nodejs: add updated libressl patch.
parent
c1679325a3
commit
dec027544b
1 changed files with 153 additions and 43 deletions
@ -1,5 +1,5 @@
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 5b36906..8128a46 100644
index 35d5ba3..37081d9 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -165,26 +165,31 @@ function onclienthello(hello) {
@ -98,10 +98,19 @@ index ea5e8fe..995f151 100644
V(code_string, "code") \
V(compare_string, "compare") \
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7911ce9..5cab263 100644
index f0d353f..fcaf77d 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -156,8 +156,6 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
@@ -129,8 +129,6 @@ template class SSLWrap<TLSWrap>;
template void SSLWrap<TLSWrap>::AddMethods(Environment* env,
Local<FunctionTemplate> t);
template void SSLWrap<TLSWrap>::InitNPN(SecureContext* sc);
-template void SSLWrap<TLSWrap>::SetSNIContext(SecureContext* sc);
-template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
SSL* s,
unsigned char* key,
@@ -158,8 +156,6 @@ template int SSLWrap<TLSWrap>::SelectNextProtoCallback(
#endif
template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg);
template void SSLWrap<TLSWrap>::DestroySSL();
@ -110,7 +119,7 @@ index 7911ce9..5cab263 100644
static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
@@ -511,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) {
@@ -513,35 +509,45 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) {
}
@ -167,7 +176,7 @@ index 7911ce9..5cab263 100644
goto end;
}
// Note that we must not free r if it was successfully
@@ -550,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -552,9 +558,18 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
// Find issuer
if (*issuer != nullptr || X509_check_issued(ca, x) != X509_V_OK)
continue;
@ -187,7 +196,7 @@ index 7911ce9..5cab263 100644
}
// Try getting issuer from a cert store
@@ -564,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -566,88 +581,13 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
// no need to free `store`
} else {
// Increment issuer reference count
@ -278,7 +287,7 @@ index 7911ce9..5cab263 100644
return ret;
}
@@ -663,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo<Value>& args) {
@@ -665,16 +605,6 @@ void SecureContext::SetCert(const FunctionCallbackInfo<Value>& args) {
if (!bio)
return;
@ -295,7 +304,7 @@ index 7911ce9..5cab263 100644
int rv = SSL_CTX_use_certificate_chain(sc->ctx_,
bio,
&sc->cert_,
@@ -944,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
@@ -946,7 +876,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
PKCS12* p12 = nullptr;
EVP_PKEY* pkey = nullptr;
X509* cert = nullptr;
@ -304,7 +313,7 @@ index 7911ce9..5cab263 100644
char* pass = nullptr;
bool ret = false;
@@ -969,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
@@ -971,33 +901,28 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
pass[passlen] = '\0';
}
@ -355,7 +364,7 @@ index 7911ce9..5cab263 100644
PKCS12_free(p12);
BIO_free_all(in);
@@ -1050,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
@@ -1052,7 +977,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
@ -364,7 +373,7 @@ index 7911ce9..5cab263 100644
}
@@ -1189,7 +1116,6 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) {
@@ -1191,7 +1116,6 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) {
env->SetProtoMethod(t, "verifyError", VerifyError);
env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
env->SetProtoMethod(t, "endParser", EndParser);
@ -372,7 +381,7 @@ index 7911ce9..5cab263 100644
env->SetProtoMethod(t, "renegotiate", Renegotiate);
env->SetProtoMethod(t, "shutdownSSL", Shutdown);
env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
@@ -2078,122 +2004,6 @@ int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) {
@@ -2080,124 +2004,6 @@ int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) {
template <class Base>
@ -463,6 +472,8 @@ index 7911ce9..5cab263 100644
- rv = SSL_use_PrivateKey(w->ssl_, pkey);
- if (rv && chain != nullptr)
- rv = SSL_set1_chain(w->ssl_, chain);
- if (rv)
- rv = w->SetCACerts(sc);
- if (!rv) {
- unsigned long err = ERR_get_error();
- if (!err)
@ -495,7 +506,38 @@ index 7911ce9..5cab263 100644
void SSLWrap<Base>::SSLGetter(Local<String> property,
const PropertyCallbackInfo<Value>& info) {
HandleScope scope(info.GetIsolate());
@@ -2299,10 +2109,6 @@ int Connection::HandleSSLError(const char* func,
@@ -2219,30 +2025,6 @@ void SSLWrap<Base>::DestroySSL() {
}
-template <class Base>
-void SSLWrap<Base>::SetSNIContext(SecureContext* sc) {
- InitNPN(sc);
- CHECK_EQ(SSL_set_SSL_CTX(ssl_, sc->ctx_), sc->ctx_);
-
- SetCACerts(sc);
-}
-
-
-template <class Base>
-int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
- if (err != 1)
- return err;
-
- STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
- SSL_CTX_get_client_CA_list(sc->ctx_));
-
- // NOTE: `SSL_set_client_CA_list` takes the ownership of `list`
- SSL_set_client_CA_list(ssl_, list);
- return 1;
-}
-
-
void Connection::OnClientHelloParseEnd(void* arg) {
Connection* conn = static_cast<Connection*>(arg);
@@ -2327,10 +2109,6 @@ int Connection::HandleSSLError(const char* func,
DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
return 0;
@ -506,7 +548,7 @@ index 7911ce9..5cab263 100644
} else if (err == SSL_ERROR_ZERO_RETURN) {
HandleScope scope(ssl_env()->isolate());
@@ -2483,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
@@ -2511,7 +2289,7 @@ inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
SSL* ssl = static_cast<SSL*>(
X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
@ -515,7 +557,7 @@ index 7911ce9..5cab263 100644
return 1;
// Client needs to check if the server cert is listed in the
@@ -2510,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
@@ -2538,7 +2316,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
// Call the SNI callback and use its return value as context
if (!conn->sniObject_.IsEmpty()) {
@ -524,16 +566,20 @@ index 7911ce9..5cab263 100644
Local<Object> sni_obj = PersistentToLocal(env->isolate(),
conn->sniObject_);
@@ -2526,7 +2332,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
@@ -2554,9 +2332,10 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) {
Local<FunctionTemplate> secure_context_constructor_template =
env->secure_context_constructor_template();
if (secure_context_constructor_template->HasInstance(ret)) {
- conn->sni_context_.Reset(env->isolate(), ret);
+ conn->sniContext_.Reset(env->isolate(), ret);
SecureContext* sc = Unwrap<SecureContext>(ret.As<Object>());
InitNPN(sc);
SSL_set_SSL_CTX(s, sc->ctx_);
@@ -2565,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
- conn->SetSNIContext(sc);
+ InitNPN(sc);
+ SSL_set_SSL_CTX(s, sc->ctx_);
} else {
return SSL_TLSEXT_ERR_NOACK;
}
@@ -2592,8 +2371,6 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
InitNPN(sc);
@ -543,7 +589,7 @@ index 7911ce9..5cab263 100644
if (is_server) {
SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
diff --git a/src/node_crypto.h b/src/node_crypto.h
index e009fc1..6373fc4 100644
index cb94650..6373fc4 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -179,10 +179,7 @@ class SSLWrap {
@ -588,7 +634,7 @@ index e009fc1..6373fc4 100644
static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -273,12 +263,10 @@ class SSLWrap {
@@ -273,14 +263,10 @@ class SSLWrap {
void* arg);
#endif // OPENSSL_NPN_NEGOTIATED
static int TLSExtStatusCallback(SSL* s, void* arg);
@ -598,10 +644,12 @@ index e009fc1..6373fc4 100644
void DestroySSL();
- void WaitForCertCb(CertCb cb, void* arg);
- void SetSNIContext(SecureContext* sc);
- int SetCACerts(SecureContext* sc);
inline Environment* ssl_env() const {
return env_;
@@ -290,12 +278,6 @@ class SSLWrap {
@@ -292,12 +278,6 @@ class SSLWrap {
SSL* ssl_;
bool session_callbacks_;
bool new_session_wait_;
@ -614,7 +662,7 @@ index e009fc1..6373fc4 100644
ClientHelloParser hello_parser_;
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
@@ -307,10 +289,6 @@ class SSLWrap {
@@ -309,10 +289,6 @@ class SSLWrap {
v8::Persistent<v8::Value> selected_npn_proto_;
#endif // OPENSSL_NPN_NEGOTIATED
@ -625,7 +673,7 @@ index e009fc1..6373fc4 100644
friend class SecureContext;
};
@@ -322,6 +300,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
@@ -324,6 +300,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
~Connection() override {
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
sniObject_.Reset();
@ -633,7 +681,7 @@ index e009fc1..6373fc4 100644
servername_.Reset();
#endif
}
@@ -336,6 +315,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
@@ -338,6 +315,7 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
v8::Persistent<v8::Object> sniObject_;
@ -642,7 +690,7 @@ index e009fc1..6373fc4 100644
#endif
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index 1bdd4b7..68c98d5 100644
index d7bf4ed..68c98d5 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -141,8 +141,6 @@ void TLSWrap::InitSSL() {
@ -688,7 +736,17 @@ index 1bdd4b7..68c98d5 100644
void TLSWrap::OnClientHelloParseEnd(void* arg) {
TLSWrap* c = static_cast<TLSWrap*>(arg);
c->Cycle();
@@ -889,8 +886,8 @@ void TLSWrap::Initialize(Local<Object> target,
@@ -867,7 +864,8 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg) {
p->sni_context_.Reset(env->isolate(), ctx);
SecureContext* sc = Unwrap<SecureContext>(ctx.As<Object>());
- p->SetSNIContext(sc);
+ InitNPN(sc);
+ SSL_set_SSL_CTX(s, sc->ctx_);
return SSL_TLSEXT_ERR_OK;
}
#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
@@ -888,8 +886,8 @@ void TLSWrap::Initialize(Local<Object> target,
env->SetProtoMethod(t, "start", Start);
env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
@ -741,22 +799,6 @@ index 1148e52..1439862 100644
agent1-verify: agent1-cert.pem ca1-cert.pem
openssl verify -CAfile ca1-cert.pem agent1-cert.pem
diff --git a/test/parallel/test-tls-cnnic-whitelist.js b/test/parallel/test-tls-cnnic-whitelist.js
index 85e1d90..d639dce 100644
--- a/test/parallel/test-tls-cnnic-whitelist.js
+++ b/test/parallel/test-tls-cnnic-whitelist.js
@@ -53,7 +53,10 @@ var testCases = [
port: common.PORT,
rejectUnauthorized: true
},
- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL
+ // returns UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
+ errorCode: 'CERT_UNTRUSTED'
+ //errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
];
diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js
index e9443f4..64b6a6c 100644
--- a/test/parallel/test-tls-ocsp-callback.js
@ -812,3 +854,71 @@ index e9443f4..64b6a6c 100644
-}
-
-runTests(0);
diff --git a/test/parallel/test-tls-sni-option.js b/test/parallel/test-tls-sni-option.js
index 510b929..5b0bd53 100644
--- a/test/parallel/test-tls-sni-option.js
+++ b/test/parallel/test-tls-sni-option.js
@@ -26,8 +26,6 @@ function loadPEM(n) {
var serverOptions = {
key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'),
- requestCert: true,
- rejectUnauthorized: false,
SNICallback: function(servername, callback) {
var context = SNIContexts[servername];
@@ -48,8 +46,7 @@ var serverOptions = {
var SNIContexts = {
'a.example.com': {
key: loadPEM('agent1-key'),
- cert: loadPEM('agent1-cert'),
- ca: [ loadPEM('ca2-cert') ]
+ cert: loadPEM('agent1-cert')
},
'b.example.com': {
key: loadPEM('agent3-key'),
@@ -71,13 +68,6 @@ var clientsOptions = [{
rejectUnauthorized: false
}, {
port: serverPort,
- key: loadPEM('agent4-key'),
- cert: loadPEM('agent4-cert'),
- ca: [loadPEM('ca1-cert')],
- servername: 'a.example.com',
- rejectUnauthorized: false
-}, {
- port: serverPort,
key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'),
ca: [loadPEM('ca2-cert')],
@@ -107,7 +97,7 @@ let serverError;
let clientError;
var server = tls.createServer(serverOptions, function(c) {
- serverResults.push({ sni: c.servername, authorized: c.authorized });
+ serverResults.push(c.servername);
});
server.on('clientError', function(err) {
@@ -154,16 +144,9 @@ function startTest() {
}
process.on('exit', function() {
- assert.deepEqual(serverResults, [
- { sni: 'a.example.com', authorized: false },
- { sni: 'a.example.com', authorized: true },
- { sni: 'b.example.com', authorized: false },
- { sni: 'c.wrong.com', authorized: false },
- null
- ]);
- assert.deepEqual(clientResults, [true, true, true, false, false]);
- assert.deepEqual(clientErrors, [null, null, null, null, 'socket hang up']);
- assert.deepEqual(serverErrors, [
- null, null, null, null, 'Invalid SNI context'
- ]);
+ assert.deepEqual(serverResults, ['a.example.com', 'b.example.com',
+ 'c.wrong.com', null]);
+ assert.deepEqual(clientResults, [true, true, false, false]);
+ assert.deepEqual(clientErrors, [null, null, null, 'socket hang up']);
+ assert.deepEqual(serverErrors, [null, null, null, 'Invalid SNI context']);
});
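Review bot: Replacing `p->SetSNIContext(sc);` with `InitNPN(sc); SSL_set_SSL_CTX(s, sc->ctx_);` in TLSWrap::SelectSNIContextCallback (and the same substitution in Connection::SelectSNIContextCallback_) silently drops the `SetCACerts(sc)` step that the removed `SSLWrap<Base>::SetSNIContext` performed, so the SNI-selected SecureContext's verify cert store and client CA list are no longer installed on the connection after the context switch. The test-tls-sni-option.js hunks remove `requestCert: true`, the per-context `ca:` entries and every `authorized:` expectation, which reads as the test being narrowed to the reduced behaviour rather than the behaviour being preserved; presumably `SSL_set1_verify_cert_store` is what is unavailable under LibreSSL, but the patch nowhere says so. Both call sites should carry a comment stating the limitation, e.g. `// LibreSSL build: the SNI context's CA store and client CA list are not applied here; client certificates verify against the default context (SetCACerts removed).`, so that anyone enabling requestCert with per-SNI CAs on this build knows the check is not in effect. As a smaller point, the `//errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'` line left in test-tls-cnnic-whitelist.js is dead code now that the comment above it records the OpenSSL value and should be deleted. Both SNI callback functions begin outside their hunks.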