File 8334.diff of Package nodejs4.3534
Author: Adam Majer <amajer@suse.de>
Summary: Add compile time option to use system CA store instead of bundled ones
diff --git a/configure b/configure
index 42dac5f..0dd5fd4 100755
--- a/configure
+++ b/configure
@@ -187,6 +187,11 @@ shared_optgroup.add_option('--shared-openssl-libpath',
     dest='shared_openssl_libpath',
     help='a directory to search for the shared OpenSSL DLLs')
 
+shared_optgroup.add_option('--use-system-ca-store',
+    action='store_true',
+    dest='use_system_ca_store',
+    help='use system supplied Root CA store instead of bundled copy')
+
 shared_optgroup.add_option('--shared-zlib',
     action='store_true',
     dest='shared_zlib',
@@ -905,6 +910,8 @@ def configure_openssl(o):
   o['variables']['node_use_openssl'] = b(not options.without_ssl)
   o['variables']['node_shared_openssl'] = b(options.shared_openssl)
   o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+  if options.use_system_ca_store:
+    o['defines'] += ['NODE_SYSTEM_CERT_STORE']
   if options.openssl_fips:
     o['variables']['openssl_fips'] = options.openssl_fips
     fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 9cf216f..ec7f7d2 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
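Review bot: The help text of `--use-system-ca-store` promises the "system supplied Root CA store", but what the flag turns on (in the node_crypto.cc hunk) is `SSL_CTX_set_default_verify_paths`, whose locations are the compiled-in defaults of whichever OpenSSL is linked plus the `SSL_CERT_DIR`/`SSL_CERT_FILE` environment overrides; with the bundled `deps/openssl` those defaults may not be the distribution's store at all, so the option is presumably only meaningful together with `--shared-openssl`. Consider saying so in the help string, e.g. `help='use the OpenSSL default certificate paths (the system Root CA store with --shared-openssl) instead of the bundled copy'`, or having configure warn when `use_system_ca_store` is set without `shared_openssl`. Either way the trust anchors now depend on the build environment and the process environment, which is worth a sentence in the option's help for anyone packaging this.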
@@ -751,6 +751,23 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
   CHECK_EQ(sc->ca_store_, nullptr);
 
   if (!root_cert_store) {
+#if defined(NODE_SYSTEM_CERT_STORE)
+    // *Assume* OpenSSL is setup correctly, which is the case
+    // for distribution supplied versions.
+    //
+    // If this does not work, define SSL_CERT_DIR environment
+    if (SSL_CTX_set_default_verify_paths(sc->ctx_)) {
+      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+      // root_cert_store created here is already assigned to the SSL_CTX
+      // so when it is assigned again below, the reference is dropped by 1
+      // and then we will delete root store with the SSL_CTX deletion.
+      // Increase references to 2 to avoid this scenario.
+      CRYPTO_add(&root_cert_store->references, 1, CRYPTO_LOCK_X509_STORE);
+    } else {
+      // failed to load, default to nothing
+      root_cert_store = X509_STORE_new();
+    }
+#else /* Use supplied certificates */
     root_cert_store = X509_STORE_new();
 
     for (size_t i = 0; i < arraysize(root_certs); i++) {
@@ -770,9 +787,12 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
       BIO_free_all(bp);
       X509_free(x509);
     }
+#endif // defined(USE_SYSTEM_CERTIFICATE_STORE)
   }
 
   sc->ca_store_ = root_cert_store;
+  // increment reference count so global store is not deleted along with CTX
+  CRYPTO_add(&root_cert_store->references, 1, CRYPTO_LOCK_X509_STORE);
   SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
 }
 
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 24ac773..fd3e2ce 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
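Review bot: The `else` branch after `SSL_CTX_set_default_verify_paths` installs an empty `X509_STORE_new()` store silently, so from then on every verification in the process fails with an issuer-lookup error and nothing points at the misconfigured CA path; failing closed is the right outcome, but the failure should be visible, and the OpenSSL error queue the failed call leaves behind should be drained so its entries are not reported by the next unrelated SSL call on this thread. Suggest adding `ERR_clear_error();` to that branch together with a one-line diagnostic on stderr, and widening the comment to name both overrides: `// If this does not work, set SSL_CERT_DIR and/or SSL_CERT_FILE in the environment`. Whether anything further down the file already clears the queue before the next `SSL_*` call cannot be seen from this hunk. AddRootCerts starts before the hunk.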
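Review bot: The `#endif` comment names `USE_SYSTEM_CERTIFICATE_STORE`, but the guard opened in the previous hunk is `#if defined(NODE_SYSTEM_CERT_STORE)`; change it to `#endif  // defined(NODE_SYSTEM_CERT_STORE)` so the two ends of a block some thirty lines apart agree. The ownership argument is now split across two `CRYPTO_add` calls and the removal of the `ctx_->cert_store = nullptr` workaround in node_crypto.h, and deserves one comment at the global store's declaration: in the system-store path the count is raised twice and, assuming `SSL_CTX_set_cert_store` frees the store it replaces (here the same object) and `SSL_CTX_free` drops one more, exactly one reference is left for the global; for every later context it is +1 here and -1 in `SSL_CTX_free`. Note that `CRYPTO_add(&root_cert_store->references, ...)` reaches into the struct, which only works on the OpenSSL 1.0 API (the type is opaque from 1.1.0 on, where `X509_STORE_up_ref()` is the equivalent), so a rebase of this package onto a newer OpenSSL will have to revisit both calls. AddRootCerts starts before the hunk.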
@@ -142,13 +142,6 @@ class SecureContext : public BaseObject {
   void FreeCTXMem() {
     if (ctx_) {
       env()->isolate()->AdjustAmountOfExternalAllocatedMemory(-kExternalSize);
-      if (ctx_->cert_store == root_cert_store) {
-        // SSL_CTX_free() will attempt to free the cert_store as well.
-        // Since we want our root_cert_store to stay around forever
-        // we just clear the field. Hopefully OpenSSL will not modify this
-        // struct in future versions.
-        ctx_->cert_store = nullptr;
-      }
       SSL_CTX_free(ctx_);
       if (cert_ != nullptr)
         X509_free(cert_);