %endif -%endif # we need the system certificate store when Patch2 is applied Requires: ca-certificates @@ -247,12 +236,6 @@ rm -rf deps/icu-small \ deps/uv \ deps/zlib -%if 0%{?epel} -%patch2 -p1 -%patch5 -p1 -%endif - - %build # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 6 because of incorrect usage of methods on @@ -436,6 +419,11 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules %{buildroot}/%{_bindir}/node - %{_pkgdocdir}/npm/doc %changelog +* Thu Sep 07 2017 Zuzana Svetlikova - 1:6.11.3-1 +- Update to 6.11.3 +- https://nodejs.org/en/blog/release/v6.11.3/ +- remove openssl 1.0.1 patches + * Tue Aug 01 2017 Zuzana Svetlikova - 1:6.11.2-1 - Update to 6.11.2 - https://nodejs.org/en/blog/release/v6.11.2/ diff --git a/sources b/sources index 2adcec3..4174557 100644 --- a/sources +++ b/sources 
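Review bot: The context line `# we need the system certificate store when Patch2 is applied` above `Requires: ca-certificates` in the `@@ -118,15 +111,11 @@` hunk is left stale, because this commit deletes the `Patch2:` declaration and its `%patch2 -p1` application. If the dependency is still required (an earlier commit in this series shows configure being run with `--openssl-use-def-ca-store`, which suggests it is), the comment should give that reason instead, for example `# node is configured with --openssl-use-def-ca-store, so it relies on the system CA bundle`. Left as is, a later cleanup could reasonably drop the Requires together with the orphaned comment, and TLS certificate verification would then have no trust anchors on a minimal install.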
@@ -1 +1 @@
-SHA512 (node-v6.11.2-stripped.tar.gz) = 037382205b38d1dd693bc40b9c3d2c66b6c9bf4e635b1caaa11e897eaf4411834ca2132fd9c2113833c67cec8fe0764c6475841b8dc3a7477f535bcf28bbf2dd
+SHA512 (node-v6.11.3-stripped.tar.gz) = 7e1e60d42d197c4634dd3d79888ea3cffa580bdbb8db1ec359a5d6277504bc013dd22b3a2c33cf957b4a858a3bcdc4e3752ab42b821e3c504887ade40286655a