authorChen, Chih-Chia <pigfoot@gmail.com>2018-07-20 10:48:36 +0800
committerChen, Chih-Chia <pigfoot@gmail.com>2018-07-20 10:48:36 +0800
commitcd3009867c65fea16f9029409d46edb3b25bcd6a (patch)
tree362892011fc4dfd9f420648c267ef212ce8b6098
parentFIX #1 (diff)
downloadpigfoot-cd3009867c65fea16f9029409d46edb3b25bcd6a.tar.gz
pigfoot-cd3009867c65fea16f9029409d46edb3b25bcd6a.tar.bz2
pigfoot-cd3009867c65fea16f9029409d46edb3b25bcd6a.zip
Add net-libs/nodejs (libressl)
-rw-r--r--net-libs/nodejs/Manifest2
-rw-r--r--net-libs/nodejs/files/gentoo-global-npm-config.patch40
-rw-r--r--net-libs/nodejs/files/nodejs-4.6.1-libressl.patch587
-rw-r--r--net-libs/nodejs/files/nodejs-8.1.0-libressl.patch697
-rw-r--r--net-libs/nodejs/files/nodejs-8.1.1-libressl.patch697
-rw-r--r--net-libs/nodejs/files/nodejs-8.11.1-libressl.patch894
-rw-r--r--net-libs/nodejs/nodejs-6.11.5.ebuild196
-rw-r--r--net-libs/nodejs/nodejs-8.11.1.ebuild208
8 files changed, 3321 insertions, 0 deletions
diff --git a/net-libs/nodejs/Manifest b/net-libs/nodejs/Manifest
new file mode 100644
index 0000000..68b917e
--- /dev/null
+++ b/net-libs/nodejs/Manifest
@@ -0,0 +1,2 @@
+DIST node-v6.11.5.tar.xz 15699404 BLAKE2B ba2df91bf5ef38cedb60b42919cf56f16807e619a81876fc92a5741e49da7ec91c4239d00f549c5e80d0bb8282bb9b396dd984507916cd18d61b403a3a7cef94 SHA512 62490725ef7957294c1bddf21ef0626c7472876791210168116501255ecee58457e9de9b044e10033706243299bbfd1495efeca169596fbf26f5eeba6d8fa4c9
+DIST node-v8.11.1.tar.xz 18279516 BLAKE2B b06f31571c93455d16899e3ba57d1e5835951be7a644fafbfcac9cce1bf33ed8ca47929e0a5d0df72034a6c2b967c578e3c78a2ed27ba85e41c4af1de2307293 SHA512 0ca0dead15a1623ece7f972d420dec623141a795ddd984c32ce7e92ae32ead97bb0153ebd8c1c249b91a1bd6efcef7fb313105455f66d4d181473153c4e0736f
diff --git a/net-libs/nodejs/files/gentoo-global-npm-config.patch b/net-libs/nodejs/files/gentoo-global-npm-config.patch
new file mode 100644
index 0000000..e7346b8
--- /dev/null
+++ b/net-libs/nodejs/files/gentoo-global-npm-config.patch
@@ -0,0 +1,40 @@
+commit 46ac7cd4229eac5e0182ab62b7ed844c24a8c52e
+Author: Johan Bergström <bugs@bergstroem.nu>
+Date: Wed Feb 10 22:45:59 2016 +1100
+
+ npm: set global config folder to /etc/npm
+
+ npm previously assumed that the global config path would be
+ based on $prefix/etc. Since gentoo installs nodejs into /usr,
+ this means we're also creating /usr/etc which is less desirable.
+
+ This patch will likely never go upstream.
+
+diff --git a/deps/npm/lib/config/core.js b/deps/npm/lib/config/core.js
+index d1306eb..bd2ef89 100644
+--- a/deps/npm/lib/config/core.js
++++ b/deps/npm/lib/config/core.js
+@@ -150,16 +150,14 @@ function load_ (builtin, rc, cli, cb) {
+ // Eg, `npm config get globalconfig --prefix ~/local` should
+ // return `~/local/etc/npmrc`
+ // annoying humans and their expectations!
+- if (conf.get('prefix')) {
+- var etc = path.resolve(conf.get('prefix'), 'etc')
+- mkdirp(etc, function () {
+- defaults.globalconfig = path.resolve(etc, 'npmrc')
+- defaults.globalignorefile = path.resolve(etc, 'npmignore')
+- afterUserContinuation()
+- })
+- } else {
++
++ // gentoo deviates wrt global config; store in /etc/npm
++ var globalconfig = path.resolve('/etc', 'npm')
++ mkdirp(globalconfig, function () {
++ defaults.globalconfig = path.resolve(globalconfig, 'npmrc')
++ defaults.globalignorefile = path.resolve(globalconfig, 'npmignore')
+ afterUserContinuation()
+- }
++ })
+ }
+
+ function afterUserContinuation () {
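Review bot: The context comment kept above the new block still says `npm config get globalconfig --prefix ~/local` should return `~/local/etc/npmrc`, but after this change `globalconfig` is always `/etc/npm/npmrc` and `--prefix` no longer influences it. I would replace the `// gentoo deviates wrt global config; store in /etc/npm` line with `// Gentoo: global config always lives in /etc/npm, regardless of --prefix; the example above no longer applies`. The `mkdirp` callback also takes no error argument, so when npm runs as an unprivileged user the failure to create `/etc/npm` is dropped silently (the removed code did the same for `$prefix/etc`). Shipping the directory from the package would likely be more predictable than creating it at runtime, though the ebuild is not visible in this part of the page. The body of `load_` starts and ends outside the hunk.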
diff --git a/net-libs/nodejs/files/nodejs-4.6.1-libressl.patch b/net-libs/nodejs/files/nodejs-4.6.1-libressl.patch
new file mode 100644
index 0000000..6cdb715
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-4.6.1-libressl.patch
@@ -0,0 +1,587 @@
+diff -Naur node-v4.6.1.orig/lib/_tls_wrap.js node-v4.6.1/lib/_tls_wrap.js
+--- node-v4.6.1.orig/lib/_tls_wrap.js 2017-04-12 12:40:43.517228944 -0700
++++ node-v4.6.1/lib/_tls_wrap.js 2017-04-12 12:49:51.155877106 -0700
+@@ -165,30 +165,33 @@
+ if (err)
+ return self.destroy(err);
+
+- self._handle.endParser();
+- });
+-}
+-
+-
+-function oncertcb(info) {
+- var self = this;
+- var servername = info.servername;
+-
+- loadSNI(self, servername, function(err, ctx) {
+- if (err)
+- return self.destroy(err);
+- requestOCSP(self, info, ctx, function(err) {
++ // Servername came from SSL session
++ // NOTE: TLS Session ticket doesn't include servername information
++ //
++ // Another note, From RFC3546:
++ //
++ // If, on the other hand, the older
++ // session is resumed, then the server MUST ignore extensions appearing
++ // in the client hello, and send a server hello containing no
++ // extensions; in this case the extension functionality negotiated
++ // during the original session initiation is applied to the resumed
++ // session.
++ //
++ // Therefore we should account session loading when dealing with servername
++ var servername = session && session.servername || hello.servername;
++ loadSNI(self, servername, function(err, ctx) {
+ if (err)
+ return self.destroy(err);
+
+- if (!self._handle)
+- return self.destroy(new Error('Socket is closed'));
++ requestOCSP(self, info, ctx, function(err) {
++ if (err)
++ return self.destroy(err);
++
++ if (!self._handle)
++ return self.destroy(new Error('Socket is closed'));
+
+- try {
+- self._handle.certCbDone();
+- } catch (e) {
+- self.destroy(e);
+- }
++ self._handle.endParser();
++ });
+ });
+ });
+ }
+@@ -410,18 +413,15 @@
+ ssl.onhandshakestart = () => onhandshakestart.call(this);
+ ssl.onhandshakedone = () => onhandshakedone.call(this);
+ ssl.onclienthello = (hello) => onclienthello.call(this, hello);
+- ssl.oncertcb = (info) => oncertcb.call(this, info);
+ ssl.onnewsession = (key, session) => onnewsession.call(this, key, session);
+ ssl.lastHandshakeTime = 0;
+ ssl.handshakes = 0;
+
+- if (this.server) {
+- if (this.server.listenerCount('resumeSession') > 0 ||
+- this.server.listenerCount('newSession') > 0) {
+- ssl.enableSessionCallbacks();
+- }
+- if (this.server.listenerCount('OCSPRequest') > 0)
+- ssl.enableCertCb();
++ if (this.server &&
++ (this.server.listenerCount('resumeSession') > 0 ||
++ this.server.listenerCount('newSession') > 0 ||
++ this.server.listenerCount('OCSPRequest') > 0)) {
++ ssl.enableSessionCallbacks();
+ }
+ } else {
+ ssl.onhandshakestart = function() {};
+@@ -463,7 +463,7 @@
+ options.server._contexts.length)) {
+ assert(typeof options.SNICallback === 'function');
+ this._SNICallback = options.SNICallback;
+- ssl.enableCertCb();
++ ssl.enableHelloParser();
+ }
+
+ if (process.features.tls_npn && options.NPNProtocols)
+diff -Naur node-v4.6.1.orig/src/env.h node-v4.6.1/src/env.h
+--- node-v4.6.1.orig/src/env.h 2017-04-12 12:40:43.536229174 -0700
++++ node-v4.6.1/src/env.h 2017-04-12 12:50:02.055009418 -0700
+@@ -57,7 +57,6 @@
+ V(bytes_read_string, "bytesRead") \
+ V(callback_string, "callback") \
+ V(change_string, "change") \
+- V(oncertcb_string, "oncertcb") \
+ V(onclose_string, "_onclose") \
+ V(code_string, "code") \
+ V(compare_string, "compare") \
+diff -Naur node-v4.6.1.orig/src/node_crypto.cc node-v4.6.1/src/node_crypto.cc
+--- node-v4.6.1.orig/src/node_crypto.cc 2017-04-12 12:40:43.541229235 -0700
++++ node-v4.6.1/src/node_crypto.cc 2017-04-12 12:52:59.371161636 -0700
+@@ -160,8 +160,6 @@
+ #endif
+
+ template void SSLWrap<TLSWrap>::DestroySSL();
+-template int SSLWrap<TLSWrap>::SSLCertCallback(SSL* s, void* arg);
+-template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
+
+
+ static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
+@@ -525,8 +523,7 @@
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
+ X509* ca = sk_X509_value(extra_certs, i);
+
+- // NOTE: Increments reference count on `ca`
+- r = SSL_CTX_add1_chain_cert(ctx, ca);
++ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+
+ if (!r) {
+ ret = 0;
+@@ -1051,7 +1048,7 @@
+ void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
+ SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
+
+- wrap->ctx_->freelist_max_len = args[0]->Int32Value();
++ // wrap->ctx_->freelist_max_len = args[0]->Int32Value();
+ }
+
+
+@@ -1188,7 +1185,6 @@
+ env->SetProtoMethod(t, "verifyError", VerifyError);
+ env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
+ env->SetProtoMethod(t, "endParser", EndParser);
+- env->SetProtoMethod(t, "certCbDone", CertCbDone);
+ env->SetProtoMethod(t, "renegotiate", Renegotiate);
+ env->SetProtoMethod(t, "shutdownSSL", Shutdown);
+ env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
+@@ -2079,129 +2075,6 @@
+
+
+ template <class Base>
+-void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
+- cert_cb_ = cb;
+- cert_cb_arg_ = arg;
+-}
+-
+-
+-template <class Base>
+-int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) {
+- Base* w = static_cast<Base*>(SSL_get_app_data(s));
+-
+- if (!w->is_server())
+- return 1;
+-
+- if (!w->is_waiting_cert_cb())
+- return 1;
+-
+- if (w->cert_cb_running_)
+- return -1;
+-
+- Environment* env = w->env();
+- HandleScope handle_scope(env->isolate());
+- Context::Scope context_scope(env->context());
+- w->cert_cb_running_ = true;
+-
+- Local<Object> info = Object::New(env->isolate());
+-
+- SSL_SESSION* sess = SSL_get_session(s);
+- if (sess != nullptr) {
+- if (sess->tlsext_hostname == nullptr) {
+- info->Set(env->servername_string(), String::Empty(env->isolate()));
+- } else {
+- Local<String> servername = OneByteString(env->isolate(),
+- sess->tlsext_hostname,
+- strlen(sess->tlsext_hostname));
+- info->Set(env->servername_string(), servername);
+- }
+- info->Set(env->tls_ticket_string(),
+- Boolean::New(env->isolate(), sess->tlsext_ticklen != 0));
+- }
+-
+- bool ocsp = false;
+-#ifdef NODE__HAVE_TLSEXT_STATUS_CB
+- ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp;
+-#endif
+-
+- info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp));
+-
+- Local<Value> argv[] = { info };
+- w->MakeCallback(env->oncertcb_string(), arraysize(argv), argv);
+-
+- if (!w->cert_cb_running_)
+- return 1;
+-
+- // Performing async action, wait...
+- return -1;
+-}
+-
+-
+-template <class Base>
+-void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
+- Base* w = Unwrap<Base>(args.Holder());
+- Environment* env = w->env();
+-
+- CHECK(w->is_waiting_cert_cb() && w->cert_cb_running_);
+-
+- Local<Object> object = w->object();
+- Local<Value> ctx = object->Get(env->sni_context_string());
+- Local<FunctionTemplate> cons = env->secure_context_constructor_template();
+-
+- // Not an object, probably undefined or null
+- if (!ctx->IsObject())
+- goto fire_cb;
+-
+- if (cons->HasInstance(ctx)) {
+- SecureContext* sc = Unwrap<SecureContext>(ctx.As<Object>());
+- w->sni_context_.Reset();
+- w->sni_context_.Reset(env->isolate(), ctx);
+-
+- int rv;
+-
+- // NOTE: reference count is not increased by this API methods
+- X509* x509 = SSL_CTX_get0_certificate(sc->ctx_);
+- EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_);
+- STACK_OF(X509)* chain;
+-
+- rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain);
+- if (rv)
+- rv = SSL_use_certificate(w->ssl_, x509);
+- if (rv)
+- rv = SSL_use_PrivateKey(w->ssl_, pkey);
+- if (rv && chain != nullptr)
+- rv = SSL_set1_chain(w->ssl_, chain);
+- if (rv)
+- rv = w->SetCACerts(sc);
+- if (!rv) {
+- unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
+- if (!err)
+- return env->ThrowError("CertCbDone");
+- return ThrowCryptoError(env, err);
+- }
+- } else {
+- // Failure: incorrect SNI context object
+- Local<Value> err = Exception::TypeError(env->sni_context_err_string());
+- w->MakeCallback(env->onerror_string(), 1, &err);
+- return;
+- }
+-
+- fire_cb:
+- CertCb cb;
+- void* arg;
+-
+- cb = w->cert_cb_;
+- arg = w->cert_cb_arg_;
+-
+- w->cert_cb_running_ = false;
+- w->cert_cb_ = nullptr;
+- w->cert_cb_arg_ = nullptr;
+-
+- cb(arg);
+-}
+-
+-
+-template <class Base>
+ void SSLWrap<Base>::SSLGetter(Local<String> property,
+ const PropertyCallbackInfo<Value>& info) {
+ SSL* ssl = Unwrap<Base>(info.This())->ssl_;
+@@ -2232,10 +2105,6 @@
+
+ template <class Base>
+ int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
+- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
+- if (err != 1)
+- return err;
+-
+ STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
+ SSL_CTX_get_client_CA_list(sc->ctx_));
+
+@@ -2329,10 +2198,6 @@
+ DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
+ return 0;
+
+- } else if (err == SSL_ERROR_WANT_X509_LOOKUP) {
+- DEBUG_PRINT("[%p] SSL: %s want x509 lookup\n", ssl_, func);
+- return 0;
+-
+ } else if (err == SSL_ERROR_ZERO_RETURN) {
+ HandleScope scope(ssl_env()->isolate());
+
+@@ -2513,7 +2378,7 @@
+ SSL* ssl = static_cast<SSL*>(
+ X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+
+- if (SSL_is_server(ssl))
++ if (ssl->server)
+ return 1;
+
+ // Client needs to check if the server cert is listed in the
+@@ -2540,7 +2405,7 @@
+
+ // Call the SNI callback and use its return value as context
+ if (!conn->sniObject_.IsEmpty()) {
+- conn->sni_context_.Reset();
++ conn->sniContext_.Reset();
+
+ Local<Object> sni_obj = PersistentToLocal(env->isolate(),
+ conn->sniObject_);
+@@ -2556,7 +2421,7 @@
+ Local<FunctionTemplate> secure_context_constructor_template =
+ env->secure_context_constructor_template();
+ if (secure_context_constructor_template->HasInstance(ret)) {
+- conn->sni_context_.Reset(env->isolate(), ret);
++ conn->sniContext_.Reset(env->isolate(), ret);
+ SecureContext* sc = Unwrap<SecureContext>(ret.As<Object>());
+ conn->SetSNIContext(sc);
+ } else {
+@@ -2594,8 +2459,6 @@
+
+ InitNPN(sc);
+
+- SSL_set_cert_cb(conn->ssl_, SSLWrap<Connection>::SSLCertCallback, conn);
+-
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ if (is_server) {
+ SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
+diff -Naur node-v4.6.1.orig/src/node_crypto.h node-v4.6.1/src/node_crypto.h
+--- node-v4.6.1.orig/src/node_crypto.h 2017-04-12 12:40:43.541229235 -0700
++++ node-v4.6.1/src/node_crypto.h 2017-04-12 12:55:08.867710808 -0700
+@@ -179,10 +179,7 @@
+ kind_(kind),
+ next_sess_(nullptr),
+ session_callbacks_(false),
+- new_session_wait_(false),
+- cert_cb_(nullptr),
+- cert_cb_arg_(nullptr),
+- cert_cb_running_(false) {
++ new_session_wait_(false) {
+ ssl_ = SSL_new(sc->ctx_);
+ env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize);
+ CHECK_NE(ssl_, nullptr);
+@@ -199,9 +196,6 @@
+ npn_protos_.Reset();
+ selected_npn_proto_.Reset();
+ #endif
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- sni_context_.Reset();
+-#endif
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+ ocsp_response_.Reset();
+ #endif // NODE__HAVE_TLSEXT_STATUS_CB
+@@ -212,11 +206,8 @@
+ inline bool is_server() const { return kind_ == kServer; }
+ inline bool is_client() const { return kind_ == kClient; }
+ inline bool is_waiting_new_session() const { return new_session_wait_; }
+- inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; }
+
+ protected:
+- typedef void (*CertCb)(void* arg);
+-
+ // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and
+ // some for buffers.
+ // NOTE: Actually it is much more than this
+@@ -244,7 +235,6 @@
+ static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
+@@ -273,12 +263,10 @@
+ void* arg);
+ #endif // OPENSSL_NPN_NEGOTIATED
+ static int TLSExtStatusCallback(SSL* s, void* arg);
+- static int SSLCertCallback(SSL* s, void* arg);
+ static void SSLGetter(v8::Local<v8::String> property,
+ const v8::PropertyCallbackInfo<v8::Value>& info);
+
+ void DestroySSL();
+- void WaitForCertCb(CertCb cb, void* arg);
+ void SetSNIContext(SecureContext* sc);
+ int SetCACerts(SecureContext* sc);
+
+@@ -293,11 +281,6 @@
+ bool session_callbacks_;
+ bool new_session_wait_;
+
+- // SSL_set_cert_cb
+- CertCb cert_cb_;
+- void* cert_cb_arg_;
+- bool cert_cb_running_;
+-
+ ClientHelloParser hello_parser_;
+
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+@@ -309,10 +292,6 @@
+ v8::Persistent<v8::Value> selected_npn_proto_;
+ #endif // OPENSSL_NPN_NEGOTIATED
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- v8::Persistent<v8::Value> sni_context_;
+-#endif
+-
+ friend class SecureContext;
+ };
+
+@@ -324,6 +303,7 @@
+ ~Connection() override {
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ sniObject_.Reset();
++ sniContext_.Reset();
+ servername_.Reset();
+ #endif
+ }
+@@ -338,6 +318,7 @@
+
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ v8::Persistent<v8::Object> sniObject_;
++ v8::Persistent<v8::Value> sniContext_;
+ v8::Persistent<v8::String> servername_;
+ #endif
+
+diff -Naur node-v4.6.1.orig/src/tls_wrap.cc node-v4.6.1/src/tls_wrap.cc
+--- node-v4.6.1.orig/src/tls_wrap.cc 2017-04-12 12:40:43.557229429 -0700
++++ node-v4.6.1/src/tls_wrap.cc 2017-04-12 13:36:49.323009154 -0700
+@@ -141,8 +141,6 @@
+
+ InitNPN(sc_);
+
+- SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this);
+-
+ if (is_server()) {
+ SSL_set_accept_state(ssl_);
+ } else if (is_client()) {
+@@ -353,7 +351,6 @@
+ case SSL_ERROR_NONE:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+- case SSL_ERROR_WANT_X509_LOOKUP:
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ return scope.Escape(env()->zero_return_string());
+@@ -769,6 +766,11 @@
+ "EnableSessionCallbacks after destroySSL");
+ }
+ wrap->enable_session_callbacks();
++ EnableHelloParser(args);
++}
++
++void TLSWrap::EnableHelloParser(const FunctionCallbackInfo<Value>& args) {
++ TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
+ NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength);
+ wrap->hello_parser_.Start(SSLWrap<TLSWrap>::OnClientHello,
+ OnClientHelloParseEnd,
+@@ -793,12 +795,6 @@
+ }
+
+
+-void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) {
+- TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
+- wrap->WaitForCertCb(OnClientHelloParseEnd, wrap);
+-}
+-
+-
+ void TLSWrap::OnClientHelloParseEnd(void* arg) {
+ TLSWrap* c = static_cast<TLSWrap*>(arg);
+ c->Cycle();
+@@ -896,8 +892,8 @@
+ env->SetProtoMethod(t, "start", Start);
+ env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
+ env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
++ env->SetProtoMethod(t, "enableHelloParser", EnableHelloParser);
+ env->SetProtoMethod(t, "destroySSL", DestroySSL);
+- env->SetProtoMethod(t, "enableCertCb", EnableCertCb);
+
+ StreamBase::AddMethods<TLSWrap>(env, t, StreamBase::kFlagHasWritev);
+ SSLWrap<TLSWrap>::AddMethods(env, t);
+diff -Naur node-v4.6.1.orig/src/tls_wrap.h node-v4.6.1/src/tls_wrap.h
+--- node-v4.6.1.orig/src/tls_wrap.h 2017-04-12 12:40:43.558229441 -0700
++++ node-v4.6.1/src/tls_wrap.h 2017-04-12 13:35:51.214213644 -0700
+@@ -132,7 +132,7 @@
+ static void SetVerifyMode(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EnableSessionCallbacks(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void EnableCertCb(
++ static void EnableHelloParser(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args);
+
+@@ -160,6 +160,10 @@
+ // If true - delivered EOF to the js-land, either after `close_notify`, or
+ // after the `UV_EOF` on socket.
+ bool eof_;
++
++#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
++ v8::Persistent<v8::Value> sni_context_;
++#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ };
+
+ } // namespace node
+diff -Naur node-v4.6.1.orig/test/parallel/test-tls-cnnic-whitelist.js node-v4.6.1/test/parallel/test-tls-cnnic-whitelist.js
+--- node-v4.6.1.orig/test/parallel/test-tls-cnnic-whitelist.js 2017-04-12 12:40:43.865233168 -0700
++++ node-v4.6.1/test/parallel/test-tls-cnnic-whitelist.js 2017-04-12 12:58:14.901936343 -0700
+@@ -53,7 +53,9 @@
+ port: undefined,
+ rejectUnauthorized: true
+ },
+- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
++ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
++ errorCode: 'CERT_UNTRUSTED'
++ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ }
+ ];
+
+diff -Naur node-v4.6.1.orig/test/parallel/test-tls-sni-server-client.js node-v4.6.1/test/parallel/test-tls-sni-server-client.js
+--- node-v4.6.1.orig/test/parallel/test-tls-sni-server-client.js 2017-04-12 12:40:43.878233326 -0700
++++ node-v4.6.1/test/parallel/test-tls-sni-server-client.js 2017-04-12 13:00:18.804418594 -0700
+@@ -36,39 +36,37 @@
+ 'asterisk.test.com': {
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert')
+- },
+- 'chain.example.com': {
+- key: loadPEM('agent6-key'),
+- // NOTE: Contains ca3 chain cert
+- cert: loadPEM('agent6-cert')
+ }
+ };
+
+ var clientsOptions = [{
+ port: undefined,
++ key: loadPEM('agent1-key'),
++ cert: loadPEM('agent1-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'a.b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent3-key'),
++ cert: loadPEM('agent3-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.wrong.com',
+ rejectUnauthorized: false
+-}, {
+- port: undefined,
+- ca: [loadPEM('ca1-cert')],
+- servername: 'chain.example.com',
+- rejectUnauthorized: false
+ }];
+
+ const serverResults = [];
+@@ -80,7 +78,6 @@
+
+ server.addContext('a.example.com', SNIContexts['a.example.com']);
+ server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
+-server.addContext('chain.example.com', SNIContexts['chain.example.com']);
+
+ server.listen(0, startTest);
+
+@@ -109,8 +106,7 @@
+
+ process.on('exit', function() {
+ assert.deepEqual(serverResults, [
+- 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
+- 'chain.example.com'
++ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com'
+ ]);
+- assert.deepEqual(clientResults, [true, true, false, false, true]);
++ assert.deepEqual(clientResults, [true, true, false, false]);
+ });
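Review bot: In the `node_crypto.cc` hunk at `@@ -525,8 +523,7 @@`, replacing `SSL_CTX_add1_chain_cert` with `SSL_CTX_add_extra_chain_cert` changes ownership: the removed NOTE recorded that add1 increments the reference count on `ca`, whereas `SSL_CTX_add_extra_chain_cert` stores the pointer without taking a reference. `ca` is still borrowed from `extra_certs` through `sk_X509_value`, so if the enclosing function (outside this hunk) later frees that stack together with its elements, the context is left holding freed certificates and frees them again on teardown. I would take a reference before handing the certificate over, e.g. `CRYPTO_add(&ca->references, 1, CRYPTO_LOCK_X509);` ahead of the call and `X509_free(ca);` inside the `if (!r)` branch. The same substitution appears in nodejs-8.1.0-libressl.patch. Separately, `SetCACerts` no longer calls `SSL_set1_verify_cert_store`, so it is worth confirming that client-certificate verification after an SNI context switch still uses the selected context's CA store.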
diff --git a/net-libs/nodejs/files/nodejs-8.1.0-libressl.patch b/net-libs/nodejs/files/nodejs-8.1.0-libressl.patch
new file mode 100644
index 0000000..31493be
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-8.1.0-libressl.patch
@@ -0,0 +1,697 @@
+diff -Naur node-v4.6.1.orig/lib/_tls_wrap.js node-v4.6.1/lib/_tls_wrap.js
+--- node-v4.6.1.orig/lib/_tls_wrap.js 2017-04-12 12:40:43.517228944 -0700
++++ node-v4.6.1/lib/_tls_wrap.js 2017-04-12 12:49:51.155877106 -0700
+@@ -165,30 +165,33 @@
+ if (err)
+ return self.destroy(err);
+
+- self._handle.endParser();
+- });
+-}
+-
+-
+-function oncertcb(info) {
+- var self = this;
+- var servername = info.servername;
+-
+- loadSNI(self, servername, function(err, ctx) {
+- if (err)
+- return self.destroy(err);
+- requestOCSP(self, info, ctx, function(err) {
++ // Servername came from SSL session
++ // NOTE: TLS Session ticket doesn't include servername information
++ //
++ // Another note, From RFC3546:
++ //
++ // If, on the other hand, the older
++ // session is resumed, then the server MUST ignore extensions appearing
++ // in the client hello, and send a server hello containing no
++ // extensions; in this case the extension functionality negotiated
++ // during the original session initiation is applied to the resumed
++ // session.
++ //
++ // Therefore we should account session loading when dealing with servername
++ var servername = session && session.servername || hello.servername;
++ loadSNI(self, servername, function(err, ctx) {
+ if (err)
+ return self.destroy(err);
+
+- if (!self._handle)
+- return self.destroy(new Error('Socket is closed'));
++ requestOCSP(self, info, ctx, function(err) {
++ if (err)
++ return self.destroy(err);
++
++ if (!self._handle)
++ return self.destroy(new Error('Socket is closed'));
+
+- try {
+- self._handle.certCbDone();
+- } catch (e) {
+- self.destroy(e);
+- }
++ self._handle.endParser();
++ });
+ });
+ });
+ }
+@@ -410,18 +413,15 @@
+ ssl.onhandshakestart = () => onhandshakestart.call(this);
+ ssl.onhandshakedone = () => onhandshakedone.call(this);
+ ssl.onclienthello = (hello) => onclienthello.call(this, hello);
+- ssl.oncertcb = (info) => oncertcb.call(this, info);
+ ssl.onnewsession = (key, session) => onnewsession.call(this, key, session);
+ ssl.lastHandshakeTime = 0;
+ ssl.handshakes = 0;
+
+- if (this.server) {
+- if (this.server.listenerCount('resumeSession') > 0 ||
+- this.server.listenerCount('newSession') > 0) {
+- ssl.enableSessionCallbacks();
+- }
+- if (this.server.listenerCount('OCSPRequest') > 0)
+- ssl.enableCertCb();
++ if (this.server &&
++ (this.server.listenerCount('resumeSession') > 0 ||
++ this.server.listenerCount('newSession') > 0 ||
++ this.server.listenerCount('OCSPRequest') > 0)) {
++ ssl.enableSessionCallbacks();
+ }
+ } else {
+ ssl.onhandshakestart = function() {};
+@@ -463,7 +463,7 @@
+ options.server._contexts.length)) {
+ assert(typeof options.SNICallback === 'function');
+ this._SNICallback = options.SNICallback;
+- ssl.enableCertCb();
++ ssl.enableHelloParser();
+ }
+
+ if (process.features.tls_npn && options.NPNProtocols)
+diff -Naur node-v4.6.1.orig/src/env.h node-v4.6.1/src/env.h
+--- node-v4.6.1.orig/src/env.h 2017-04-12 12:40:43.536229174 -0700
++++ node-v4.6.1/src/env.h 2017-04-12 12:50:02.055009418 -0700
+@@ -57,7 +57,6 @@
+ V(bytes_read_string, "bytesRead") \
+ V(callback_string, "callback") \
+ V(change_string, "change") \
+- V(oncertcb_string, "oncertcb") \
+ V(onclose_string, "_onclose") \
+ V(code_string, "code") \
+ V(compare_string, "compare") \
+diff -Naur node-v4.6.1.orig/src/node.cc node-v4.6.1/src/node.cc
+--- node-v4.6.1.orig/src/node.cc 2017-06-08 05:31:34.000000000 -0500
++++ node-v4.6.1/src/node.cc 2017-06-30 10:26:59.945166636 -0500
+@@ -202,7 +202,7 @@
+ false;
+ #endif
+
+-# if NODE_FIPS_MODE
++# if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ // used by crypto module
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+@@ -3676,7 +3676,7 @@
+ " (default)"
+ #endif
+ "\n"
+-#if NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ " --enable-fips enable FIPS crypto at startup\n"
+ " --force-fips force FIPS crypto (cannot be disabled)\n"
+ #endif /* NODE_FIPS_MODE */
+@@ -3926,7 +3926,7 @@
+ } else if (strncmp(arg, "--use-bundled-ca", 16) == 0) {
+ use_bundled_ca = true;
+ ssl_openssl_cert_store = false;
+-#if NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ } else if (strcmp(arg, "--enable-fips") == 0) {
+ enable_fips_crypto = true;
+ } else if (strcmp(arg, "--force-fips") == 0) {
+@@ -4624,7 +4624,7 @@
+ if (SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+ crypto::UseExtraCaCerts(extra_ca_certs);
+ }
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ // In the case of FIPS builds we should make sure
+ // the random source is properly initialized first.
+ OPENSSL_init();
+diff -Naur node-v4.6.1.orig/src/node_crypto.cc node-v4.6.1/src/node_crypto.cc
+--- node-v4.6.1.orig/src/node_crypto.cc 2017-04-12 12:40:43.541229235 -0700
++++ node-v4.6.1/src/node_crypto.cc 2017-04-12 12:52:59.371161636 -0700
+@@ -160,8 +160,6 @@
+ #endif
+
+ template void SSLWrap<TLSWrap>::DestroySSL();
+-template int SSLWrap<TLSWrap>::SSLCertCallback(SSL* s, void* arg);
+-template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
+
+
+ static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
+@@ -525,8 +523,7 @@
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
+ X509* ca = sk_X509_value(extra_certs, i);
+
+- // NOTE: Increments reference count on `ca`
+- r = SSL_CTX_add1_chain_cert(ctx, ca);
++ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+
+ if (!r) {
+ ret = 0;
+@@ -717,7 +717,7 @@
+ }
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)) || defined(LIBRESSL_VERSION_NUMBER)
+ // This section contains OpenSSL 1.1.0 functions reimplemented for OpenSSL
+ // 1.0.2 so that the following code can be written without lots of #if lines.
+
+@@ -725,11 +725,12 @@
+ CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
+ return 1;
+ }
+-
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ static int X509_up_ref(X509* cert) {
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ return 1;
+ }
++#endif
+ #endif // OPENSSL_VERSION_NUMBER < 0x10100000L && !OPENSSL_IS_BORINGSSL
+
+
+@@ -1194,7 +1194,7 @@
+ SecureContext* wrap;
+ ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+
+- wrap->ctx_->freelist_max_len = args[0]->Int32Value();
++ //wrap->ctx_->freelist_max_len = args[0]->Int32Value();
+ #endif
+ }
+
+@@ -1188,7 +1185,6 @@
+ env->SetProtoMethod(t, "verifyError", VerifyError);
+ env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
+ env->SetProtoMethod(t, "endParser", EndParser);
+- env->SetProtoMethod(t, "certCbDone", CertCbDone);
+ env->SetProtoMethod(t, "renegotiate", Renegotiate);
+ env->SetProtoMethod(t, "shutdownSSL", Shutdown);
+ env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
+@@ -2411,126 +2411,6 @@
+
+
+ template <class Base>
+-void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
+- cert_cb_ = cb;
+- cert_cb_arg_ = arg;
+-}
+-
+-
+-template <class Base>
+-int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) {
+- Base* w = static_cast<Base*>(SSL_get_app_data(s));
+-
+- if (!w->is_server())
+- return 1;
+-
+- if (!w->is_waiting_cert_cb())
+- return 1;
+-
+- if (w->cert_cb_running_)
+- return -1;
+-
+- Environment* env = w->env();
+- HandleScope handle_scope(env->isolate());
+- Context::Scope context_scope(env->context());
+- w->cert_cb_running_ = true;
+-
+- Local<Object> info = Object::New(env->isolate());
+-
+- const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+- if (servername == nullptr) {
+- info->Set(env->servername_string(), String::Empty(env->isolate()));
+- } else {
+- Local<String> str = OneByteString(env->isolate(), servername,
+- strlen(servername));
+- info->Set(env->servername_string(), str);
+- }
+-
+- bool ocsp = false;
+-#ifdef NODE__HAVE_TLSEXT_STATUS_CB
+- ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp;
+-#endif
+-
+- info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp));
+-
+- Local<Value> argv[] = { info };
+- w->MakeCallback(env->oncertcb_string(), arraysize(argv), argv);
+-
+- if (!w->cert_cb_running_)
+- return 1;
+-
+- // Performing async action, wait...
+- return -1;
+-}
+-
+-
+-template <class Base>
+-void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
+- Base* w;
+- ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
+- Environment* env = w->env();
+-
+- CHECK(w->is_waiting_cert_cb() && w->cert_cb_running_);
+-
+- Local<Object> object = w->object();
+- Local<Value> ctx = object->Get(env->sni_context_string());
+- Local<FunctionTemplate> cons = env->secure_context_constructor_template();
+-
+- // Not an object, probably undefined or null
+- if (!ctx->IsObject())
+- goto fire_cb;
+-
+- if (cons->HasInstance(ctx)) {
+- SecureContext* sc;
+- ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>());
+- w->sni_context_.Reset();
+- w->sni_context_.Reset(env->isolate(), ctx);
+-
+- int rv;
+-
+- // NOTE: reference count is not increased by this API methods
+- X509* x509 = SSL_CTX_get0_certificate(sc->ctx_);
+- EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_);
+- STACK_OF(X509)* chain;
+-
+- rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain);
+- if (rv)
+- rv = SSL_use_certificate(w->ssl_, x509);
+- if (rv)
+- rv = SSL_use_PrivateKey(w->ssl_, pkey);
+- if (rv && chain != nullptr)
+- rv = SSL_set1_chain(w->ssl_, chain);
+- if (rv)
+- rv = w->SetCACerts(sc);
+- if (!rv) {
+- unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
+- if (!err)
+- return env->ThrowError("CertCbDone");
+- return ThrowCryptoError(env, err);
+- }
+- } else {
+- // Failure: incorrect SNI context object
+- Local<Value> err = Exception::TypeError(env->sni_context_err_string());
+- w->MakeCallback(env->onerror_string(), 1, &err);
+- return;
+- }
+-
+- fire_cb:
+- CertCb cb;
+- void* arg;
+-
+- cb = w->cert_cb_;
+- arg = w->cert_cb_arg_;
+-
+- w->cert_cb_running_ = false;
+- w->cert_cb_ = nullptr;
+- w->cert_cb_arg_ = nullptr;
+-
+- cb(arg);
+-}
+-
+-
+-template <class Base>
+ void SSLWrap<Base>::SSLGetter(Local<String> property,
+ const PropertyCallbackInfo<Value>& info) {
+ Base* base;
+@@ -2232,10 +2105,6 @@
+
+ template <class Base>
+ int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
+- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
+- if (err != 1)
+- return err;
+-
+ STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
+ SSL_CTX_get_client_CA_list(sc->ctx_));
+
+@@ -2329,10 +2198,6 @@
+ DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
+ return 0;
+
+- } else if (err == SSL_ERROR_WANT_X509_LOOKUP) {
+- DEBUG_PRINT("[%p] SSL: %s want x509 lookup\n", ssl_, func);
+- return 0;
+-
+ } else if (err == SSL_ERROR_ZERO_RETURN) {
+ HandleScope scope(ssl_env()->isolate());
+
+@@ -2875,7 +2755,8 @@
+ SSL* ssl = static_cast<SSL*>(
+ X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+
+- if (SSL_is_server(ssl))
++ //if (SSL_is_server(ssl))
++ if(ssl->server)
+ return CHECK_OK;
+
+ // Client needs to check if the server cert is listed in the
+@@ -2540,7 +2405,7 @@
+
+ // Call the SNI callback and use its return value as context
+ if (!conn->sniObject_.IsEmpty()) {
+- conn->sni_context_.Reset();
++ conn->sniContext_.Reset();
+
+ Local<Object> sni_obj = PersistentToLocal(env->isolate(),
+ conn->sniObject_);
+@@ -2918,7 +2799,7 @@
+ Local<FunctionTemplate> secure_context_constructor_template =
+ env->secure_context_constructor_template();
+ if (secure_context_constructor_template->HasInstance(ret)) {
+- conn->sni_context_.Reset(env->isolate(), ret);
++ conn->sniContext_.Reset(env->isolate(), ret);
+ SecureContext* sc;
+ ASSIGN_OR_RETURN_UNWRAP(&sc, ret.As<Object>(), SSL_TLSEXT_ERR_NOACK);
+ conn->SetSNIContext(sc);
+@@ -2594,8 +2459,6 @@
+
+ InitNPN(sc);
+
+- SSL_set_cert_cb(conn->ssl_, SSLWrap<Connection>::SSLCertCallback, conn);
+-
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ if (is_server) {
+ SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
+@@ -3335,7 +3335,7 @@
+ int key_buf_len) {
+ HandleScope scope(env()->isolate());
+
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ if (FIPS_mode()) {
+ return env()->ThrowError(
+ "crypto.createCipher() is not supported in FIPS mode.");
+@@ -4185,7 +4185,7 @@
+ if (pkey == nullptr || 0 != ERR_peek_error())
+ goto exit;
+
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Validate DSA2 parameters from FIPS 186-4 */
+ if (FIPS_mode() && EVP_PKEY_DSA == pkey->type) {
+ size_t L = BN_num_bits(pkey->pkey.dsa->p);
+@@ -6132,7 +6132,7 @@
+ CRYPTO_set_locking_callback(crypto_lock_cb);
+ CRYPTO_THREADID_set_callback(crypto_threadid_cb);
+
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Override FIPS settings in cnf file, if needed. */
+ unsigned long err = 0; // NOLINT(runtime/int)
+ if (enable_fips_crypto || force_fips_crypto) {
+@@ -6201,16 +6201,20 @@
+ #endif // !OPENSSL_NO_ENGINE
+
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ if (FIPS_mode()) {
+ args.GetReturnValue().Set(1);
+ } else {
+ args.GetReturnValue().Set(0);
+ }
++#else
++ args.GetReturnValue().Set(0);
++#endif
+ }
+
+ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+ Environment* env = Environment::GetCurrent(args);
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ bool mode = args[0]->BooleanValue();
+ if (force_fips_crypto) {
+ return env->ThrowError(
+diff -Naur node-v4.6.1.orig/src/node_crypto.h node-v4.6.1/src/node_crypto.h
+--- node-v4.6.1.orig/src/node_crypto.h 2017-04-12 12:40:43.541229235 -0700
++++ node-v4.6.1/src/node_crypto.h 2017-04-12 12:55:08.867710808 -0700
+@@ -179,10 +179,7 @@
+ kind_(kind),
+ next_sess_(nullptr),
+ session_callbacks_(false),
+- new_session_wait_(false),
+- cert_cb_(nullptr),
+- cert_cb_arg_(nullptr),
+- cert_cb_running_(false) {
++ new_session_wait_(false) {
+ ssl_ = SSL_new(sc->ctx_);
+ env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize);
+ CHECK_NE(ssl_, nullptr);
+@@ -200,9 +200,6 @@
+ next_sess_ = nullptr;
+ }
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- sni_context_.Reset();
+-#endif
+
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+ ocsp_response_.Reset();
+@@ -212,11 +206,8 @@
+ inline bool is_server() const { return kind_ == kServer; }
+ inline bool is_client() const { return kind_ == kClient; }
+ inline bool is_waiting_new_session() const { return new_session_wait_; }
+- inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; }
+
+ protected:
+- typedef void (*CertCb)(void* arg);
+-
+ // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and
+ // some for buffers.
+ // NOTE: Actually it is much more than this
+@@ -244,7 +235,6 @@
+ static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
+@@ -273,12 +263,10 @@
+ void* arg);
+ #endif // OPENSSL_NPN_NEGOTIATED
+ static int TLSExtStatusCallback(SSL* s, void* arg);
+- static int SSLCertCallback(SSL* s, void* arg);
+ static void SSLGetter(v8::Local<v8::String> property,
+ const v8::PropertyCallbackInfo<v8::Value>& info);
+
+ void DestroySSL();
+- void WaitForCertCb(CertCb cb, void* arg);
+ void SetSNIContext(SecureContext* sc);
+ int SetCACerts(SecureContext* sc);
+
+@@ -293,11 +281,6 @@
+ bool session_callbacks_;
+ bool new_session_wait_;
+
+- // SSL_set_cert_cb
+- CertCb cert_cb_;
+- void* cert_cb_arg_;
+- bool cert_cb_running_;
+-
+ ClientHelloParser hello_parser_;
+
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+@@ -309,10 +292,6 @@
+ v8::Persistent<v8::Value> selected_npn_proto_;
+ #endif // OPENSSL_NPN_NEGOTIATED
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- v8::Persistent<v8::Value> sni_context_;
+-#endif
+-
+ friend class SecureContext;
+ };
+
+@@ -324,6 +303,7 @@
+ ~Connection() override {
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ sniObject_.Reset();
++ sniContext_.Reset();
+ servername_.Reset();
+ #endif
+ }
+@@ -338,6 +318,7 @@
+
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ v8::Persistent<v8::Object> sniObject_;
++ v8::Persistent<v8::Value> sniContext_;
+ v8::Persistent<v8::String> servername_;
+ #endif
+
+diff -Naur node-v4.6.1.orig/src/tls_wrap.cc node-v4.6.1/src/tls_wrap.cc
+--- node-v4.6.1.orig/src/tls_wrap.cc 2017-04-12 12:40:43.557229429 -0700
++++ node-v4.6.1/src/tls_wrap.cc 2017-04-12 13:36:49.323009154 -0700
+@@ -141,8 +141,6 @@
+
+ InitNPN(sc_);
+
+- SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this);
+-
+ if (is_server()) {
+ SSL_set_accept_state(ssl_);
+ } else if (is_client()) {
+@@ -353,7 +351,6 @@
+ case SSL_ERROR_NONE:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+- case SSL_ERROR_WANT_X509_LOOKUP:
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ return scope.Escape(env()->zero_return_string());
+@@ -769,6 +766,11 @@
+ "EnableSessionCallbacks after destroySSL");
+ }
+ wrap->enable_session_callbacks();
++ EnableHelloParser(args);
++}
++
++void TLSWrap::EnableHelloParser(const FunctionCallbackInfo<Value>& args) {
++ TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
+ NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength);
+ wrap->hello_parser_.Start(SSLWrap<TLSWrap>::OnClientHello,
+ OnClientHelloParseEnd,
+@@ -833,13 +833,6 @@
+ }
+
+
+-void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) {
+- TLSWrap* wrap;
+- ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+- wrap->WaitForCertCb(OnClientHelloParseEnd, wrap);
+-}
+-
+-
+ void TLSWrap::OnClientHelloParseEnd(void* arg) {
+ TLSWrap* c = static_cast<TLSWrap*>(arg);
+ c->Cycle();
+@@ -896,8 +892,8 @@
+ env->SetProtoMethod(t, "start", Start);
+ env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
+ env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
++ env->SetProtoMethod(t, "enableHelloParser", EnableHelloParser);
+ env->SetProtoMethod(t, "destroySSL", DestroySSL);
+- env->SetProtoMethod(t, "enableCertCb", EnableCertCb);
+
+ StreamBase::AddMethods<TLSWrap>(env, t, StreamBase::kFlagHasWritev);
+ SSLWrap<TLSWrap>::AddMethods(env, t);
+diff -Naur node-v4.6.1.orig/src/tls_wrap.h node-v4.6.1/src/tls_wrap.h
+--- node-v4.6.1.orig/src/tls_wrap.h 2017-04-12 12:40:43.558229441 -0700
++++ node-v4.6.1/src/tls_wrap.h 2017-04-12 13:35:51.214213644 -0700
+@@ -132,7 +132,7 @@
+ static void SetVerifyMode(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EnableSessionCallbacks(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void EnableCertCb(
++ static void EnableHelloParser(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args);
+
+@@ -160,6 +160,10 @@
+ // If true - delivered EOF to the js-land, either after `close_notify`, or
+ // after the `UV_EOF` on socket.
+ bool eof_;
++
++#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
++ v8::Persistent<v8::Value> sni_context_;
++#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ };
+
+ } // namespace node
+diff -Naur node-v4.6.1.orig/test/parallel/test-tls-cnnic-whitelist.js node-v4.6.1/test/parallel/test-tls-cnnic-whitelist.js
+--- node-v4.6.1.orig/test/parallel/test-tls-cnnic-whitelist.js 2017-04-12 12:40:43.865233168 -0700
++++ node-v4.6.1/test/parallel/test-tls-cnnic-whitelist.js 2017-04-12 12:58:14.901936343 -0700
+@@ -53,7 +53,9 @@
+ port: undefined,
+ rejectUnauthorized: true
+ },
+- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
++ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
++ errorCode: 'CERT_UNTRUSTED'
++ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ }
+ ];
+
+diff -Naur node-v4.6.1.orig/test/parallel/test-tls-sni-server-client.js node-v4.6.1/test/parallel/test-tls-sni-server-client.js
+--- node-v4.6.1.orig/test/parallel/test-tls-sni-server-client.js 2017-04-12 12:40:43.878233326 -0700
++++ node-v4.6.1/test/parallel/test-tls-sni-server-client.js 2017-04-12 13:00:18.804418594 -0700
+@@ -56,39 +56,37 @@
+ 'asterisk.test.com': {
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert')
+- },
+- 'chain.example.com': {
+- key: loadPEM('agent6-key'),
+- // NOTE: Contains ca3 chain cert
+- cert: loadPEM('agent6-cert')
+ }
+ };
+
+ const clientsOptions = [{
+ port: undefined,
++ key: loadPEM('agent1-key'),
++ cert: loadPEM('agent1-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'a.b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent3-key'),
++ cert: loadPEM('agent3-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.wrong.com',
+ rejectUnauthorized: false
+-}, {
+- port: undefined,
+- ca: [loadPEM('ca1-cert')],
+- servername: 'chain.example.com',
+- rejectUnauthorized: false
+ }];
+
+ const serverResults = [];
+@@ -80,7 +78,6 @@
+
+ server.addContext('a.example.com', SNIContexts['a.example.com']);
+ server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
+-server.addContext('chain.example.com', SNIContexts['chain.example.com']);
+
+ server.listen(0, startTest);
+
+@@ -128,8 +126,7 @@
+
+ process.on('exit', function() {
+ assert.deepStrictEqual(serverResults, [
+- 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
+- 'chain.example.com'
++ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com'
+ ]);
+- assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
++ assert.deepStrictEqual(clientResults, [true, true, false, false]);
+ });
diff --git a/net-libs/nodejs/files/nodejs-8.1.1-libressl.patch b/net-libs/nodejs/files/nodejs-8.1.1-libressl.patch
new file mode 100644
index 0000000..31493be
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-8.1.1-libressl.patch
@@ -0,0 +1,697 @@
+diff -Naur node-v4.6.1.orig/lib/_tls_wrap.js node-v4.6.1/lib/_tls_wrap.js
+--- node-v4.6.1.orig/lib/_tls_wrap.js 2017-04-12 12:40:43.517228944 -0700
++++ node-v4.6.1/lib/_tls_wrap.js 2017-04-12 12:49:51.155877106 -0700
+@@ -165,30 +165,33 @@
+ if (err)
+ return self.destroy(err);
+
+- self._handle.endParser();
+- });
+-}
+-
+-
+-function oncertcb(info) {
+- var self = this;
+- var servername = info.servername;
+-
+- loadSNI(self, servername, function(err, ctx) {
+- if (err)
+- return self.destroy(err);
+- requestOCSP(self, info, ctx, function(err) {
++ // Servername came from SSL session
++ // NOTE: TLS Session ticket doesn't include servername information
++ //
++ // Another note, From RFC3546:
++ //
++ // If, on the other hand, the older
++ // session is resumed, then the server MUST ignore extensions appearing
++ // in the client hello, and send a server hello containing no
++ // extensions; in this case the extension functionality negotiated
++ // during the original session initiation is applied to the resumed
++ // session.
++ //
++ // Therefore we should account session loading when dealing with servername
++ var servername = session && session.servername || hello.servername;
++ loadSNI(self, servername, function(err, ctx) {
+ if (err)
+ return self.destroy(err);
+
+- if (!self._handle)
+- return self.destroy(new Error('Socket is closed'));
++ requestOCSP(self, info, ctx, function(err) {
++ if (err)
++ return self.destroy(err);
++
++ if (!self._handle)
++ return self.destroy(new Error('Socket is closed'));
+
+- try {
+- self._handle.certCbDone();
+- } catch (e) {
+- self.destroy(e);
+- }
++ self._handle.endParser();
++ });
+ });
+ });
+ }
+@@ -410,18 +413,15 @@
+ ssl.onhandshakestart = () => onhandshakestart.call(this);
+ ssl.onhandshakedone = () => onhandshakedone.call(this);
+ ssl.onclienthello = (hello) => onclienthello.call(this, hello);
+- ssl.oncertcb = (info) => oncertcb.call(this, info);
+ ssl.onnewsession = (key, session) => onnewsession.call(this, key, session);
+ ssl.lastHandshakeTime = 0;
+ ssl.handshakes = 0;
+
+- if (this.server) {
+- if (this.server.listenerCount('resumeSession') > 0 ||
+- this.server.listenerCount('newSession') > 0) {
+- ssl.enableSessionCallbacks();
+- }
+- if (this.server.listenerCount('OCSPRequest') > 0)
+- ssl.enableCertCb();
++ if (this.server &&
++ (this.server.listenerCount('resumeSession') > 0 ||
++ this.server.listenerCount('newSession') > 0 ||
++ this.server.listenerCount('OCSPRequest') > 0)) {
++ ssl.enableSessionCallbacks();
+ }
+ } else {
+ ssl.onhandshakestart = function() {};
+@@ -463,7 +463,7 @@
+ options.server._contexts.length)) {
+ assert(typeof options.SNICallback === 'function');
+ this._SNICallback = options.SNICallback;
+- ssl.enableCertCb();
++ ssl.enableHelloParser();
+ }
+
+ if (process.features.tls_npn && options.NPNProtocols)
+diff -Naur node-v4.6.1.orig/src/env.h node-v4.6.1/src/env.h
+--- node-v4.6.1.orig/src/env.h 2017-04-12 12:40:43.536229174 -0700
++++ node-v4.6.1/src/env.h 2017-04-12 12:50:02.055009418 -0700
+@@ -57,7 +57,6 @@
+ V(bytes_read_string, "bytesRead") \
+ V(callback_string, "callback") \
+ V(change_string, "change") \
+- V(oncertcb_string, "oncertcb") \
+ V(onclose_string, "_onclose") \
+ V(code_string, "code") \
+ V(compare_string, "compare") \
+diff -Naur node-v4.6.1.orig/src/node.cc node-v4.6.1/src/node.cc
+--- node-v4.6.1.orig/src/node.cc 2017-06-08 05:31:34.000000000 -0500
++++ node-v4.6.1/src/node.cc 2017-06-30 10:26:59.945166636 -0500
+@@ -202,7 +202,7 @@
+ false;
+ #endif
+
+-# if NODE_FIPS_MODE
++# if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ // used by crypto module
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+@@ -3676,7 +3676,7 @@
+ " (default)"
+ #endif
+ "\n"
+-#if NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ " --enable-fips enable FIPS crypto at startup\n"
+ " --force-fips force FIPS crypto (cannot be disabled)\n"
+ #endif /* NODE_FIPS_MODE */
+@@ -3926,7 +3926,7 @@
+ } else if (strncmp(arg, "--use-bundled-ca", 16) == 0) {
+ use_bundled_ca = true;
+ ssl_openssl_cert_store = false;
+-#if NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ } else if (strcmp(arg, "--enable-fips") == 0) {
+ enable_fips_crypto = true;
+ } else if (strcmp(arg, "--force-fips") == 0) {
+@@ -4624,7 +4624,7 @@
+ if (SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+ crypto::UseExtraCaCerts(extra_ca_certs);
+ }
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ // In the case of FIPS builds we should make sure
+ // the random source is properly initialized first.
+ OPENSSL_init();
+diff -Naur node-v4.6.1.orig/src/node_crypto.cc node-v4.6.1/src/node_crypto.cc
+--- node-v4.6.1.orig/src/node_crypto.cc 2017-04-12 12:40:43.541229235 -0700
++++ node-v4.6.1/src/node_crypto.cc 2017-04-12 12:52:59.371161636 -0700
+@@ -160,8 +160,6 @@
+ #endif
+
+ template void SSLWrap<TLSWrap>::DestroySSL();
+-template int SSLWrap<TLSWrap>::SSLCertCallback(SSL* s, void* arg);
+-template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
+
+
+ static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
+@@ -525,8 +523,7 @@
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
+ X509* ca = sk_X509_value(extra_certs, i);
+
+- // NOTE: Increments reference count on `ca`
+- r = SSL_CTX_add1_chain_cert(ctx, ca);
++ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+
+ if (!r) {
+ ret = 0;
+@@ -717,7 +717,7 @@
+ }
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)) || defined(LIBRESSL_VERSION_NUMBER)
+ // This section contains OpenSSL 1.1.0 functions reimplemented for OpenSSL
+ // 1.0.2 so that the following code can be written without lots of #if lines.
+
+@@ -725,11 +725,12 @@
+ CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
+ return 1;
+ }
+-
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ static int X509_up_ref(X509* cert) {
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ return 1;
+ }
++#endif
+ #endif // OPENSSL_VERSION_NUMBER < 0x10100000L && !OPENSSL_IS_BORINGSSL
+
+
+@@ -1194,7 +1194,7 @@
+ SecureContext* wrap;
+ ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+
+- wrap->ctx_->freelist_max_len = args[0]->Int32Value();
++ //wrap->ctx_->freelist_max_len = args[0]->Int32Value();
+ #endif
+ }
+
+@@ -1188,7 +1185,6 @@
+ env->SetProtoMethod(t, "verifyError", VerifyError);
+ env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
+ env->SetProtoMethod(t, "endParser", EndParser);
+- env->SetProtoMethod(t, "certCbDone", CertCbDone);
+ env->SetProtoMethod(t, "renegotiate", Renegotiate);
+ env->SetProtoMethod(t, "shutdownSSL", Shutdown);
+ env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
+@@ -2411,126 +2411,6 @@
+
+
+ template <class Base>
+-void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
+- cert_cb_ = cb;
+- cert_cb_arg_ = arg;
+-}
+-
+-
+-template <class Base>
+-int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) {
+- Base* w = static_cast<Base*>(SSL_get_app_data(s));
+-
+- if (!w->is_server())
+- return 1;
+-
+- if (!w->is_waiting_cert_cb())
+- return 1;
+-
+- if (w->cert_cb_running_)
+- return -1;
+-
+- Environment* env = w->env();
+- HandleScope handle_scope(env->isolate());
+- Context::Scope context_scope(env->context());
+- w->cert_cb_running_ = true;
+-
+- Local<Object> info = Object::New(env->isolate());
+-
+- const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+- if (servername == nullptr) {
+- info->Set(env->servername_string(), String::Empty(env->isolate()));
+- } else {
+- Local<String> str = OneByteString(env->isolate(), servername,
+- strlen(servername));
+- info->Set(env->servername_string(), str);
+- }
+-
+- bool ocsp = false;
+-#ifdef NODE__HAVE_TLSEXT_STATUS_CB
+- ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp;
+-#endif
+-
+- info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp));
+-
+- Local<Value> argv[] = { info };
+- w->MakeCallback(env->oncertcb_string(), arraysize(argv), argv);
+-
+- if (!w->cert_cb_running_)
+- return 1;
+-
+- // Performing async action, wait...
+- return -1;
+-}
+-
+-
+-template <class Base>
+-void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
+- Base* w;
+- ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
+- Environment* env = w->env();
+-
+- CHECK(w->is_waiting_cert_cb() && w->cert_cb_running_);
+-
+- Local<Object> object = w->object();
+- Local<Value> ctx = object->Get(env->sni_context_string());
+- Local<FunctionTemplate> cons = env->secure_context_constructor_template();
+-
+- // Not an object, probably undefined or null
+- if (!ctx->IsObject())
+- goto fire_cb;
+-
+- if (cons->HasInstance(ctx)) {
+- SecureContext* sc;
+- ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>());
+- w->sni_context_.Reset();
+- w->sni_context_.Reset(env->isolate(), ctx);
+-
+- int rv;
+-
+- // NOTE: reference count is not increased by this API methods
+- X509* x509 = SSL_CTX_get0_certificate(sc->ctx_);
+- EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_);
+- STACK_OF(X509)* chain;
+-
+- rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain);
+- if (rv)
+- rv = SSL_use_certificate(w->ssl_, x509);
+- if (rv)
+- rv = SSL_use_PrivateKey(w->ssl_, pkey);
+- if (rv && chain != nullptr)
+- rv = SSL_set1_chain(w->ssl_, chain);
+- if (rv)
+- rv = w->SetCACerts(sc);
+- if (!rv) {
+- unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
+- if (!err)
+- return env->ThrowError("CertCbDone");
+- return ThrowCryptoError(env, err);
+- }
+- } else {
+- // Failure: incorrect SNI context object
+- Local<Value> err = Exception::TypeError(env->sni_context_err_string());
+- w->MakeCallback(env->onerror_string(), 1, &err);
+- return;
+- }
+-
+- fire_cb:
+- CertCb cb;
+- void* arg;
+-
+- cb = w->cert_cb_;
+- arg = w->cert_cb_arg_;
+-
+- w->cert_cb_running_ = false;
+- w->cert_cb_ = nullptr;
+- w->cert_cb_arg_ = nullptr;
+-
+- cb(arg);
+-}
+-
+-
+-template <class Base>
+ void SSLWrap<Base>::SSLGetter(Local<String> property,
+ const PropertyCallbackInfo<Value>& info) {
+ Base* base;
+@@ -2232,10 +2105,6 @@
+
+ template <class Base>
+ int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
+- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
+- if (err != 1)
+- return err;
+-
+ STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
+ SSL_CTX_get_client_CA_list(sc->ctx_));
+
+@@ -2329,10 +2198,6 @@
+ DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
+ return 0;
+
+- } else if (err == SSL_ERROR_WANT_X509_LOOKUP) {
+- DEBUG_PRINT("[%p] SSL: %s want x509 lookup\n", ssl_, func);
+- return 0;
+-
+ } else if (err == SSL_ERROR_ZERO_RETURN) {
+ HandleScope scope(ssl_env()->isolate());
+
+@@ -2875,7 +2755,8 @@
+ SSL* ssl = static_cast<SSL*>(
+ X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+
+- if (SSL_is_server(ssl))
++ //if (SSL_is_server(ssl))
++ if(ssl->server)
+ return CHECK_OK;
+
+ // Client needs to check if the server cert is listed in the
+@@ -2540,7 +2405,7 @@
+
+ // Call the SNI callback and use its return value as context
+ if (!conn->sniObject_.IsEmpty()) {
+- conn->sni_context_.Reset();
++ conn->sniContext_.Reset();
+
+ Local<Object> sni_obj = PersistentToLocal(env->isolate(),
+ conn->sniObject_);
+@@ -2918,7 +2799,7 @@
+ Local<FunctionTemplate> secure_context_constructor_template =
+ env->secure_context_constructor_template();
+ if (secure_context_constructor_template->HasInstance(ret)) {
+- conn->sni_context_.Reset(env->isolate(), ret);
++ conn->sniContext_.Reset(env->isolate(), ret);
+ SecureContext* sc;
+ ASSIGN_OR_RETURN_UNWRAP(&sc, ret.As<Object>(), SSL_TLSEXT_ERR_NOACK);
+ conn->SetSNIContext(sc);
+@@ -2594,8 +2459,6 @@
+
+ InitNPN(sc);
+
+- SSL_set_cert_cb(conn->ssl_, SSLWrap<Connection>::SSLCertCallback, conn);
+-
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ if (is_server) {
+ SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
+@@ -3335,7 +3335,7 @@
+ int key_buf_len) {
+ HandleScope scope(env()->isolate());
+
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ if (FIPS_mode()) {
+ return env()->ThrowError(
+ "crypto.createCipher() is not supported in FIPS mode.");
+@@ -4185,7 +4185,7 @@
+ if (pkey == nullptr || 0 != ERR_peek_error())
+ goto exit;
+
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Validate DSA2 parameters from FIPS 186-4 */
+ if (FIPS_mode() && EVP_PKEY_DSA == pkey->type) {
+ size_t L = BN_num_bits(pkey->pkey.dsa->p);
+@@ -6132,7 +6132,7 @@
+ CRYPTO_set_locking_callback(crypto_lock_cb);
+ CRYPTO_THREADID_set_callback(crypto_threadid_cb);
+
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Override FIPS settings in cnf file, if needed. */
+ unsigned long err = 0; // NOLINT(runtime/int)
+ if (enable_fips_crypto || force_fips_crypto) {
+@@ -6201,16 +6201,20 @@
+ #endif // !OPENSSL_NO_ENGINE
+
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ if (FIPS_mode()) {
+ args.GetReturnValue().Set(1);
+ } else {
+ args.GetReturnValue().Set(0);
+ }
++#else
++ args.GetReturnValue().Set(0);
++#endif
+ }
+
+ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+ Environment* env = Environment::GetCurrent(args);
+-#ifdef NODE_FIPS_MODE
++#if NODE_FIPS_MODE && !defined(LIBRESSL_VERSION_NUMBER)
+ bool mode = args[0]->BooleanValue();
+ if (force_fips_crypto) {
+ return env->ThrowError(
+diff -Naur node-v4.6.1.orig/src/node_crypto.h node-v4.6.1/src/node_crypto.h
+--- node-v4.6.1.orig/src/node_crypto.h 2017-04-12 12:40:43.541229235 -0700
++++ node-v4.6.1/src/node_crypto.h 2017-04-12 12:55:08.867710808 -0700
+@@ -179,10 +179,7 @@
+ kind_(kind),
+ next_sess_(nullptr),
+ session_callbacks_(false),
+- new_session_wait_(false),
+- cert_cb_(nullptr),
+- cert_cb_arg_(nullptr),
+- cert_cb_running_(false) {
++ new_session_wait_(false) {
+ ssl_ = SSL_new(sc->ctx_);
+ env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize);
+ CHECK_NE(ssl_, nullptr);
+@@ -200,9 +200,6 @@
+ next_sess_ = nullptr;
+ }
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- sni_context_.Reset();
+-#endif
+
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+ ocsp_response_.Reset();
+@@ -212,11 +206,8 @@
+ inline bool is_server() const { return kind_ == kServer; }
+ inline bool is_client() const { return kind_ == kClient; }
+ inline bool is_waiting_new_session() const { return new_session_wait_; }
+- inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; }
+
+ protected:
+- typedef void (*CertCb)(void* arg);
+-
+ // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and
+ // some for buffers.
+ // NOTE: Actually it is much more than this
+@@ -244,7 +235,6 @@
+ static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
+@@ -273,12 +263,10 @@
+ void* arg);
+ #endif // OPENSSL_NPN_NEGOTIATED
+ static int TLSExtStatusCallback(SSL* s, void* arg);
+- static int SSLCertCallback(SSL* s, void* arg);
+ static void SSLGetter(v8::Local<v8::String> property,
+ const v8::PropertyCallbackInfo<v8::Value>& info);
+
+ void DestroySSL();
+- void WaitForCertCb(CertCb cb, void* arg);
+ void SetSNIContext(SecureContext* sc);
+ int SetCACerts(SecureContext* sc);
+
+@@ -293,11 +281,6 @@
+ bool session_callbacks_;
+ bool new_session_wait_;
+
+- // SSL_set_cert_cb
+- CertCb cert_cb_;
+- void* cert_cb_arg_;
+- bool cert_cb_running_;
+-
+ ClientHelloParser hello_parser_;
+
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+@@ -309,10 +292,6 @@
+ v8::Persistent<v8::Value> selected_npn_proto_;
+ #endif // OPENSSL_NPN_NEGOTIATED
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- v8::Persistent<v8::Value> sni_context_;
+-#endif
+-
+ friend class SecureContext;
+ };
+
+@@ -324,6 +303,7 @@
+ ~Connection() override {
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ sniObject_.Reset();
++ sniContext_.Reset();
+ servername_.Reset();
+ #endif
+ }
+@@ -338,6 +318,7 @@
+
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ v8::Persistent<v8::Object> sniObject_;
++ v8::Persistent<v8::Value> sniContext_;
+ v8::Persistent<v8::String> servername_;
+ #endif
+
+diff -Naur node-v4.6.1.orig/src/tls_wrap.cc node-v4.6.1/src/tls_wrap.cc
+--- node-v4.6.1.orig/src/tls_wrap.cc 2017-04-12 12:40:43.557229429 -0700
++++ node-v4.6.1/src/tls_wrap.cc 2017-04-12 13:36:49.323009154 -0700
+@@ -141,8 +141,6 @@
+
+ InitNPN(sc_);
+
+- SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this);
+-
+ if (is_server()) {
+ SSL_set_accept_state(ssl_);
+ } else if (is_client()) {
+@@ -353,7 +351,6 @@
+ case SSL_ERROR_NONE:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+- case SSL_ERROR_WANT_X509_LOOKUP:
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ return scope.Escape(env()->zero_return_string());
+@@ -769,6 +766,11 @@
+ "EnableSessionCallbacks after destroySSL");
+ }
+ wrap->enable_session_callbacks();
++ EnableHelloParser(args);
++}
++
++void TLSWrap::EnableHelloParser(const FunctionCallbackInfo<Value>& args) {
++ TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
+ NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength);
+ wrap->hello_parser_.Start(SSLWrap<TLSWrap>::OnClientHello,
+ OnClientHelloParseEnd,
+@@ -833,13 +833,6 @@
+ }
+
+
+-void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) {
+- TLSWrap* wrap;
+- ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+- wrap->WaitForCertCb(OnClientHelloParseEnd, wrap);
+-}
+-
+-
+ void TLSWrap::OnClientHelloParseEnd(void* arg) {
+ TLSWrap* c = static_cast<TLSWrap*>(arg);
+ c->Cycle();
+@@ -896,8 +892,8 @@
+ env->SetProtoMethod(t, "start", Start);
+ env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
+ env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
++ env->SetProtoMethod(t, "enableHelloParser", EnableHelloParser);
+ env->SetProtoMethod(t, "destroySSL", DestroySSL);
+- env->SetProtoMethod(t, "enableCertCb", EnableCertCb);
+
+ StreamBase::AddMethods<TLSWrap>(env, t, StreamBase::kFlagHasWritev);
+ SSLWrap<TLSWrap>::AddMethods(env, t);
+diff -Naur node-v4.6.1.orig/src/tls_wrap.h node-v4.6.1/src/tls_wrap.h
+--- node-v4.6.1.orig/src/tls_wrap.h 2017-04-12 12:40:43.558229441 -0700
++++ node-v4.6.1/src/tls_wrap.h 2017-04-12 13:35:51.214213644 -0700
+@@ -132,7 +132,7 @@
+ static void SetVerifyMode(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EnableSessionCallbacks(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void EnableCertCb(
++ static void EnableHelloParser(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args);
+
+@@ -160,6 +160,10 @@
+ // If true - delivered EOF to the js-land, either after `close_notify`, or
+ // after the `UV_EOF` on socket.
+ bool eof_;
++
++#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
++ v8::Persistent<v8::Value> sni_context_;
++#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ };
+
+ } // namespace node
+diff -Naur node-v4.6.1.orig/test/parallel/test-tls-cnnic-whitelist.js node-v4.6.1/test/parallel/test-tls-cnnic-whitelist.js
+--- node-v4.6.1.orig/test/parallel/test-tls-cnnic-whitelist.js 2017-04-12 12:40:43.865233168 -0700
++++ node-v4.6.1/test/parallel/test-tls-cnnic-whitelist.js 2017-04-12 12:58:14.901936343 -0700
+@@ -53,7 +53,9 @@
+ port: undefined,
+ rejectUnauthorized: true
+ },
+- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
++ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
++ errorCode: 'CERT_UNTRUSTED'
++ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ }
+ ];
+
+diff -Naur node-v4.6.1.orig/test/parallel/test-tls-sni-server-client.js node-v4.6.1/test/parallel/test-tls-sni-server-client.js
+--- node-v4.6.1.orig/test/parallel/test-tls-sni-server-client.js 2017-04-12 12:40:43.878233326 -0700
++++ node-v4.6.1/test/parallel/test-tls-sni-server-client.js 2017-04-12 13:00:18.804418594 -0700
+@@ -56,39 +56,37 @@
+ 'asterisk.test.com': {
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert')
+- },
+- 'chain.example.com': {
+- key: loadPEM('agent6-key'),
+- // NOTE: Contains ca3 chain cert
+- cert: loadPEM('agent6-cert')
+ }
+ };
+
+ const clientsOptions = [{
+ port: undefined,
++ key: loadPEM('agent1-key'),
++ cert: loadPEM('agent1-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'a.b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent3-key'),
++ cert: loadPEM('agent3-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.wrong.com',
+ rejectUnauthorized: false
+-}, {
+- port: undefined,
+- ca: [loadPEM('ca1-cert')],
+- servername: 'chain.example.com',
+- rejectUnauthorized: false
+ }];
+
+ const serverResults = [];
+@@ -80,7 +78,6 @@
+
+ server.addContext('a.example.com', SNIContexts['a.example.com']);
+ server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
+-server.addContext('chain.example.com', SNIContexts['chain.example.com']);
+
+ server.listen(0, startTest);
+
+@@ -128,8 +126,7 @@
+
+ process.on('exit', function() {
+ assert.deepStrictEqual(serverResults, [
+- 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
+- 'chain.example.com'
++ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com'
+ ]);
+- assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
++ assert.deepStrictEqual(clientResults, [true, true, false, false]);
+ });
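Review bot: In the lib/_tls_wrap.js part of this patch, the block moved into the loadSession callback still calls `requestOCSP(self, info, ctx, ...)`, but `info` was the parameter of the removed `oncertcb(info)` and none of the added lines bind it; the surrounding added code only uses `hello` and `session`. Unless `info` is defined in the part of the function that lies outside the hunk, this raises a ReferenceError inside the handshake path whenever the hello parser is enabled (an SNICallback, or an OCSPRequest/resumeSession/newSession listener), and on a server that is presumably an unhandled exception during connection setup. The call should pass the client hello instead: `requestOCSP(self, hello, ctx, function(err) {`. The same line is carried in the nodejs-8.11.1-libressl.patch added below. Separately, replacing `SSL_CTX_add1_chain_cert` with `SSL_CTX_add_extra_chain_cert` drops the reference-count increment that the removed NOTE described, so confirm that the caller, which is not visible here, does not also free `extra_certs`.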
diff --git a/net-libs/nodejs/files/nodejs-8.11.1-libressl.patch b/net-libs/nodejs/files/nodejs-8.11.1-libressl.patch
new file mode 100644
index 0000000..0fe414b
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-8.11.1-libressl.patch
@@ -0,0 +1,894 @@
+diff -Naur node-v8.11.1.orig/lib/_tls_wrap.js node-v8.11.1/lib/_tls_wrap.js
+--- node-v8.11.1.orig/lib/_tls_wrap.js 2018-07-18 17:37:43.066250635 +0800
++++ node-v8.11.1/lib/_tls_wrap.js 2018-07-18 17:38:37.198012271 +0800
+@@ -181,30 +181,33 @@
+ if (err)
+ return self.destroy(err);
+
+- self._handle.endParser();
+- });
+-}
+-
+-
+-function oncertcb(info) {
+- var self = this;
+- var servername = info.servername;
+-
+- loadSNI(self, servername, function(err, ctx) {
+- if (err)
+- return self.destroy(err);
+- requestOCSP(self, info, ctx, function(err) {
++ // Servername came from SSL session
++ // NOTE: TLS Session ticket doesn't include servername information
++ //
++ // Another note, From RFC3546:
++ //
++ // If, on the other hand, the older
++ // session is resumed, then the server MUST ignore extensions appearing
++ // in the client hello, and send a server hello containing no
++ // extensions; in this case the extension functionality negotiated
++ // during the original session initiation is applied to the resumed
++ // session.
++ //
++ // Therefore we should account session loading when dealing with servername
++ var servername = session && session.servername || hello.servername;
++ loadSNI(self, servername, function(err, ctx) {
+ if (err)
+ return self.destroy(err);
+
+- if (!self._handle)
+- return self.destroy(new Error('Socket is closed'));
++ requestOCSP(self, info, ctx, function(err) {
++ if (err)
++ return self.destroy(err);
+
+- try {
+- self._handle.certCbDone();
+- } catch (e) {
+- self.destroy(e);
+- }
++ if (!self._handle)
++ return self.destroy(new Error('Socket is closed'));
++
++ self._handle.endParser();
++ });
+ });
+ });
+ }
+@@ -451,18 +454,15 @@
+ ssl.onhandshakestart = () => onhandshakestart.call(this);
+ ssl.onhandshakedone = () => onhandshakedone.call(this);
+ ssl.onclienthello = (hello) => onclienthello.call(this, hello);
+- ssl.oncertcb = (info) => oncertcb.call(this, info);
+ ssl.onnewsession = (key, session) => onnewsession.call(this, key, session);
+ ssl.lastHandshakeTime = 0;
+ ssl.handshakes = 0;
+
+- if (this.server) {
+- if (this.server.listenerCount('resumeSession') > 0 ||
+- this.server.listenerCount('newSession') > 0) {
+- ssl.enableSessionCallbacks();
+- }
+- if (this.server.listenerCount('OCSPRequest') > 0)
+- ssl.enableCertCb();
++ if (this.server &&
++ (this.server.listenerCount('resumeSession') > 0 ||
++ this.server.listenerCount('newSession') > 0 ||
++ this.server.listenerCount('OCSPRequest') > 0)) {
++ ssl.enableSessionCallbacks();
+ }
+ } else {
+ ssl.onhandshakestart = function() {};
+@@ -506,7 +506,7 @@
+ options.server._contexts.length)) {
+ assert(typeof options.SNICallback === 'function');
+ this._SNICallback = options.SNICallback;
+- ssl.enableCertCb();
++ ssl.enableHelloParser();
+ }
+
+ if (process.features.tls_npn && options.NPNProtocols)
+diff -Naur node-v8.11.1.orig/src/env.h node-v8.11.1/src/env.h
+--- node-v8.11.1.orig/src/env.h 2018-07-18 17:37:43.066250635 +0800
++++ node-v8.11.1/src/env.h 2018-07-18 17:38:37.198012271 +0800
+@@ -113,7 +113,6 @@
+ V(channel_string, "channel") \
+ V(chunks_sent_since_last_write_string, "chunksSentSinceLastWrite") \
+ V(constants_string, "constants") \
+- V(oncertcb_string, "oncertcb") \
+ V(onclose_string, "_onclose") \
+ V(code_string, "code") \
+ V(configurable_string, "configurable") \
+diff -Naur node-v8.11.1.orig/src/node.cc node-v8.11.1/src/node.cc
+--- node-v8.11.1.orig/src/node.cc 2018-07-18 17:37:43.066250635 +0800
++++ node-v8.11.1/src/node.cc 2018-07-18 17:38:37.198012271 +0800
+@@ -214,7 +214,7 @@
+ false;
+ #endif
+
+-# if NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ // used by crypto module
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+@@ -3869,7 +3869,7 @@
+ " (default)"
+ #endif
+ "\n"
+-#if NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ " --enable-fips enable FIPS crypto at startup\n"
+ " --force-fips force FIPS crypto (cannot be disabled)\n"
+ #endif /* NODE_FIPS_MODE */
+@@ -4167,7 +4167,7 @@
+ } else if (strncmp(arg, "--use-bundled-ca", 16) == 0) {
+ use_bundled_ca = true;
+ ssl_openssl_cert_store = false;
+-#if NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ } else if (strcmp(arg, "--enable-fips") == 0) {
+ enable_fips_crypto = true;
+ } else if (strcmp(arg, "--force-fips") == 0) {
+@@ -4882,7 +4882,7 @@
+ if (SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+ crypto::UseExtraCaCerts(extra_ca_certs);
+ }
+-#ifdef NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ // In the case of FIPS builds we should make sure
+ // the random source is properly initialized first.
+ OPENSSL_init();
+diff -Naur node-v8.11.1.orig/src/node_crypto.cc node-v8.11.1/src/node_crypto.cc
+--- node-v8.11.1.orig/src/node_crypto.cc 2018-07-19 00:04:56.069430789 +0800
++++ node-v8.11.1/src/node_crypto.cc 2018-07-19 00:20:25.147879168 +0800
+@@ -108,7 +108,7 @@
+ using v8::Value;
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ static void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e,
+ const BIGNUM** d) {
+ if (n != nullptr) {
+@@ -197,10 +197,12 @@
+ return 1;
+ }
+
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ static int X509_up_ref(X509* cert) {
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ return 1;
+ }
++#endif
+
+ #define EVP_MD_CTX_new EVP_MD_CTX_create
+ #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+@@ -218,7 +220,7 @@
+ HMAC_CTX_cleanup(ctx);
+ free(ctx);
+ }
+-#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
++#endif // _OPENSSL_11_COMPAT
+
+ static const char* const root_certs[] = {
+ #include "node_root_certs.h" // NOLINT(build/include_order)
+@@ -236,7 +238,7 @@
+ template void SSLWrap<TLSWrap>::InitNPN(SecureContext* sc);
+ template void SSLWrap<TLSWrap>::SetSNIContext(SecureContext* sc);
+ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
+ SSL* s,
+ unsigned char* key,
+@@ -275,8 +277,6 @@
+ #endif
+
+ template void SSLWrap<TLSWrap>::DestroySSL();
+-template int SSLWrap<TLSWrap>::SSLCertCallback(SSL* s, void* arg);
+-template void SSLWrap<TLSWrap>::WaitForCertCb(CertCb cb, void* arg);
+
+ #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+ template int SSLWrap<TLSWrap>::SelectALPNCallback(
+@@ -288,7 +288,7 @@
+ void* arg);
+ #endif // TLSEXT_TYPE_application_layer_protocol_negotiation
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ static Mutex* mutexes;
+
+ static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
+@@ -574,7 +574,7 @@
+ SSL_CTX_sess_set_get_cb(sc->ctx_, SSLWrap<Connection>::GetSessionCallback);
+ SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
+ // exposed in the public API. To retain compatibility, install a callback
+ // which restores the old algorithm.
+@@ -693,8 +693,7 @@
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
+ X509* ca = sk_X509_value(extra_certs, i);
+
+- // NOTE: Increments reference count on `ca`
+- r = SSL_CTX_add1_chain_cert(ctx, ca);
++ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+
+ if (!r) {
+ ret = 0;
+@@ -1043,7 +1042,7 @@
+
+ node::Utf8Value curve(env->isolate(), args[0]);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_ecdh_auto(sc->ctx_, 1);
+ #endif
+@@ -1265,7 +1264,7 @@
+ ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+
+ Local<Object> buff = Buffer::New(wrap->env(), 48).ToLocalChecked();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ memcpy(Buffer::Data(buff), wrap->ticket_key_name_, 16);
+ memcpy(Buffer::Data(buff) + 16, wrap->ticket_key_hmac_, 16);
+ memcpy(Buffer::Data(buff) + 32, wrap->ticket_key_aes_, 16);
+@@ -1298,7 +1297,7 @@
+ return env->ThrowTypeError("Ticket keys length must be 48 bytes");
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ memcpy(wrap->ticket_key_name_, Buffer::Data(args[0]), 16);
+ memcpy(wrap->ticket_key_hmac_, Buffer::Data(args[0]) + 16, 16);
+ memcpy(wrap->ticket_key_aes_, Buffer::Data(args[0]) + 32, 16);
+@@ -1316,13 +1315,13 @@
+
+
+ void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ // |freelist_max_len| was removed in OpenSSL 1.1.0. In that version OpenSSL
+ // mallocs and frees buffers directly, without the use of a freelist.
+ SecureContext* wrap;
+ ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+
+- wrap->ctx_->freelist_max_len = args[0]->Int32Value();
++ //wrap->ctx_->freelist_max_len = args[0]->Int32Value();
+ #endif
+ }
+
+@@ -1419,7 +1418,7 @@
+ }
+
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ int SecureContext::TicketCompatibilityCallback(SSL* ssl,
+ unsigned char* name,
+ unsigned char* iv,
+@@ -1503,7 +1502,6 @@
+ env->SetProtoMethod(t, "verifyError", VerifyError);
+ env->SetProtoMethod(t, "getCurrentCipher", GetCurrentCipher);
+ env->SetProtoMethod(t, "endParser", EndParser);
+- env->SetProtoMethod(t, "certCbDone", CertCbDone);
+ env->SetProtoMethod(t, "renegotiate", Renegotiate);
+ env->SetProtoMethod(t, "shutdownSSL", Shutdown);
+ env->SetProtoMethod(t, "getTLSTicket", GetTLSTicket);
+@@ -1559,7 +1557,7 @@
+ }
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ template <class Base>
+ SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
+ unsigned char* key,
+@@ -2576,126 +2574,6 @@
+
+
+ template <class Base>
+-void SSLWrap<Base>::WaitForCertCb(CertCb cb, void* arg) {
+- cert_cb_ = cb;
+- cert_cb_arg_ = arg;
+-}
+-
+-
+-template <class Base>
+-int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) {
+- Base* w = static_cast<Base*>(SSL_get_app_data(s));
+-
+- if (!w->is_server())
+- return 1;
+-
+- if (!w->is_waiting_cert_cb())
+- return 1;
+-
+- if (w->cert_cb_running_)
+- return -1;
+-
+- Environment* env = w->env();
+- HandleScope handle_scope(env->isolate());
+- Context::Scope context_scope(env->context());
+- w->cert_cb_running_ = true;
+-
+- Local<Object> info = Object::New(env->isolate());
+-
+- const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+- if (servername == nullptr) {
+- info->Set(env->servername_string(), String::Empty(env->isolate()));
+- } else {
+- Local<String> str = OneByteString(env->isolate(), servername,
+- strlen(servername));
+- info->Set(env->servername_string(), str);
+- }
+-
+- bool ocsp = false;
+-#ifdef NODE__HAVE_TLSEXT_STATUS_CB
+- ocsp = SSL_get_tlsext_status_type(s) == TLSEXT_STATUSTYPE_ocsp;
+-#endif
+-
+- info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp));
+-
+- Local<Value> argv[] = { info };
+- w->MakeCallback(env->oncertcb_string(), arraysize(argv), argv);
+-
+- if (!w->cert_cb_running_)
+- return 1;
+-
+- // Performing async action, wait...
+- return -1;
+-}
+-
+-
+-template <class Base>
+-void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
+- Base* w;
+- ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
+- Environment* env = w->env();
+-
+- CHECK(w->is_waiting_cert_cb() && w->cert_cb_running_);
+-
+- Local<Object> object = w->object();
+- Local<Value> ctx = object->Get(env->sni_context_string());
+- Local<FunctionTemplate> cons = env->secure_context_constructor_template();
+-
+- // Not an object, probably undefined or null
+- if (!ctx->IsObject())
+- goto fire_cb;
+-
+- if (cons->HasInstance(ctx)) {
+- SecureContext* sc;
+- ASSIGN_OR_RETURN_UNWRAP(&sc, ctx.As<Object>());
+- w->sni_context_.Reset();
+- w->sni_context_.Reset(env->isolate(), ctx);
+-
+- int rv;
+-
+- // NOTE: reference count is not increased by this API methods
+- X509* x509 = SSL_CTX_get0_certificate(sc->ctx_);
+- EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_);
+- STACK_OF(X509)* chain;
+-
+- rv = SSL_CTX_get0_chain_certs(sc->ctx_, &chain);
+- if (rv)
+- rv = SSL_use_certificate(w->ssl_, x509);
+- if (rv)
+- rv = SSL_use_PrivateKey(w->ssl_, pkey);
+- if (rv && chain != nullptr)
+- rv = SSL_set1_chain(w->ssl_, chain);
+- if (rv)
+- rv = w->SetCACerts(sc);
+- if (!rv) {
+- unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
+- if (!err)
+- return env->ThrowError("CertCbDone");
+- return ThrowCryptoError(env, err);
+- }
+- } else {
+- // Failure: incorrect SNI context object
+- Local<Value> err = Exception::TypeError(env->sni_context_err_string());
+- w->MakeCallback(env->onerror_string(), 1, &err);
+- return;
+- }
+-
+- fire_cb:
+- CertCb cb;
+- void* arg;
+-
+- cb = w->cert_cb_;
+- arg = w->cert_cb_arg_;
+-
+- w->cert_cb_running_ = false;
+- w->cert_cb_ = nullptr;
+- w->cert_cb_arg_ = nullptr;
+-
+- cb(arg);
+-}
+-
+-
+-template <class Base>
+ void SSLWrap<Base>::SSLGetter(Local<String> property,
+ const PropertyCallbackInfo<Value>& info) {
+ Base* base;
+@@ -2728,9 +2606,6 @@
+
+ template <class Base>
+ int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
+- int err = SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_));
+- if (err != 1)
+- return err;
+
+ STACK_OF(X509_NAME)* list = SSL_dup_CA_list(
+ SSL_CTX_get_client_CA_list(sc->ctx_));
+@@ -2824,10 +2699,6 @@
+ DEBUG_PRINT("[%p] SSL: %s want read\n", ssl_, func);
+ return 0;
+
+- } else if (err == SSL_ERROR_WANT_X509_LOOKUP) {
+- DEBUG_PRINT("[%p] SSL: %s want x509 lookup\n", ssl_, func);
+- return 0;
+-
+ } else if (err == SSL_ERROR_ZERO_RETURN) {
+ HandleScope scope(ssl_env()->isolate());
+
+@@ -2982,7 +2853,7 @@
+
+ // Call the SNI callback and use its return value as context
+ if (!conn->sniObject_.IsEmpty()) {
+- conn->sni_context_.Reset();
++ conn->sniContext_.Reset();
+
+ Local<Object> sni_obj = PersistentToLocal(env->isolate(),
+ conn->sniObject_);
+@@ -2998,7 +2869,7 @@
+ Local<FunctionTemplate> secure_context_constructor_template =
+ env->secure_context_constructor_template();
+ if (secure_context_constructor_template->HasInstance(ret)) {
+- conn->sni_context_.Reset(env->isolate(), ret);
++ conn->sniContext_.Reset(env->isolate(), ret);
+ SecureContext* sc;
+ ASSIGN_OR_RETURN_UNWRAP(&sc, ret.As<Object>(), SSL_TLSEXT_ERR_NOACK);
+ conn->SetSNIContext(sc);
+@@ -3038,8 +2909,6 @@
+
+ InitNPN(sc);
+
+- SSL_set_cert_cb(conn->ssl_, SSLWrap<Connection>::SSLCertCallback, conn);
+-
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ if (is_server) {
+ SSL_CTX_set_tlsext_servername_callback(sc->ctx_, SelectSNIContextCallback_);
+@@ -3403,7 +3272,7 @@
+ int key_buf_len) {
+ HandleScope scope(env()->isolate());
+
+-#ifdef NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ if (FIPS_mode()) {
+ return env()->ThrowError(
+ "crypto.createCipher() is not supported in FIPS mode.");
+@@ -3439,8 +3308,10 @@
+ cipher_type);
+ }
+
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ if (mode == EVP_CIPH_WRAP_MODE)
+ EVP_CIPHER_CTX_set_flags(ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
++#endif
+
+ CHECK_EQ(1, EVP_CIPHER_CTX_set_key_length(ctx_, key_len));
+
+@@ -3494,8 +3365,10 @@
+
+ ctx_ = EVP_CIPHER_CTX_new();
+
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ if (mode == EVP_CIPH_WRAP_MODE)
+ EVP_CIPHER_CTX_set_flags(ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
++#endif
+
+ const bool encrypt = (kind_ == kCipher);
+ EVP_CipherInit_ex(ctx_, cipher, nullptr, nullptr, nullptr, encrypt);
+@@ -4052,7 +3925,7 @@
+
+ SignBase::Error SignBase::Init(const char* sign_type) {
+ CHECK_EQ(mdctx_, nullptr);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ // Historically, "dss1" and "DSS1" were DSA aliases for SHA-1
+ // exposed through the public API.
+ if (strcmp(sign_type, "dss1") == 0 ||
+@@ -4258,7 +4131,7 @@
+ if (pkey == nullptr || 0 != ERR_peek_error())
+ goto exit;
+
+-#ifdef NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Validate DSA2 parameters from FIPS 186-4 */
+ if (FIPS_mode() && EVP_PKEY_DSA == pkey->type) {
+ size_t L = BN_num_bits(pkey->pkey.dsa->p);
+@@ -5027,7 +4900,7 @@
+
+ void DiffieHellman::SetPrivateKey(const FunctionCallbackInfo<Value>& args) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+- OPENSSL_VERSION_NUMBER < 0x10100070L
++ OPENSSL_VERSION_NUMBER < 0x10100070L && !defined(LIBRESSL_VERSION_NUMBER)
+ // Older versions of OpenSSL 1.1.0 have a DH_set0_key which does not work for
+ // Node. See https://github.com/openssl/openssl/pull/4384.
+ #error "OpenSSL 1.1.0 revisions before 1.1.0g are not supported"
+@@ -6111,13 +5984,13 @@
+ SSL_library_init();
+ OpenSSL_add_all_algorithms();
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ crypto_lock_init();
+ CRYPTO_set_locking_callback(crypto_lock_cb);
+ CRYPTO_THREADID_set_callback(crypto_threadid_cb);
+ #endif
+
+-#ifdef NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Override FIPS settings in cnf file, if needed. */
+ unsigned long err = 0; // NOLINT(runtime/int)
+ if (enable_fips_crypto || force_fips_crypto) {
+@@ -6187,16 +6060,20 @@
+ #endif // !OPENSSL_NO_ENGINE
+
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ if (FIPS_mode()) {
+ args.GetReturnValue().Set(1);
+ } else {
+ args.GetReturnValue().Set(0);
+ }
++#else
++ args.GetReturnValue().Set(0);
++#endif
+ }
+
+ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+ Environment* env = Environment::GetCurrent(args);
+-#ifdef NODE_FIPS_MODE
++#if defined(NODE_FIPS_MODE) && !defined(LIBRESSL_VERSION_NUMBER)
+ const bool enabled = FIPS_mode();
+ const bool enable = args[0]->BooleanValue();
+ if (enable == enabled)
+diff -Naur node-v8.11.1.orig/src/node_crypto.h node-v8.11.1/src/node_crypto.h
+--- node-v8.11.1.orig/src/node_crypto.h 2018-07-18 17:37:43.066250635 +0800
++++ node-v8.11.1/src/node_crypto.h 2018-07-18 19:07:31.798362764 +0800
+@@ -55,6 +55,11 @@
+ # define NODE__HAVE_TLSEXT_STATUS_CB
+ #endif // !defined(OPENSSL_NO_TLSEXT) && defined(SSL_CTX_set_tlsext_status_cb)
+
++#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L) \
++ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
++#define _OPENSSL_11_COMPAT
++#endif
++
+ namespace node {
+ namespace crypto {
+
+@@ -103,14 +108,14 @@
+ static const int kTicketKeyNameIndex = 3;
+ static const int kTicketKeyIVIndex = 4;
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ unsigned char ticket_key_name_[16];
+ unsigned char ticket_key_aes_[16];
+ unsigned char ticket_key_hmac_[16];
+ #endif
+
+ protected:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ static const int64_t kExternalSize = sizeof(SSL_CTX);
+ #else
+ // OpenSSL 1.1.0 has opaque structures. This is an estimate based on the size
+@@ -154,7 +159,7 @@
+ HMAC_CTX* hctx,
+ int enc);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if defined(_OPENSSL_11_COMPAT)
+ static int TicketCompatibilityCallback(SSL* ssl,
+ unsigned char* name,
+ unsigned char* iv,
+@@ -204,10 +209,7 @@
+ kind_(kind),
+ next_sess_(nullptr),
+ session_callbacks_(false),
+- new_session_wait_(false),
+- cert_cb_(nullptr),
+- cert_cb_arg_(nullptr),
+- cert_cb_running_(false) {
++ new_session_wait_(false) {
+ ssl_ = SSL_new(sc->ctx_);
+ env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize);
+ CHECK_NE(ssl_, nullptr);
+@@ -220,10 +222,6 @@
+ next_sess_ = nullptr;
+ }
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- sni_context_.Reset();
+-#endif
+-
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+ ocsp_response_.Reset();
+ #endif // NODE__HAVE_TLSEXT_STATUS_CB
+@@ -234,12 +232,9 @@
+ inline bool is_server() const { return kind_ == kServer; }
+ inline bool is_client() const { return kind_ == kClient; }
+ inline bool is_waiting_new_session() const { return new_session_wait_; }
+- inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; }
+
+ protected:
+- typedef void (*CertCb)(void* arg);
+-
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and
+ // some for buffers.
+ // NOTE: Actually it is much more than this
+@@ -254,7 +249,7 @@
+ static void InitNPN(SecureContext* sc);
+ static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ static SSL_SESSION* GetSessionCallback(SSL* s,
+ unsigned char* key,
+ int len,
+@@ -279,7 +274,6 @@
+ static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
+@@ -321,12 +315,10 @@
+ unsigned int inlen,
+ void* arg);
+ static int TLSExtStatusCallback(SSL* s, void* arg);
+- static int SSLCertCallback(SSL* s, void* arg);
+ static void SSLGetter(v8::Local<v8::String> property,
+ const v8::PropertyCallbackInfo<v8::Value>& info);
+
+ void DestroySSL();
+- void WaitForCertCb(CertCb cb, void* arg);
+ void SetSNIContext(SecureContext* sc);
+ int SetCACerts(SecureContext* sc);
+
+@@ -341,21 +333,12 @@
+ bool session_callbacks_;
+ bool new_session_wait_;
+
+- // SSL_set_cert_cb
+- CertCb cert_cb_;
+- void* cert_cb_arg_;
+- bool cert_cb_running_;
+-
+ ClientHelloParser hello_parser_;
+
+ #ifdef NODE__HAVE_TLSEXT_STATUS_CB
+ v8::Persistent<v8::Object> ocsp_response_;
+ #endif // NODE__HAVE_TLSEXT_STATUS_CB
+
+-#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+- v8::Persistent<v8::Value> sni_context_;
+-#endif
+-
+ friend class SecureContext;
+ };
+
+@@ -367,6 +350,7 @@
+ ~Connection() override {
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ sniObject_.Reset();
++ sniContext_.Reset();
+ servername_.Reset();
+ #endif
+ }
+@@ -381,6 +365,7 @@
+
+ #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ v8::Persistent<v8::Object> sniObject_;
++ v8::Persistent<v8::Value> sniContext_;
+ v8::Persistent<v8::String> servername_;
+ #endif
+
+diff -Naur node-v8.11.1.orig/src/node_crypto_bio.cc node-v8.11.1/src/node_crypto_bio.cc
+--- node-v8.11.1.orig/src/node_crypto_bio.cc 2018-03-30 07:17:17.000000000 +0800
++++ node-v8.11.1/src/node_crypto_bio.cc 2018-07-20 00:38:51.080302783 +0800
+@@ -28,7 +28,12 @@
+ namespace node {
+ namespace crypto {
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L) \
++ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
++#define _OPENSSL_11_COMPAT
++#endif
++
++#if !defined(_OPENSSL_11_COMPAT)
+ #define BIO_set_data(bio, data) bio->ptr = data
+ #define BIO_get_data(bio) bio->ptr
+ #define BIO_set_shutdown(bio, shutdown_) bio->shutdown = shutdown_
+@@ -237,7 +242,7 @@
+
+
+ const BIO_METHOD* NodeBIO::GetMethod() {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if !defined(_OPENSSL_11_COMPAT)
+ static const BIO_METHOD method = {
+ BIO_TYPE_MEM,
+ "node.js SSL buffer",
+diff -Naur node-v8.11.1.orig/src/tls_wrap.cc node-v8.11.1/src/tls_wrap.cc
+--- node-v8.11.1.orig/src/tls_wrap.cc 2018-03-30 07:17:18.000000000 +0800
++++ node-v8.11.1/src/tls_wrap.cc 2018-07-18 19:13:49.731685588 +0800
+@@ -171,8 +171,6 @@
+
+ InitNPN(sc_);
+
+- SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this);
+-
+ if (is_server()) {
+ SSL_set_accept_state(ssl_);
+ } else if (is_client()) {
+@@ -389,7 +387,6 @@
+ case SSL_ERROR_NONE:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+- case SSL_ERROR_WANT_X509_LOOKUP:
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ return scope.Escape(env()->zero_return_string());
+@@ -830,6 +827,11 @@
+ "EnableSessionCallbacks after destroySSL");
+ }
+ wrap->enable_session_callbacks();
++ EnableHelloParser(args);
++}
++
++void TLSWrap::EnableHelloParser(const FunctionCallbackInfo<Value>& args) {
++ TLSWrap* wrap = Unwrap<TLSWrap>(args.Holder());
+ crypto::NodeBIO::FromBIO(wrap->enc_in_)->set_initial(kMaxHelloLength);
+ wrap->hello_parser_.Start(SSLWrap<TLSWrap>::OnClientHello,
+ OnClientHelloParseEnd,
+@@ -855,13 +857,6 @@
+ }
+
+
+-void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) {
+- TLSWrap* wrap;
+- ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+- wrap->WaitForCertCb(OnClientHelloParseEnd, wrap);
+-}
+-
+-
+ void TLSWrap::OnClientHelloParseEnd(void* arg) {
+ TLSWrap* c = static_cast<TLSWrap*>(arg);
+ c->Cycle();
+@@ -980,8 +975,8 @@
+ env->SetProtoMethod(t, "start", Start);
+ env->SetProtoMethod(t, "setVerifyMode", SetVerifyMode);
+ env->SetProtoMethod(t, "enableSessionCallbacks", EnableSessionCallbacks);
++ env->SetProtoMethod(t, "enableHelloParser", EnableHelloParser);
+ env->SetProtoMethod(t, "destroySSL", DestroySSL);
+- env->SetProtoMethod(t, "enableCertCb", EnableCertCb);
+ env->SetProtoMethod(t, "updateWriteQueueSize", UpdateWriteQueueSize);
+
+ StreamBase::AddMethods<TLSWrap>(env, t, StreamBase::kFlagHasWritev);
+diff -Naur node-v8.11.1.orig/src/tls_wrap.h node-v8.11.1/src/tls_wrap.h
+--- node-v8.11.1.orig/src/tls_wrap.h 2018-03-30 07:17:18.000000000 +0800
++++ node-v8.11.1/src/tls_wrap.h 2018-07-18 19:17:45.799658124 +0800
+@@ -159,7 +159,7 @@
+ static void SetVerifyMode(const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void EnableSessionCallbacks(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+- static void EnableCertCb(
++ static void EnableHelloParser(
+ const v8::FunctionCallbackInfo<v8::Value>& args);
+ static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args);
+
+@@ -187,6 +187,9 @@
+ // If true - delivered EOF to the js-land, either after `close_notify`, or
+ // after the `UV_EOF` on socket.
+ bool eof_;
++#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
++ v8::Persistent<v8::Value> sni_context_;
++#endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+
+ private:
+ static void UpdateWriteQueueSize(
+diff -Naur node-v8.11.1.orig/test/parallel/test-tls-cnnic-whitelist.js node-v8.11.1/test/parallel/test-tls-cnnic-whitelist.js
+--- node-v8.11.1.orig/test/parallel/test-tls-cnnic-whitelist.js 2018-03-30 07:17:18.000000000 +0800
++++ node-v8.11.1/test/parallel/test-tls-cnnic-whitelist.js 2018-07-18 19:17:45.799658124 +0800
+@@ -46,7 +46,9 @@
+ port: undefined,
+ rejectUnauthorized: true
+ },
+- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
++ // LibreSSL returns CERT_UNTRUSTED in this case, OpenSSL UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
++ errorCode: 'CERT_UNTRUSTED'
++ // errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ }
+ ];
+
+diff -Naur node-v8.11.1.orig/test/parallel/test-tls-sni-server-client.js node-v8.11.1/test/parallel/test-tls-sni-server-client.js
+--- node-v8.11.1.orig/test/parallel/test-tls-sni-server-client.js 2018-03-30 07:17:18.000000000 +0800
++++ node-v8.11.1/test/parallel/test-tls-sni-server-client.js 2018-07-18 19:17:45.799658124 +0800
+@@ -49,39 +49,37 @@
+ 'asterisk.test.com': {
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert')
+- },
+- 'chain.example.com': {
+- key: loadPEM('agent6-key'),
+- // NOTE: Contains ca3 chain cert
+- cert: loadPEM('agent6-cert')
+ }
+ };
+
+ const clientsOptions = [{
+ port: undefined,
++ key: loadPEM('agent1-key'),
++ cert: loadPEM('agent1-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent2-key'),
++ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'a.b.test.com',
+ rejectUnauthorized: false
+ }, {
+ port: undefined,
++ key: loadPEM('agent3-key'),
++ cert: loadPEM('agent3-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.wrong.com',
+ rejectUnauthorized: false
+-}, {
+- port: undefined,
+- ca: [loadPEM('ca1-cert')],
+- servername: 'chain.example.com',
+- rejectUnauthorized: false
+ }];
+
+ const serverResults = [];
+@@ -93,7 +91,6 @@
+
+ server.addContext('a.example.com', SNIContexts['a.example.com']);
+ server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
+-server.addContext('chain.example.com', SNIContexts['chain.example.com']);
+
+ server.listen(0, startTest);
+
+@@ -122,8 +119,7 @@
+
+ process.on('exit', function() {
+ assert.deepStrictEqual(serverResults, [
+- 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
+- 'chain.example.com'
++ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com'
+ ]);
+- assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
++ assert.deepStrictEqual(clientResults, [true, true, false, false]);
+ });
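Review bot: In the node_crypto.cc part of this patch (the `@@ -693,8 +693,7 @@` hunk), replacing `SSL_CTX_add1_chain_cert(ctx, ca)` with `SSL_CTX_add_extra_chain_cert(ctx, ca)` changes who owns `ca`: the add1 call takes its own reference, as the removed NOTE said, while the extra-chain call hands the caller's reference over to the SSL_CTX. The loop reads `ca` from `extra_certs` with `sk_X509_value`, so if the surrounding function or its caller still frees that stack (that code is outside the patch context), each chain certificate would be freed twice or used after free. I would take a reference before handing it over, `X509_up_ref(ca);` ahead of the call and `X509_free(ca);` in the `if (!r)` branch, assuming the targeted LibreSSL provides `X509_up_ref`, or keep the add1 call where the library has it. The same patch also drops `SSL_set1_verify_cert_store` from `SetCACerts`; a comment there saying which CA store verifies client certificates after an SNI context switch would make that removal reviewable.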
diff --git a/net-libs/nodejs/nodejs-6.11.5.ebuild b/net-libs/nodejs/nodejs-6.11.5.ebuild
new file mode 100644
index 0000000..db8bc4f
--- /dev/null
+++ b/net-libs/nodejs/nodejs-6.11.5.ebuild
@@ -0,0 +1,196 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+RESTRICT="test"
+
+PYTHON_COMPAT=( python2_7 )
+PYTHON_REQ_USE="threads"
+
+inherit bash-completion-r1 eutils flag-o-matic pax-utils python-single-r1 toolchain-funcs
+
+DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
+HOMEPAGE="https://nodejs.org/"
+SRC_URI="https://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz"
+
+LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="amd64 arm ~arm64 ppc ppc64 x86 ~amd64-linux ~x64-macos"
+IUSE="bundled-ssl cpu_flags_x86_sse2 debug doc icu libressl +npm +snapshot +ssl test"
+
+RDEPEND="icu? ( >=dev-libs/icu-56:= )
+ npm? ( ${PYTHON_DEPS} )
+ >=net-libs/http-parser-2.6.2:=
+ >=dev-libs/libuv-1.9.0:=
+ !bundled-ssl? ( >=dev-libs/openssl-1.0.2g:0=[-bindist] )
+ sys-libs/zlib"
+DEPEND="${RDEPEND}
+ ${PYTHON_DEPS}
+ test? ( net-misc/curl )"
+
+S="${WORKDIR}/node-v${PV}"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}
+ libressl? ( bundled-ssl )
+ bundled-ssl? ( ssl )"
+
+PATCHES=(
+ "${FILESDIR}"/gentoo-global-npm-config.patch
+)
+
+pkg_pretend() {
+ (use x86 && ! use cpu_flags_x86_sse2) && \
+ die "Your CPU doesn't support the required SSE2 instruction."
+
+ ( [[ ${MERGE_TYPE} != "binary" ]] && ! test-flag-CXX -std=c++11 ) && \
+ die "Your compiler doesn't support C++11. Use GCC 4.8, Clang 3.3 or newer."
+}
+
+src_prepare() {
+ tc-export CC CXX PKG_CONFIG
+ export V=1
+ export BUILDTYPE=Release
+
+ # fix compilation on Darwin
+ # https://code.google.com/p/gyp/issues/detail?id=260
+ sed -i -e "/append('-arch/d" tools/gyp/pylib/gyp/xcode_emulation.py || die
+
+ # make sure we use python2.* while using gyp
+ sed -i -e "s/python/${EPYTHON}/" deps/npm/node_modules/node-gyp/gyp/gyp || die
+ sed -i -e "s/|| 'python'/|| '${EPYTHON}'/" deps/npm/node_modules/node-gyp/lib/configure.js || die
+
+ # less verbose install output (stating the same as portage, basically)
+ sed -i -e "/print/d" tools/install.py || die
+
+ # proper libdir, hat tip @ryanpcmcquen https://github.com/iojs/io.js/issues/504
+ local LIBDIR=$(get_libdir)
+ sed -i -e "s|lib/|${LIBDIR}/|g" tools/install.py || die
+ sed -i -e "s/'lib'/'${LIBDIR}'/" lib/module.js || die
+ sed -i -e "s|\"lib\"|\"${LIBDIR}\"|" deps/npm/lib/npm.js || die
+
+ # Avoid writing a depfile, not useful
+ sed -i -e "/DEPFLAGS =/d" tools/gyp/pylib/gyp/generator/make.py || die
+
+ # Avoid a test that I've only been able to reproduce from emerge. It doesnt
+ # seem sandbox related either (invoking it from a sandbox works fine).
+ # The issue is that no stdin handle is openened when asked for one.
+ # It doesn't really belong upstream , so it'll just be removed until someone
+ # with more gentoo-knowledge than me (jbergstroem) figures it out.
+ rm test/parallel/test-stdout-close-unref.js || die
+
+ # debug builds. change install path, remove optimisations and override buildtype
+ if use debug; then
+ sed -i -e "s|out/Release/|out/Debug/|g" tools/install.py || die
+ BUILDTYPE=Debug
+ fi
+
+ default
+}
+
+src_configure() {
+ local myarch=""
+ local myconf=( --shared-libuv --shared-http-parser --shared-zlib )
+ use npm || myconf+=( --without-npm )
+ use icu && myconf+=( --with-intl=system-icu )
+ use snapshot && myconf+=( --with-snapshot )
+ use bundled-ssl || myconf+=( --shared-openssl )
+ use ssl || myconf+=( --without-ssl )
+ use debug && myconf+=( --debug )
+
+ case ${ABI} in
+ amd64) myarch="x64";;
+ arm) myarch="arm";;
+ arm64) myarch="arm64";;
+ ppc64) myarch="ppc64";;
+ x32) myarch="x32";;
+ x86) myarch="ia32";;
+ *) myarch="${ABI}";;
+ esac
+
+ GYP_DEFINES="linux_use_gold_flags=0
+ linux_use_bundled_binutils=0
+ linux_use_bundled_gold=0" \
+ "${PYTHON}" configure \
+ --prefix="${EPREFIX}"/usr \
+ --dest-cpu=${myarch} \
+ --without-dtrace \
+ "${myconf[@]}" || die
+}
+
+src_compile() {
+ emake -C out mksnapshot
+ pax-mark m "out/${BUILDTYPE}/mksnapshot"
+ emake -C out
+}
+
+src_install() {
+ local LIBDIR="${ED}/usr/$(get_libdir)"
+ emake install DESTDIR="${D}"
+ pax-mark -m "${ED}"usr/bin/node
+
+ # set up a symlink structure that node-gyp expects..
+ dodir /usr/include/node/deps/{v8,uv}
+ dosym . /usr/include/node/src
+ for var in deps/{uv,v8}/include; do
+ dosym ../.. /usr/include/node/${var}
+ done
+
+ if use doc; then
+ # Patch docs to make them offline readable
+ for i in `grep -rl 'fonts.googleapis.com' "${S}"/out/doc/api/*`; do
+ sed -i '/fonts.googleapis.com/ d' $i;
+ done
+ # Install docs!
+ dohtml -r "${S}"/doc/*
+ fi
+
+ if use npm; then
+ dodir /etc/npm
+
+ # Install bash completion for `npm`
+ # We need to temporarily replace default config path since
+ # npm otherwise tries to write outside of the sandbox
+ local npm_config="usr/$(get_libdir)/node_modules/npm/lib/config/core.js"
+ sed -i -e "s|'/etc'|'${ED}/etc'|g" "${ED}/${npm_config}" || die
+ local tmp_npm_completion_file="$(emktemp)"
+ "${ED}/usr/bin/npm" completion > "${tmp_npm_completion_file}"
+ newbashcomp "${tmp_npm_completion_file}" npm
+ sed -i -e "s|'${ED}/etc'|'/etc'|g" "${ED}/${npm_config}" || die
+
+ # Move man pages
+ doman "${LIBDIR}"/node_modules/npm/man/man{1,5,7}/*
+
+ # Clean up
+ rm "${LIBDIR}"/node_modules/npm/{.mailmap,.npmignore,Makefile} || die
+ rm -rf "${LIBDIR}"/node_modules/npm/{doc,html,man} || die
+
+ local find_exp="-or -name"
+ local find_name=()
+ for match in "AUTHORS*" "CHANGELOG*" "CONTRIBUT*" "README*" \
+ ".travis.yml" ".eslint*" ".wercker.yml" ".npmignore" \
+ "*.md" "*.markdown" "*.bat" "*.cmd"; do
+ find_name+=( ${find_exp} "${match}" )
+ done
+
+ # Remove various development and/or inappropriate files and
+ # useless docs of dependend packages.
+ find "${LIBDIR}"/node_modules \
+ \( -type d -name examples \) -or \( -type f \( \
+ -iname "LICEN?E*" \
+ "${find_name[@]}" \
+ \) \) -exec rm -rf "{}" \;
+ fi
+}
+
+src_test() {
+ out/${BUILDTYPE}/cctest || die
+ "${PYTHON}" tools/test.py --mode=${BUILDTYPE,,} -J message parallel sequential || die
+}
+
+pkg_postinst() {
+ einfo "The global npm config lives in /etc/npm. This deviates slightly"
+ einfo "from upstream which otherwise would have it live in /usr/etc/."
+ einfo ""
+ einfo "Protip: When using node-gyp to install native modules, you can"
+ einfo "avoid having to download extras by doing the following:"
+ einfo "$ node-gyp --nodedir /usr/include/node <command>"
+}
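Review bot: `libressl? ( bundled-ssl )` in REQUIRED_USE means that setting the `libressl` flag does not link LibreSSL here. No LibreSSL patch is applied in this ebuild, so the flag only forces the OpenSSL copy vendored in the node tarball, which gets TLS fixes through a bump of this ebuild and not through system library updates. That should be visible to users, for example a comment above REQUIRED_USE such as `# libressl: not supported for 6.x, falls back to node's bundled OpenSSL`, and an `ewarn` in pkg_postinst when `bundled-ssl` is enabled. The openssl atom in RDEPEND is also not wrapped in `ssl? ( ... )`, so `USE="-ssl -bundled-ssl"` still pulls in OpenSSL and passes both `--shared-openssl` and `--without-ssl` to configure. Separately, in src_install here and in nodejs-8.11.1.ebuild the `-exec rm -rf` binds only to the `-type f` alternative, so `examples` directories are matched but never removed; grouping both alternatives in one `\( ... \)` before `-exec` fixes that.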
diff --git a/net-libs/nodejs/nodejs-8.11.1.ebuild b/net-libs/nodejs/nodejs-8.11.1.ebuild
new file mode 100644
index 0000000..fe093d5
--- /dev/null
+++ b/net-libs/nodejs/nodejs-8.11.1.ebuild
@@ -0,0 +1,208 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+RESTRICT="test"
+
+PYTHON_COMPAT=( python2_7 )
+PYTHON_REQ_USE="threads"
+
+inherit bash-completion-r1 eutils flag-o-matic pax-utils python-single-r1 toolchain-funcs
+
+DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
+HOMEPAGE="https://nodejs.org/"
+SRC_URI="https://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz"
+
+LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x64-macos"
+IUSE="cpu_flags_x86_sse2 debug doc icu inspector libressl +npm +snapshot +ssl systemtap test"
+REQUIRED_USE="
+ ${PYTHON_REQUIRED_USE}
+ inspector? ( icu ssl )
+"
+
+RDEPEND="
+ >=dev-libs/libuv-1.19.1:=
+ >=net-libs/http-parser-2.8.0:=
+ >=net-libs/nghttp2-1.25.0
+ sys-libs/zlib
+ icu? ( >=dev-libs/icu-60.1:= )
+ ssl? (
+ !libressl? ( >=dev-libs/openssl-1.0.2n:0=[-bindist] )
+ libressl? ( dev-libs/libressl:= )
+ )
+"
+DEPEND="${RDEPEND}
+ ${PYTHON_DEPS}
+ systemtap? ( dev-util/systemtap )
+ test? ( net-misc/curl )"
+
+S="${WORKDIR}/node-v${PV}"
+
+PATCHES=(
+ "${FILESDIR}"/gentoo-global-npm-config.patch
+)
+
+pkg_pretend() {
+ (use x86 && ! use cpu_flags_x86_sse2) && \
+ die "Your CPU doesn't support the required SSE2 instruction."
+
+ ( [[ ${MERGE_TYPE} != "binary" ]] && ! test-flag-CXX -std=c++11 ) && \
+ die "Your compiler doesn't support C++11. Use GCC 4.8, Clang 3.3 or newer."
+}
+
+src_prepare() {
+ tc-export CC CXX PKG_CONFIG
+ export V=1
+ export BUILDTYPE=Release
+
+ # fix compilation on Darwin
+ # https://code.google.com/p/gyp/issues/detail?id=260
+ sed -i -e "/append('-arch/d" tools/gyp/pylib/gyp/xcode_emulation.py || die
+
+ # make sure we use python2.* while using gyp
+ sed -i -e "s/python/${EPYTHON}/" deps/npm/node_modules/node-gyp/gyp/gyp || die
+ sed -i -e "s/|| 'python2'/|| '${EPYTHON}'/" deps/npm/node_modules/node-gyp/lib/configure.js || die
+
+ # less verbose install output (stating the same as portage, basically)
+ sed -i -e "/print/d" tools/install.py || die
+
+ # proper libdir, hat tip @ryanpcmcquen https://github.com/iojs/io.js/issues/504
+ local LIBDIR=$(get_libdir)
+ sed -i -e "s|lib/|${LIBDIR}/|g" tools/install.py || die
+ sed -i -e "s/'lib'/'${LIBDIR}'/" lib/module.js deps/npm/lib/npm.js || die
+
+ # Avoid writing a depfile, not useful
+ sed -i -e "/DEPFLAGS =/d" tools/gyp/pylib/gyp/generator/make.py || die
+
+ sed -i -e "/'-O3'/d" common.gypi deps/v8/gypfiles/toolchain.gypi || die
+
+ # Avoid a test that I've only been able to reproduce from emerge. It doesnt
+ # seem sandbox related either (invoking it from a sandbox works fine).
+ # The issue is that no stdin handle is openened when asked for one.
+ # It doesn't really belong upstream , so it'll just be removed until someone
+ # with more gentoo-knowledge than me (jbergstroem) figures it out.
+ rm test/parallel/test-stdout-close-unref.js || die
+
+ # debug builds. change install path, remove optimisations and override buildtype
+ if use debug; then
+ sed -i -e "s|out/Release/|out/Debug/|g" tools/install.py || die
+ BUILDTYPE=Debug
+ fi
+
+ if use libressl; then
+ epatch "${FILESDIR}"/nodejs-8.11.1-libressl.patch
+ fi
+
+ default
+}
+
+src_configure() {
+ local myconf=( --shared-http-parser --shared-libuv --shared-nghttp2 --shared-zlib )
+ use debug && myconf+=( --debug )
+ use icu && myconf+=( --with-intl=system-icu ) || myconf+=( --with-intl=none )
+ use inspector || myconf+=( --without-inspector )
+ use npm || myconf+=( --without-npm )
+ use snapshot && myconf+=( --with-snapshot )
+ use ssl && myconf+=( --shared-openssl ) || myconf+=( --without-ssl )
+
+ local myarch=""
+ case ${ABI} in
+ amd64) myarch="x64";;
+ arm) myarch="arm";;
+ arm64) myarch="arm64";;
+ ppc64) myarch="ppc64";;
+ x32) myarch="x32";;
+ x86) myarch="ia32";;
+ *) myarch="${ABI}";;
+ esac
+
+ GYP_DEFINES="linux_use_gold_flags=0
+ linux_use_bundled_binutils=0
+ linux_use_bundled_gold=0" \
+ "${PYTHON}" configure \
+ --prefix="${EPREFIX}"/usr \
+ --dest-cpu=${myarch} \
+ $(use_with systemtap dtrace) \
+ "${myconf[@]}" || die
+}
+
+src_compile() {
+ emake -C out mksnapshot
+ pax-mark m "out/${BUILDTYPE}/mksnapshot"
+ emake -C out
+}
+
+src_install() {
+ local LIBDIR="${ED}/usr/$(get_libdir)"
+ emake install DESTDIR="${D}"
+ pax-mark -m "${ED}"usr/bin/node
+
+ # set up a symlink structure that node-gyp expects..
+ dodir /usr/include/node/deps/{v8,uv}
+ dosym . /usr/include/node/src
+ for var in deps/{uv,v8}/include; do
+ dosym ../.. /usr/include/node/${var}
+ done
+
+ if use doc; then
+ # Patch docs to make them offline readable
+ for i in `grep -rl 'fonts.googleapis.com' "${S}"/out/doc/api/*`; do
+ sed -i '/fonts.googleapis.com/ d' $i;
+ done
+ # Install docs!
+ dohtml -r "${S}"/doc/*
+ fi
+
+ if use npm; then
+ dodir /etc/npm
+
+ # Install bash completion for `npm`
+ # We need to temporarily replace default config path since
+ # npm otherwise tries to write outside of the sandbox
+ local npm_config="usr/$(get_libdir)/node_modules/npm/lib/config/core.js"
+ sed -i -e "s|'/etc'|'${ED}/etc'|g" "${ED}/${npm_config}" || die
+ local tmp_npm_completion_file="$(emktemp)"
+ "${ED}/usr/bin/npm" completion > "${tmp_npm_completion_file}"
+ newbashcomp "${tmp_npm_completion_file}" npm
+ sed -i -e "s|'${ED}/etc'|'/etc'|g" "${ED}/${npm_config}" || die
+
+ # Move man pages
+ doman "${LIBDIR}"/node_modules/npm/man/man{1,5,7}/*
+
+ # Clean up
+ rm "${LIBDIR}"/node_modules/npm/{.mailmap,.npmignore,Makefile} || die
+ rm -rf "${LIBDIR}"/node_modules/npm/{doc,html,man} || die
+
+ local find_exp="-or -name"
+ local find_name=()
+ for match in "AUTHORS*" "CHANGELOG*" "CONTRIBUT*" "README*" \
+ ".travis.yml" ".eslint*" ".wercker.yml" ".npmignore" \
+ "*.md" "*.markdown" "*.bat" "*.cmd"; do
+ find_name+=( ${find_exp} "${match}" )
+ done
+
+ # Remove various development and/or inappropriate files and
+ # useless docs of dependend packages.
+ find "${LIBDIR}"/node_modules \
+ \( -type d -name examples \) -or \( -type f \( \
+ -iname "LICEN?E*" \
+ "${find_name[@]}" \
+ \) \) -exec rm -rf "{}" \;
+ fi
+}
+
+src_test() {
+ out/${BUILDTYPE}/cctest || die
+ "${PYTHON}" tools/test.py --mode=${BUILDTYPE,,} -J message parallel sequential || die
+}
+
+pkg_postinst() {
+ einfo "The global npm config lives in /etc/npm. This deviates slightly"
+ einfo "from upstream which otherwise would have it live in /usr/etc/."
+ einfo ""
+ einfo "Protip: When using node-gyp to install native modules, you can"
+ einfo "avoid having to download extras by doing the following:"
+ einfo "$ node-gyp --nodedir /usr/include/node <command>"
+}
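Review bot: `RESTRICT="test"` near the top is unconditional, so `src_test` and the `test? ( net-misc/curl )` dependency are dead, and whatever `nodejs-8.11.1-libressl.patch` changes under `use libressl` is never exercised at build time. A patch that adapts node to a different TLS library is the part most worth testing; consider `RESTRICT="!test? ( test )"`, or at least a comment on the RESTRICT line naming the tests that fail and why. The tail of that patch appears to remove the `chain.example.com` case from an SNI test instead of adapting it, which deserves a comment next to the `epatch` call explaining the LibreSSL limitation. `dev-libs/libressl:=` also has no minimum version, although the patch is presumably written against a particular LibreSSL API level, and the patch is applied whenever `libressl` is set, even with `ssl` disabled.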