nodejs: add updated libressl patch.

This commit is contained in:
Enno Boland 2016-03-06 00:29:34 +01:00
parent c1679325a3
commit dec027544b

View file

@ -1,5 +1,5 @@
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 5b36906..8128a46 100644
index 35d5ba3..37081d9 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -165,26 +165,31 @@ function onclienthello(hello) {
@ -98,10 +98,19 @@ index ea5e8fe..995f151 100644
V(code_string, "code") \
V(compare_string, "compare") \
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7911ce9..5cab263 100644
index f0d353f..fcaf77d 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -156,8 +156,6 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
@@ -129,8 +129,6 @@ template class SSLWrap<TLSWrap>;
template void SSLWrap<TLSWrap>::AddMethods(Environment* env,
Local<FunctionTemplate> t);
template void SSLWrap<TLSWrap>::InitNPN(SecureContext* sc);
-template void SSLWrap<TLSWrap>::SetSNIContext(SecureContext* sc);
-template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
SSL* s,
unsigned char* key,
@@ -158,8 +156,6 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
#endif
template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
template void SSLWrap<TLSWrap>::DestroySSL();
@ -110,7 +119,7 @@ index 7911ce9..5cab263 100644
static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
@@ -511,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) {
@@ -513,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) {
}
@ -167,7 +176,7 @@ index 7911ce9..5cab263 100644
goto end;
}
// Note that we must not free r if it was successfully
@@ -550,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -552,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
// Find issuer
if (*issuer != nullptr || X509_check_issued(ca, x) != X509_V_OK)
continue;
@ -187,7 +196,7 @@ index 7911ce9..5cab263 100644
}
// Try getting issuer from a cert store
@@ -564,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -566,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
// no need to free `store`
} else {
// Increment issuer reference count
@ -278,7 +287,7 @@ index 7911ce9..5cab263 100644
return ret;
}
@@ -663,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo<Value>& args) {
@@ -665,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo<Value>& args) {
if (!bio)
return;
@ -295,7 +304,7 @@ index 7911ce9..5cab263 100644
int rv = SSL_CTX_use_certificate_chain(sc->ctx_,
bio,
&sc->cert_,
@@ -944,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
@@ -946,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
PKCS12* p12 = nullptr;
EVP_PKEY* pkey = nullptr;
X509* cert = nullptr;
@ -304,7 +313,7 @@ index 7911ce9..5cab263 100644
char* pass = nullptr;
bool ret = false;
@@ -969,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
@@ -971,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
pass[passlen] = '\0';
}
@ -355,7 +364,7 @@ index 7911ce9..5cab263 100644
PKCS12_free(p12);
BIO_free_all(in);
@@ -1050,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
@@ -1052,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
@ -364,7 +373,7 @@ index 7911ce9..5cab263 100644
}
@@ -1189,7 +1116,6 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) {
@@ -1191,7 +1116,6 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) {
env->SetProtoMethod(t, "verifyError", VerifyError);
env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
env->SetProtoMethod(t, "endParser", EndParser);
@ -372,7 +381,7 @@ index 7911ce9..5cab263 100644
env->SetProtoMethod(t, "renegotiate", Renegotiate);
env->SetProtoMethod(t, "shutdownSSL", Shutdown);
env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
@@ -2078,122 +2004,6 @@ int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) {
@@ -2080,124 +2004,6 @@ int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) {
template <class Base>
@ -463,6 +472,8 @@ index 7911ce9..5cab263 100644
- rv = SSL_use_PrivateKey(w->ssl_, pkey);
- if (rv && chain != nullptr)
- rv = SSL_set1_chain(w->ssl_, chain);
- if (rv)
- rv = w->SetCACerts(sc);
- if (!rv) {
- unsigned long err = ERR_get_error();
- if (!err)
@ -495,7 +506,38 @@ index 7911ce9..5cab263 100644
void SSLWrap<Base>::SSLGetter(Local<String> property,
const PropertyCallbackInfo<Value>& info) {
HandleScope scope(info.GetIsolate());
@@ -2299,10 +2109,6 @@ int Connection::HandleSSLError(const char* func,
@@ -2219,30 +2025,6 @@ void SSLWrap<Base>::DestroySSL() {
}
-template <class Base>
-void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
- InitNPN(sc);
- CHECK_EQ(SSL_set_SSL_CTX(ssl_, sc->ctx_), sc->ctx_);
-
- SetCACerts(sc);
-}
-
-
-template <class Base>
-int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
- if (err != 1)
- return err;
-
- STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
- SSL_CTX_get_client_CA_list(sc->ctx_));
-
- // NOTE: `SSL_set_client_CA_list` takes the ownership of `list`
- SSL_set_client_CA_list(ssl_, list);
- return 1;
-}
-
-
void Connection::OnClientHelloParseEnd(void* arg) {
Connection* conn = static_cast<Connection*>(arg);
@@ -2327,10 +2109,6 @@ int Connection::HandleSSLError(const char* func,
DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
return 0;
@ -506,7 +548,7 @@ index 7911ce9..5cab263 100644
} else if (err == SSL_ERROR_ZERO_RETURN) {
HandleScope scope(ssl_env()->isolate());
@@ -2483,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
@@ -2511,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
SSL* ssl = static_cast<SSL*>(
X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
@ -515,7 +557,7 @@ index 7911ce9..5cab263 100644
return 1;
// Client needs to check if the server cert is listed in the
@@ -2510,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
@@ -2538,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
// Call the SNI callback and use its return value as context
if (!conn->sniObject_.IsEmpty()) {
@ -524,16 +566,20 @@ index 7911ce9..5cab263 100644
Local<Object> sni_obj = PersistentToLocal(env->isolate(),
conn->sniObject_);
@@ -2526,7 +2332,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
@@ -2554,9 +2332,10 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
Local<FunctionTemplate> secure_context_constructor_template =
env->secure_context_constructor_template();
if (secure_context_constructor_template->HasInstance(ret)) {
- conn->sni_context_.Reset(env->isolate(), ret);
+ conn->sniContext_.Reset(env->isolate(), ret);
SecureContext* sc = Unwrap<SecureContext>(ret.As<Object>());
InitNPN(sc);
SSL_set_SSL_CTX(s, sc->ctx_);
@@ -2565,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
- conn->SetSNIContext(sc);
+ InitNPN(sc);
+ SSL_set_SSL_CTX(s, sc->ctx_);
} else {
return SSL_TLSEXT_ERR_NOACK;
}
@@ -2592,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
InitNPN(sc);
@ -543,7 +589,7 @@ index 7911ce9..5cab263 100644
if (is_server) {
SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
diff --git a/src/node_crypto.h b/src/node_crypto.h
index e009fc1..6373fc4 100644
index cb94650..6373fc4 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -179,10 +179,7 @@ class SSLWrap {
@ -588,7 +634,7 @@ index e009fc1..6373fc4 100644
static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -273,12 +263,10 @@ class SSLWrap {
@@ -273,14 +263,10 @@ class SSLWrap {
void* arg);
#endif // OPENSSL_NPN_NEGOTIATED
static int TLSExtStatusCallback(SSL* s, void* arg);
@ -598,10 +644,12 @@ index e009fc1..6373fc4 100644
void DestroySSL();
- void WaitForCertCb(CertCb cb, void* arg);
- void SetSNIContext(SecureContext* sc);
- int SetCACerts(SecureContext* sc);
inline Environment* ssl_env() const {
return env_;
@@ -290,12 +278,6 @@ class SSLWrap {
@@ -292,12 +278,6 @@ class SSLWrap {
SSL* ssl_;
bool session_callbacks_;
bool new_session_wait_;
@ -614,7 +662,7 @@ index e009fc1..6373fc4 100644
ClientHelloParser hello_parser_;
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
@@ -307,10 +289,6 @@ class SSLWrap {
@@ -309,10 +289,6 @@ class SSLWrap {
v8::Persistent<v8::Value> selected_npn_proto_;
#endif // OPENSSL_NPN_NEGOTIATED
@ -625,7 +673,7 @@ index e009fc1..6373fc4 100644
friend class SecureContext;
};
@@ -322,6 +300,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
@@ -324,6 +300,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
~Connection() override {
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
sniObject_.Reset();
@ -633,7 +681,7 @@ index e009fc1..6373fc4 100644
servername_.Reset();
#endif
}
@@ -336,6 +315,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
@@ -338,6 +315,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
v8::Persistent<v8::Object> sniObject_;
@ -642,7 +690,7 @@ index e009fc1..6373fc4 100644
#endif
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index 1bdd4b7..68c98d5 100644
index d7bf4ed..68c98d5 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -141,8 +141,6 @@ void TLSWrap::InitSSL() {
@ -688,7 +736,17 @@ index 1bdd4b7..68c98d5 100644
void TLSWrap::OnClientHelloParseEnd(void* arg) {
TLSWrap* c = static_cast<TLSWrap*>(arg);
c->Cycle();
@@ -889,8 +886,8 @@ void TLSWrap::Initialize(Local<Object> target,
@@ -867,7 +864,8 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg) {
p->sni_context_.Reset(env->isolate(), ctx);
SecureContext* sc = Unwrap<SecureContext>(ctx.As<Object>());
- p->SetSNIContext(sc);
+ InitNPN(sc);
+ SSL_set_SSL_CTX(s, sc->ctx_);
return SSL_TLSEXT_ERR_OK;
}
#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
@@ -888,8 +886,8 @@ void TLSWrap::Initialize(Local<Object> target,
env->SetProtoMethod(t, "start", Start);
env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
@ -741,22 +799,6 @@ index 1148e52..1439862 100644
agent1-verify: agent1-cert.pem ca1-cert.pem
openssl verify -CAfile ca1-cert.pem agent1-cert.pem
diff --git a/test/parallel/test-tls-cnnic-whitelist.js b/test/parallel/test-tls-cnnic-whitelist.js
index 85e1d90..d639dce 100644
--- a/test/parallel/test-tls-cnnic-whitelist.js
+++ b/test/parallel/test-tls-cnnic-whitelist.js
@@ -53,7 +53,10 @@ var testCases = [
port: common.PORT,
rejectUnauthorized: true
},
- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL
+ // returns UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
+ errorCode: 'CERT_UNTRUSTED'
+ //errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
];
diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js
index e9443f4..64b6a6c 100644
--- a/test/parallel/test-tls-ocsp-callback.js
@ -812,3 +854,71 @@ index e9443f4..64b6a6c 100644
-}
-
-runTests(0);
diff --git a/test/parallel/test-tls-sni-option.js b/test/parallel/test-tls-sni-option.js
index 510b929..5b0bd53 100644
--- a/test/parallel/test-tls-sni-option.js
+++ b/test/parallel/test-tls-sni-option.js
@@ -26,8 +26,6 @@ function loadPEM(n) {
var serverOptions = {
key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'),
- requestCert: true,
- rejectUnauthorized: false,
SNICallback: function(servername, callback) {
var context = SNIContexts[servername];
@@ -48,8 +46,7 @@ var serverOptions = {
var SNIContexts = {
'a.example.com': {
key: loadPEM('agent1-key'),
- cert: loadPEM('agent1-cert'),
- ca: [ loadPEM('ca2-cert') ]
+ cert: loadPEM('agent1-cert')
},
'b.example.com': {
key: loadPEM('agent3-key'),
@@ -71,13 +68,6 @@ var clientsOptions = [{
rejectUnauthorized: false
}, {
port: serverPort,
- key: loadPEM('agent4-key'),
- cert: loadPEM('agent4-cert'),
- ca: [loadPEM('ca1-cert')],
- servername: 'a.example.com',
- rejectUnauthorized: false
-}, {
- port: serverPort,
key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'),
ca: [loadPEM('ca2-cert')],
@@ -107,7 +97,7 @@ let serverError;
let clientError;
var server = tls.createServer(serverOptions, function(c) {
- serverResults.push({ sni: c.servername, authorized: c.authorized });
+ serverResults.push(c.servername);
});
server.on('clientError', function(err) {
@@ -154,16 +144,9 @@ function startTest() {
}
process.on('exit', function() {
- assert.deepEqual(serverResults, [
- { sni: 'a.example.com', authorized: false },
- { sni: 'a.example.com', authorized: true },
- { sni: 'b.example.com', authorized: false },
- { sni: 'c.wrong.com', authorized: false },
- null
- ]);
- assert.deepEqual(clientResults, [true, true, true, false, false]);
- assert.deepEqual(clientErrors, [null, null, null, null, 'socket hang up']);
- assert.deepEqual(serverErrors, [
- null, null, null, null, 'Invalid SNI context'
- ]);
+ assert.deepEqual(serverResults, ['a.example.com', 'b.example.com',
+ 'c.wrong.com', null]);
+ assert.deepEqual(clientResults, [true, true, false, false]);
+ assert.deepEqual(clientErrors, [null, null, null, 'socket hang up']);
+ assert.deepEqual(serverErrors, [null, null, null, 'Invalid SNI context']);
});