File 8334.diff of Package nodejs4
Author: Adam Majer <amajer@suse.de>
Summary: Add compile time option to use system CA store instead of bundled ones
diff --git a/configure b/configure
index 42dac5f..0dd5fd4 100755
--- a/configure
+++ b/configure
@@ -187,6 +187,11 @@ shared_optgroup.add_option('--shared-openssl-libpath',
dest='shared_openssl_libpath',
help='a directory to search for the shared OpenSSL DLLs')
+shared_optgroup.add_option('--use-system-ca-store',
+ action='store_true',
+ dest='use_system_ca_store',
+ help='use system supplied Root CA store instead of bundled copy')
+
shared_optgroup.add_option('--shared-zlib',
action='store_true',
dest='shared_zlib',
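Review bot: The new option is registered in `shared_optgroup`, whose neighbours (`--shared-openssl-libpath`, `--shared-zlib`) choose between bundled and shared libraries, whereas `--use-system-ca-store` changes the TLS trust source at build time; it reads more naturally beside the other OpenSSL behaviour switches that `configure_openssl` consumes (the `openssl_no_asm` / `openssl_fips` options visible in the next hunk), assuming that group is where those are declared. The help string could also name the mechanism so packagers know what "system supplied" means: `help='use the system Root CA store (OpenSSL default verify paths) instead of the bundled copy'`.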
@@ -905,6 +910,8 @@ def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+ if options.use_system_ca_store:
+ o['defines'] += ['NODE_SYSTEM_CERT_STORE']
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 9cf216f..ec7f7d2 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -751,6 +751,23 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
CHECK_EQ(sc->ca_store_, nullptr);
if (!root_cert_store) {
+#if defined(NODE_SYSTEM_CERT_STORE)
+ // *Assume* OpenSSL is setup correctly, which is the case
+ // for distribution supplied versions.
+ //
+ // If this does not work, define SSL_CERT_DIR environment
+ if (SSL_CTX_set_default_verify_paths(sc->ctx_)) {
+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+ // root_cert_store created here is already assigned to the SSL_CTX
+ // so when it is assigned again below, the reference is dropped by 1
+ // and then we will delete root store with the SSL_CTX deletion.
+ // Increase references to 2 to avoid this scenario.
+ CRYPTO_add(&root_cert_store->references, 1, CRYPTO_LOCK_X509_STORE);
+ } else {
+ // failed to load, default to nothing
+ root_cert_store = X509_STORE_new();
+ }
+#else /* Use supplied certificates */
root_cert_store = X509_STORE_new();
for (size_t i = 0; i < arraysize(root_certs); i++) {
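Review bot: The added `CRYPTO_add(&root_cert_store->references, 1, CRYPTO_LOCK_X509_STORE)` (and the identical call in the next hunk) reaches into the X509_STORE struct, which is only possible while OpenSSL keeps it public; OpenSSL 1.1.0 makes the struct opaque and offers `X509_STORE_up_ref()`, so the distribution build this option targets stops compiling once the system OpenSSL moves forward. A version-guarded wrapper keeps both paths, as sketched below. The fallback branch also deserves a sharper comment than `failed to load, default to nothing`: an empty store means every peer certificate fails verification (fail closed, which is the right default), and the errors `SSL_CTX_set_default_verify_paths` left on the queue are never consumed, so an `ERR_clear_error()` or a one-time warning would make the misconfiguration diagnosable rather than surfacing as an unrelated TLS error later. AddRootCerts begins before this hunk and continues into the next.
```cpp
      // … unchanged: SSL_CTX_set_default_verify_paths / SSL_CTX_get_cert_store …
      // The store is already owned by this SSL_CTX; take a second reference so the
      // global root_cert_store survives SSL_CTX_set_cert_store() and SSL_CTX_free().
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
      X509_STORE_up_ref(root_cert_store);
#else
      CRYPTO_add(&root_cert_store->references, 1, CRYPTO_LOCK_X509_STORE);
#endif
```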
@@ -770,9 +787,12 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
BIO_free_all(bp);
X509_free(x509);
}
+#endif // defined(USE_SYSTEM_CERTIFICATE_STORE)
}
sc->ca_store_ = root_cert_store;
+ // increment reference count so global store is not deleted along with CTX
+ CRYPTO_add(&root_cert_store->references, 1, CRYPTO_LOCK_X509_STORE);
SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
}
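Review bot: The new `#endif` comment names `USE_SYSTEM_CERTIFICATE_STORE`, but the `#if` it closes (in the previous hunk) tests `NODE_SYSTEM_CERT_STORE`, which is also the macro `configure` defines; the mismatch will send the next reader grepping for a symbol that does not exist, so it should read `#endif  // defined(NODE_SYSTEM_CERT_STORE)`. The comment on the reference increment could state the ownership rule it relies on rather than just the effect, e.g. `// SSL_CTX_set_cert_store() takes ownership of one reference; add one so the shared root_cert_store outlives this SSL_CTX`, which also explains why the system-store path in the previous hunk needs its own extra increment before this one. AddRootCerts begins before the previous hunk.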
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 24ac773..fd3e2ce 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -142,13 +142,6 @@ class SecureContext : public BaseObject {
void FreeCTXMem() {
if (ctx_) {
env()->isolate()->AdjustAmountOfExternalAllocatedMemory(-kExternalSize);
- if (ctx_->cert_store == root_cert_store) {
- // SSL_CTX_free() will attempt to free the cert_store as well.
- // Since we want our root_cert_store to stay around forever
- // we just clear the field. Hopefully OpenSSL will not modify this
- // struct in future versions.
- ctx_->cert_store = nullptr;
- }
SSL_CTX_free(ctx_);
if (cert_ != nullptr)
X509_free(cert_);