another try

fix #6663

deps/openssl/openssl.gyp

@@ -12,18 +12,6 @@
     {
       'target_name': 'openssl',
       'type': '<(library)',
-      'defines': [
-        # No clue what these are for.
-        'L_ENDIAN',
-        'PURIFY',
-        '_REENTRANT',
-
-        # Heartbeat is a TLS extension, that couldn't be turned off or
-        # asked to be not advertised. Unfortunately this is unacceptable for
-        # Microsoft's IIS, which seems to be ignoring whole ClientHello after
-        # seeing this extension.
-        'OPENSSL_NO_HEARTBEATS',
-      ],
       'sources': [
         'openssl/ssl/bio_ssl.c',
         'openssl/ssl/d1_both.c',
@@ -935,32 +923,12 @@
           ]
         }],
         ['OS=="win"', {
-          'defines': [
-            'MK1MF_BUILD',
-            'WIN32_LEAN_AND_MEAN'
-          ],
           'link_settings': {
             'libraries': [
               '-lgdi32.lib',
               '-luser32.lib',
             ]
           }
-        }, {
-          'defines': [
-            # ENGINESDIR must be defined if OPENSSLDIR is.
-            'ENGINESDIR="/dev/null"',
-            # Set to ubuntu default path for convenience. If necessary, override
-            # this at runtime with the SSL_CERT_DIR environment variable.
-            'OPENSSLDIR="/etc/ssl"',
-            'TERMIOS',
-          ],
-          'cflags': ['-Wno-missing-field-initializers'],
-        }],
-        ['is_clang==1 or gcc_version>=43', {
-          'cflags': ['-Wno-old-style-declaration'],
-        }],
-        ['OS=="solaris"', {
-          'defines': ['__EXTENSIONS__'],
         }],
         ['target_arch=="arm"', {
           'sources': ['openssl/crypto/armcap.c'],
@@ -981,7 +949,153 @@
         'include_dirs': ['openssl/include'],
       },
     },
+    {
+      'target_name': 'openssl-cli',
+      'type': 'executable',
+      'dependencies': [
+        'openssl',
+      ],
+      'defines': [
+        'MONOLITH',
+      ],
+      'sources': [
+        'openssl/apps/app_rand.c',
+        'openssl/apps/apps.c',
+        'openssl/apps/asn1pars.c',
+        'openssl/apps/ca.c',
+        'openssl/apps/ciphers.c',
+        'openssl/apps/cms.c',
+        'openssl/apps/crl.c',
+        'openssl/apps/crl2p7.c',
+        'openssl/apps/dgst.c',
+        'openssl/apps/dh.c',
+        'openssl/apps/dhparam.c',
+        'openssl/apps/dsa.c',
+        'openssl/apps/dsaparam.c',
+        'openssl/apps/ec.c',
+        'openssl/apps/ecparam.c',
+        'openssl/apps/enc.c',
+        'openssl/apps/engine.c',
+        'openssl/apps/errstr.c',
+        'openssl/apps/gendh.c',
+        'openssl/apps/gendsa.c',
+        'openssl/apps/genpkey.c',
+        'openssl/apps/genrsa.c',
+        'openssl/apps/nseq.c',
+        'openssl/apps/ocsp.c',
+        'openssl/apps/openssl.c',
+        'openssl/apps/passwd.c',
+        'openssl/apps/pkcs12.c',
+        'openssl/apps/pkcs7.c',
+        'openssl/apps/pkcs8.c',
+        'openssl/apps/pkey.c',
+        'openssl/apps/pkeyparam.c',
+        'openssl/apps/pkeyutl.c',
+        'openssl/apps/prime.c',
+        'openssl/apps/rand.c',
+        'openssl/apps/req.c',
+        'openssl/apps/rsa.c',
+        'openssl/apps/rsautl.c',
+        'openssl/apps/s_cb.c',
+        'openssl/apps/s_client.c',
+        'openssl/apps/s_server.c',
+        'openssl/apps/s_socket.c',
+        'openssl/apps/s_time.c',
+        'openssl/apps/sess_id.c',
+        'openssl/apps/smime.c',
+        'openssl/apps/speed.c',
+        'openssl/apps/spkac.c',
+        'openssl/apps/srp.c',
+        'openssl/apps/ts.c',
+        'openssl/apps/verify.c',
+        'openssl/apps/version.c',
+        'openssl/apps/x509.c',
+      ],
+      'conditions': [
+        ['OS=="solaris"', {
+          'libraries': [
+            '-lsocket',
+            '-lnsl',
+          ]
+        }],
+        ['OS=="win"', {
+          'link_settings': {
+            'libraries': [
+              '-lws2_32.lib',
+              '-lgdi32.lib',
+              '-ladvapi32.lib',
+              '-lcrypt32.lib',
+              '-luser32.lib',
+            ],
+          },
+        }]
+      ]
+    }
   ],
+  'target_defaults': {
+    'include_dirs': [
+      '.',
+      'openssl',
+      'openssl/crypto',
+      'openssl/crypto/asn1',
+      'openssl/crypto/evp',
+      'openssl/crypto/md2',
+      'openssl/crypto/modes',
+      'openssl/crypto/store',
+      'openssl/include',
+    ],
+    'defines': [
+      # No clue what these are for.
+      'L_ENDIAN',
+      'PURIFY',
+      '_REENTRANT',
+
+      # Heartbeat is a TLS extension, that couldn't be turned off or
+      # asked to be not advertised. Unfortunately this is unacceptable for
+      # Microsoft's IIS, which seems to be ignoring whole ClientHello after
+      # seeing this extension.
+      'OPENSSL_NO_HEARTBEATS',
+    ],
+    'conditions': [
+      ['OS=="win"', {
+        'defines': [
+          'MK1MF_BUILD',
+          'WIN32_LEAN_AND_MEAN',
+          'OPENSSL_SYSNAME_WIN32',
+        ],
+      }, {
+        'defines': [
+          # ENGINESDIR must be defined if OPENSSLDIR is.
+          'ENGINESDIR="/dev/null"',
+          'TERMIOS',
+        ],
+        'cflags': ['-Wno-missing-field-initializers'],
+        'conditions': [
+          ['OS=="mac"', {
+            'defines': [
+              # Set to ubuntu default path for convenience. If necessary,
+              # override this at runtime with the SSL_CERT_DIR environment
+              # variable.
+              'OPENSSLDIR="/System/Library/OpenSSL/"',
+            ],
+          }, {
+            'defines': [
+              # Set to ubuntu default path for convenience. If necessary,
+              # override this at runtime with the SSL_CERT_DIR environment
+              # variable.
+              'OPENSSLDIR="/etc/ssl"',
+            ],
+          }],
+        ]
+      }],
+      ['is_clang==1 or gcc_version>=43', {
+        'cflags': ['-Wno-old-style-declaration'],
+      }],
+      ['OS=="solaris"', {
+        'defines': ['__EXTENSIONS__'],
+      }],
+    ],
+  },
 }
 
 # Local Variables:

deps/openssl/openssl/apps/s_client.c

@@ -178,6 +178,13 @@ typedef unsigned int u_int;
 #include <fcntl.h>
 #endif
 
+/* Use Windows API with STD_INPUT_HANDLE when checking for input?
+   Don't look at OPENSSL_SYS_MSDOS for this, since it is always defined if
+   OPENSSL_SYS_WINDOWS is defined */
+#if defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WINCE) && defined(STD_INPUT_HANDLE)
+#define OPENSSL_USE_STD_INPUT_HANDLE
+#endif
+
 #undef PROG
 #define PROG	s_client_main
 
@@ -1604,10 +1611,10 @@ SSL_set_tlsext_status_ids(con, ids);
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
-#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
-					if(!i && (!_kbhit() || !read_tty) ) continue;
-#else
+#if defined(OPENSSL_USE_STD_INPUT_HANDLE)
 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
+#else
+					if(!i && (!_kbhit() || !read_tty) ) continue;
 #endif
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					 NULL,timeoutp);
@@ -1812,10 +1819,10 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 			}
 
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
-		else if (_kbhit())
-#else
+#if defined(OPENSSL_USE_STD_INPUT_HANDLE)
 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
+#else
+		else if (_kbhit())
 #endif
 #elif defined (OPENSSL_SYS_NETWARE)
 		else if (_kbhit())

node.gyp

@@ -177,7 +177,12 @@
           ],
           'conditions': [
             [ 'node_shared_openssl=="false"', {
-              'dependencies': [ './deps/openssl/openssl.gyp:openssl' ],
+              'dependencies': [
+                './deps/openssl/openssl.gyp:openssl',
+
+                # For tests
+                './deps/openssl/openssl.gyp:openssl-cli'
+              ],
             }]]
         }, {
           'defines': [ 'HAVE_OPENSSL=0' ]

test/common.js

@@ -30,8 +30,10 @@ exports.PORT = +process.env.NODE_COMMON_PORT || 12346;
 
 if (process.platform === 'win32') {
   exports.PIPE = '\\\\.\\pipe\\libuv-test';
+  exports.opensslCli = path.join(process.execPath, '..', 'openssl-cli.exe');
 } else {
   exports.PIPE = exports.tmpDir + '/test.sock';
+  exports.opensslCli = path.join(process.execPath, '..', 'openssl-cli');
 }
 
 var util = require('util');

test/pummel/test-https-ci-reneg-attack.js

@@ -29,11 +29,6 @@ var fs = require('fs');
 // renegotiation limits to test
 var LIMITS = [0, 1, 2, 3, 5, 10, 16];
 
-if (process.platform === 'win32') {
-  console.log('Skipping test, you probably don\'t have openssl installed.');
-  process.exit();
-}
-
 (function() {
   var n = 0;
   function next() {
@@ -65,7 +60,7 @@ function test(next) {
 
   server.listen(common.PORT, function() {
     var args = ('s_client -connect 127.0.0.1:' + common.PORT).split(' ');
-    var child = spawn('openssl', args);
+    var child = spawn(common.opensslCli, args);
 
     child.stdout.pipe(process.stdout);
     child.stderr.pipe(process.stderr);

test/pummel/test-tls-ci-reneg-attack.js

@@ -28,11 +28,6 @@ var fs = require('fs');
 // renegotiation limits to test
 var LIMITS = [0, 1, 2, 3, 5, 10, 16];
 
-if (process.platform === 'win32') {
-  console.log('Skipping test, you probably don\'t have openssl installed.');
-  process.exit();
-}
-
 (function() {
   var n = 0;
   function next() {
@@ -63,7 +58,7 @@ function test(next) {
 
   server.listen(common.PORT, function() {
     var args = ('s_client -connect 127.0.0.1:' + common.PORT).split(' ');
-    var child = spawn('openssl', args);
+    var child = spawn(common.opensslCli, args);
 
     child.stdout.pipe(process.stdout);
     child.stderr.pipe(process.stderr);

test/pummel/test-tls-securepair-client.js

@@ -34,21 +34,7 @@ var tls = require('tls');
 var exec = require('child_process').exec;
 var spawn = require('child_process').spawn;
 
-maybe(test1);
-
-// There is a bug with 'openssl s_server' which makes it not flush certain
-// important events to stdout when done over a pipe. Therefore we skip this
-// test for all openssl versions less than 1.0.0.
-function maybe(cb) {
-  exec('openssl version', function(err, data) {
-    if (err) throw err;
-    if (/OpenSSL 0\./.test(data)) {
-      console.error('Skipping due to old OpenSSL version.');
-      return;
-    }
-    cb();
-  });
-}
+test1();
 
 // simple/test-tls-securepair-client
 function test1() {
@@ -81,10 +67,10 @@ function test(keyfn, certfn, check, next) {
   certfn = join(common.fixturesDir, certfn);
   var cert = fs.readFileSync(certfn).toString();
 
-  var server = spawn('openssl', ['s_server',
-                                 '-accept', PORT,
-                                 '-cert', certfn,
-                                 '-key', keyfn]);
+  var server = spawn(common.opensslCli, ['s_server',
+                                         '-accept', PORT,
+                                         '-cert', certfn,
+                                         '-key', keyfn]);
   server.stdout.pipe(process.stdout);
   server.stderr.pipe(process.stdout);
 

test/pummel/test-tls-session-timeout.js

@@ -23,13 +23,7 @@ if (!process.versions.openssl) {
   console.error('Skipping because node compiled without OpenSSL.');
   process.exit(0);
 }
-require('child_process').exec('openssl version', function(err) {
-  if (err !== null) {
-    console.error('Skipping because openssl command is not available.');
-    process.exit(0);
-  }
-  doTest();
-});
+doTest();
 
 // This test consists of three TLS requests --
 // * The first one should result in a new connection because we don't have
@@ -83,7 +77,7 @@ function doTest() {
       '-sess_in', sessionFileName,
       '-sess_out', sessionFileName
     ];
-    var client = spawn('openssl', flags, {
+    var client = spawn(common.opensslCli, flags, {
       stdio: ['ignore', 'pipe', 'ignore']
     });
 

test/simple/test-tls-ecdh-disable.js

@@ -25,11 +25,6 @@ var exec = require('child_process').exec;
 var tls = require('tls');
 var fs = require('fs');
 
-if (process.platform === 'win32') {
-  console.log("Skipping test, you probably don't have openssl installed.");
-  process.exit();
-}
-
 var options = {
   key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
   cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
@@ -49,7 +44,7 @@ var server = tls.createServer(options, function(conn) {
 });
 
 server.listen(common.PORT, '127.0.0.1', function() {
-  var cmd = 'openssl s_client -cipher ' + options.ciphers +
+  var cmd = common.opensslCli + ' s_client -cipher ' + options.ciphers +
             ' -connect 127.0.0.1:' + common.PORT;
 
   exec(cmd, function(err, stdout, stderr) {

test/simple/test-tls-ecdh.js

@@ -25,11 +25,6 @@ var exec = require('child_process').exec;
 var tls = require('tls');
 var fs = require('fs');
 
-if (process.platform === 'win32') {
-  console.log("Skipping test, you probably don't have openssl installed.");
-  process.exit();
-}
-
 var options = {
   key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
   cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
@@ -52,7 +47,7 @@ var server = tls.createServer(options, function(conn) {
 });
 
 server.listen(common.PORT, '127.0.0.1', function() {
-  var cmd = 'openssl s_client -cipher ' + options.ciphers +
+  var cmd = common.opensslCli + ' s_client -cipher ' + options.ciphers +
             ' -connect 127.0.0.1:' + common.PORT;
 
   exec(cmd, function(err, stdout, stderr) {

test/simple/test-tls-securepair-server.js

@@ -115,7 +115,7 @@ var opensslExitCode = -1;
 
 server.listen(common.PORT, function() {
   // To test use: openssl s_client -connect localhost:8000
-  var client = spawn('openssl', ['s_client', '-connect', '127.0.0.1:' +
+  var client = spawn(common.opensslCli, ['s_client', '-connect', '127.0.0.1:' +
         common.PORT]);
 
 

test/simple/test-tls-server-verify.js

@@ -198,7 +198,7 @@ function runClient(options, cb) {
   }
 
   // To test use: openssl s_client -connect localhost:8000
-  var client = spawn('openssl', args);
+  var client = spawn(common.opensslCli, args);
 
   var out = '';
 

test/simple/test-tls-session-cache.js

@@ -23,15 +23,10 @@ if (!process.versions.openssl) {
   console.error('Skipping because node compiled without OpenSSL.');
   process.exit(0);
 }
-require('child_process').exec('openssl version', function(err) {
-  if (err !== null) {
-    console.error('Skipping because openssl command is not available.');
-    process.exit(0);
-  }
-  doTest({ tickets: false } , function() {
-    doTest({ tickets: true } , function() {
-      console.error('all done');
-    });
+
+doTest({ tickets: false } , function() {
+  doTest({ tickets: true } , function() {
+    console.error('all done');
   });
 });
 
@@ -56,7 +51,6 @@ function doTest(testOptions, callback) {
   var requestCount = 0;
   var resumeCount = 0;
   var session;
-  var badOpenSSL = false;
 
   var server = tls.createServer(options, function(cleartext) {
     cleartext.on('error', function(er) {
@@ -87,7 +81,7 @@ function doTest(testOptions, callback) {
     }, 100);
   });
   server.listen(common.PORT, function() {
-    var client = spawn('openssl', [
+    var client = spawn(common.opensslCli, [
       's_client',
       '-tls1',
       '-connect', 'localhost:' + common.PORT,
@@ -104,12 +98,7 @@ function doTest(testOptions, callback) {
     });
     client.on('exit', function(code) {
       console.error('done');
-      if (/^unknown option/.test(err)) {
-        // using an incompatible version of openssl
-        assert(code);
-        badOpenSSL = true;
-      } else
-        assert.equal(code, 0);
+      assert.equal(code, 0);
       server.close(function() {
         setTimeout(callback, 100);
       });
@@ -117,16 +106,14 @@ function doTest(testOptions, callback) {
   });
 
   process.on('exit', function() {
-    if (!badOpenSSL) {
-      if (testOptions.tickets) {
-        assert.equal(requestCount, 6);
-        assert.equal(resumeCount, 0);
-      } else {
-        // initial request + reconnect requests (5 times)
-        assert.ok(session);
-        assert.equal(requestCount, 6);
-        assert.equal(resumeCount, 5);
-      }
+    if (testOptions.tickets) {
+      assert.equal(requestCount, 6);
+      assert.equal(resumeCount, 0);
+    } else {
+      // initial request + reconnect requests (5 times)
+      assert.ok(session);
+      assert.equal(requestCount, 6);
+      assert.equal(resumeCount, 5);
     }
   });
 }

test/simple/test-tls-set-ciphers.js

@@ -25,11 +25,6 @@ var exec = require('child_process').exec;
 var tls = require('tls');
 var fs = require('fs');
 
-if (process.platform === 'win32') {
-  console.log("Skipping test, you probably don't have openssl installed.");
-  process.exit();
-}
-
 var options = {
   key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
   cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
@@ -51,7 +46,7 @@ var server = tls.createServer(options, function(conn) {
 });
 
 server.listen(common.PORT, '127.0.0.1', function() {
-  var cmd = 'openssl s_client -cipher ' + options.ciphers +
+  var cmd = common.opensslCli + ' s_client -cipher ' + options.ciphers +
             ' -connect 127.0.0.1:' + common.PORT;
 
   exec(cmd, function(err, stdout, stderr) {