lukechilds
/
node
mirror of https://github.com/lukechilds/node.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19323 Commits
131 Branches
446 Tags
325 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
node/lib/_tls_common.js

225 lines
6.5 KiB
Raw Permalink Normal View History

meta: restore original copyright header A prior io.js era commit inappropriately removed the original copyright statements from the source. This restores those in any files still remaining from that edit. Ref: https://github.com/nodejs/TSC/issues/174 Ref: https://github.com/nodejs/node/pull/10599 PR-URL: https://github.com/nodejs/node/pull/10155 Note: This PR was required, reviewed-by and approved by the Node.js Foundation Legal Committee and the TSC. There is no `Approved-By:` meta data.
8 years ago
// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
lib: turn on strict mode Turn on strict mode for the files in the lib/ directory. It helps catch bugs and can have a positive effect on performance. PR-URL: https://github.com/node-forward/node/pull/64 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
10 years ago
'use strict';
tls: deprecate parseCertString & move to internal `tls.parseCertString()` exposed by accident. Now move this function to `internal/tls` and mark the original one as deprecated. PR-URL: https://github.com/nodejs/node/pull/14249 Refs: https://github.com/nodejs/node/issues/14193 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
7 years ago
const { parseCertString } = require('internal/tls');
lib: faster type checks for some types PR-URL: https://github.com/nodejs/node/pull/15663 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Benedikt Meurer <benedikt.meurer@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
7 years ago
const { isArrayBufferView } = require('internal/util/types');
lib: use const to define constants This commit replaces a number of var statements throughout the lib code with const statements. PR-URL: https://github.com/iojs/io.js/pull/541 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
10 years ago
const tls = require('tls');
tls: type checking for `key`, `cert` and `ca` options PR-URL: https://github.com/nodejs/node/pull/14807 Fixes: https://github.com/nodejs/node/issues/12802 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
7 years ago
const errors = require('internal/errors');
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
lib: use destructuring for some constants This change is to unify the declaration for constants into using destructuring on the top-level-module scope, reducing some redundant code. PR-URL: https://github.com/nodejs/node/pull/16063 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
7 years ago
const { SSL_OP_CIPHER_SERVER_PREFERENCE } = process.binding('constants').crypto;
src: refactor require('constants') The require('constants') module is currently undocumented and mashes together unrelated constants. This refactors the require('constants') in favor of distinct os.constants, fs.constants, and crypto.constants that are specific to the modules for which they are relevant. The next step is to document those within the specific modules. PR-URL: https://github.com/nodejs/node/pull/6534 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Robert Lindstaedt <robert.lindstaedt@gmail.com>
9 years ago
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
// Lazily loaded
var crypto = null;
lib: use const to define constants This commit replaces a number of var statements throughout the lib code with const statements. PR-URL: https://github.com/iojs/io.js/pull/541 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
10 years ago
const binding = process.binding('crypto');
const NativeSecureContext = binding.SecureContext;
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
tls: do not refer to secureOptions as flags Its confusing to have multiple names for the same thing, use secureOptions consistently. PR-URL: https://github.com/nodejs/node/pull/9800 Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
8 years ago
function SecureContext(secureProtocol, secureOptions, context) {
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
if (!(this instanceof SecureContext)) {
tls: do not refer to secureOptions as flags Its confusing to have multiple names for the same thing, use secureOptions consistently. PR-URL: https://github.com/nodejs/node/pull/9800 Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
8 years ago
return new SecureContext(secureProtocol, secureOptions, context);
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
}
if (context) {
this.context = context;
} else {
this.context = new NativeSecureContext();
if (secureProtocol) {
this.context.init(secureProtocol);
} else {
this.context.init();
}
}
tls: do not refer to secureOptions as flags Its confusing to have multiple names for the same thing, use secureOptions consistently. PR-URL: https://github.com/nodejs/node/pull/9800 Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
8 years ago
if (secureOptions) this.context.setOptions(secureOptions);
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
}
tls: type checking for `key`, `cert` and `ca` options PR-URL: https://github.com/nodejs/node/pull/14807 Fixes: https://github.com/nodejs/node/issues/12802 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
7 years ago
function validateKeyCert(value, type) {
lib: faster type checks for some types PR-URL: https://github.com/nodejs/node/pull/15663 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Benedikt Meurer <benedikt.meurer@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
7 years ago
if (typeof value !== 'string' && !isArrayBufferView(value))
tls: type checking for `key`, `cert` and `ca` options PR-URL: https://github.com/nodejs/node/pull/14807 Fixes: https://github.com/nodejs/node/issues/12802 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
7 years ago
throw new errors.TypeError(
'ERR_INVALID_ARG_TYPE', type,
['string', 'Buffer', 'TypedArray', 'DataView']
);
}
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
exports.SecureContext = SecureContext;
exports.createSecureContext = function createSecureContext(options, context) {
if (!options) options = {};
crypto: add `honorCipherOrder` argument Add `honorCipherOrder` argument to `crypto.createCredentials`. fix #7249
10 years ago
var secureOptions = options.secureOptions;
if (options.honorCipherOrder)
src: refactor require('constants') The require('constants') module is currently undocumented and mashes together unrelated constants. This refactors the require('constants') in favor of distinct os.constants, fs.constants, and crypto.constants that are specific to the modules for which they are relevant. The next step is to document those within the specific modules. PR-URL: https://github.com/nodejs/node/pull/6534 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Robert Lindstaedt <robert.lindstaedt@gmail.com>
9 years ago
secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
crypto: add `honorCipherOrder` argument Add `honorCipherOrder` argument to `crypto.createCredentials`. fix #7249
10 years ago
var c = new SecureContext(options.secureProtocol, secureOptions, context);
tls: improve createSecureContext in _tls_common - this shares the iterator variable `i` expictly. - this converts some var to const. PR-URL: https://github.com/nodejs/node/pull/8781 Reviewed-By: Brian White <mscdex@mscdex.net> Reviewed-By: James M Snell <jasnell@gmail.com>
8 years ago
var i;
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
7 years ago
var val;
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
if (context) return c;
tls: support OCSP on client and server
11 years ago
// NOTE: It's important to add CA before the cert to be able to load
// cert's issuer in C++ code.
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
7 years ago
var ca = options.ca;
tls: re-allow falsey option values 5723c4c5f06f138 was an unintentional breaking change in that it changed the behaviour of `tls.createSecureContext()` to throw on false-y input rather than ignoring it. This breaks real-world applications like `npm`. This restores the previous behaviour. PR-URL: https://github.com/nodejs/node/pull/15131 Ref: https://github.com/nodejs/node/pull/15053 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com> Reviewed-By: MichaëZasso <targos@protonmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Timothy Gu <timothygu99@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
7 years ago
if (ca) {
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
7 years ago
if (Array.isArray(ca)) {
for (i = 0; i < ca.length; ++i) {
val = ca[i];
validateKeyCert(val, 'ca');
c.context.addCACert(val);
}
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
} else {
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
validateKeyCert(ca, 'ca');
c.context.addCACert(ca);
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
}
} else {
c.context.addRootCerts();
}
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
var cert = options.cert;
tls: re-allow falsey option values 5723c4c5f06f138 was an unintentional breaking change in that it changed the behaviour of `tls.createSecureContext()` to throw on false-y input rather than ignoring it. This breaks real-world applications like `npm`. This restores the previous behaviour. PR-URL: https://github.com/nodejs/node/pull/15131 Ref: https://github.com/nodejs/node/pull/15053 Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: Alexey Orlenko &lt;eaglexrlnk@gmail.com&gt; Reviewed-By: MichaëZasso &lt;targos@protonmail.com&gt; Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; Reviewed-By: Timothy Gu &lt;timothygu99@gmail.com&gt; Reviewed-By: Brian White &lt;mscdex@mscdex.net&gt;
7 years ago
if (cert) {
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
if (Array.isArray(cert)) {
for (i = 0; i < cert.length; ++i) {
val = cert[i];
validateKeyCert(val, 'cert');
c.context.setCert(val);
}
tls: support multiple keys/certs Required to serve website with both ECDSA/RSA certificates.
10 years ago
} else {
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
validateKeyCert(cert, 'cert');
c.context.setCert(cert);
tls: support multiple keys/certs Required to serve website with both ECDSA/RSA certificates.
10 years ago
}
}
tls: support OCSP on client and server
11 years ago
crypto: throw if the key doesn&#39;t match cert fix joyent/node#8770 Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; PR-URL: https://github.com/node-forward/node/pull/66
10 years ago
// NOTE: It is important to set the key after the cert.
lib: correct typo in createSecureContext Minor correction in the comment regarding ssl_set_pkey. PR-URL: https://github.com/nodejs/node/pull/13653 Reviewed-By: Vse Mozhet Byt &lt;vsemozhetbyt@gmail.com&gt; Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: Evan Lucas &lt;evanlucas@me.com&gt; Reviewed-By: Gibson Fahnestock &lt;gibfahn@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
// `ssl_set_pkey` returns `0` when the key does not match the cert, but
crypto: throw if the key doesn&#39;t match cert fix joyent/node#8770 Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; PR-URL: https://github.com/node-forward/node/pull/66
10 years ago
// `ssl_set_cert` returns `1` and nullifies the key in the SSL structure
// which leads to the crash later on.
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
var key = options.key;
var passphrase = options.passphrase;
tls: re-allow falsey option values 5723c4c5f06f138 was an unintentional breaking change in that it changed the behaviour of `tls.createSecureContext()` to throw on false-y input rather than ignoring it. This breaks real-world applications like `npm`. This restores the previous behaviour. PR-URL: https://github.com/nodejs/node/pull/15131 Ref: https://github.com/nodejs/node/pull/15053 Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: Alexey Orlenko &lt;eaglexrlnk@gmail.com&gt; Reviewed-By: MichaëZasso &lt;targos@protonmail.com&gt; Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; Reviewed-By: Timothy Gu &lt;timothygu99@gmail.com&gt; Reviewed-By: Brian White &lt;mscdex@mscdex.net&gt;
7 years ago
if (key) {
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
if (Array.isArray(key)) {
for (i = 0; i < key.length; ++i) {
val = key[i];
// eslint-disable-next-line eqeqeq
const pem = (val != undefined && val.pem !== undefined ? val.pem : val);
validateKeyCert(pem, 'key');
c.context.setKey(pem, val.passphrase || passphrase);
}
crypto: throw if the key doesn&#39;t match cert fix joyent/node#8770 Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; PR-URL: https://github.com/node-forward/node/pull/66
10 years ago
} else {
tls: replace forEach with for PR-URL: https://github.com/nodejs/node/pull/15053 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
validateKeyCert(key, 'key');
c.context.setKey(key, passphrase);
crypto: throw if the key doesn&#39;t match cert fix joyent/node#8770 Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; PR-URL: https://github.com/node-forward/node/pull/66
10 years ago
}
}
tls: support OCSP on client and server
11 years ago
if (options.ciphers)
c.context.setCiphers(options.ciphers);
else
c.context.setCiphers(tls.DEFAULT_CIPHERS);
lib: reduce util.is*() usage Many of the util.is*() methods used to check data types simply compare against a single value or the result of typeof. This commit replaces calls to these methods with equivalent checks. This commit does not touch calls to the more complex methods (isRegExp(), isDate(), etc.). Fixes: https://github.com/iojs/io.js/issues/607 PR-URL: https://github.com/iojs/io.js/pull/647 Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt;
10 years ago
if (options.ecdhCurve === undefined)
tls: support OCSP on client and server
11 years ago
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
else if (options.ecdhCurve)
c.context.setECDHCurve(options.ecdhCurve);
tls: output warning of setDHParam to console.trace To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in #1739. PR-URL: https://github.com/nodejs/node/pull/1831 Reviewed-By: indutny - Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: bnoordhuis - Ben Noordhuis &lt;info@bnoordhuis.nl&gt;
10 years ago
if (options.dhparam) {
tls: improve createSecureContext in _tls_common - this shares the iterator variable `i` expictly. - this converts some var to const. PR-URL: https://github.com/nodejs/node/pull/8781 Reviewed-By: Brian White &lt;mscdex@mscdex.net&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
8 years ago
const warning = c.context.setDHParam(options.dhparam);
tls: output warning of setDHParam to console.trace To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in #1739. PR-URL: https://github.com/nodejs/node/pull/1831 Reviewed-By: indutny - Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: bnoordhuis - Ben Noordhuis &lt;info@bnoordhuis.nl&gt;
10 years ago
if (warning)
tls: use emitWarning() for dhparam &lt; 2048 bits When a dhparam less than 2048 bits was used, a warning was being printed directly to console.error using an internalUtil.trace function that was not used anywhere else. This replaces it with a proper process warning and removes the internalUtil.trace function. PR-URL: https://github.com/nodejs/node/pull/11447 Reviewed-By: Shigeki Ohtsu &lt;ohtsu@iij.ad.jp&gt; Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;
8 years ago
process.emitWarning(warning, 'SecurityWarning');
tls: output warning of setDHParam to console.trace To make it easy to figure out where the warning comes from. Also fix style and variable name that was made in #1739. PR-URL: https://github.com/nodejs/node/pull/1831 Reviewed-By: indutny - Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: bnoordhuis - Ben Noordhuis &lt;info@bnoordhuis.nl&gt;
10 years ago
}
tls, crypto: add DHE support In case of an invalid DH parameter file, it is sliently discarded. To use auto DH parameter in a server and DHE key length check in a client, we need to wait for the next release of OpenSSL-1.0.2. Reviewed-By: Fedor Indutny &lt;fedor@indutny.com&gt;
10 years ago
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
if (options.crl) {
lib: reduce util.is*() usage Many of the util.is*() methods used to check data types simply compare against a single value or the result of typeof. This commit replaces calls to these methods with equivalent checks. This commit does not touch calls to the more complex methods (isRegExp(), isDate(), etc.). Fixes: https://github.com/iojs/io.js/issues/607 PR-URL: https://github.com/iojs/io.js/pull/647 Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt;
10 years ago
if (Array.isArray(options.crl)) {
tls: improve createSecureContext in _tls_common - this shares the iterator variable `i` expictly. - this converts some var to const. PR-URL: https://github.com/nodejs/node/pull/8781 Reviewed-By: Brian White &lt;mscdex@mscdex.net&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
8 years ago
for (i = 0; i < options.crl.length; i++) {
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
c.context.addCRL(options.crl[i]);
}
} else {
c.context.addCRL(options.crl);
}
}
if (options.sessionIdContext) {
c.context.setSessionIdContext(options.sessionIdContext);
}
if (options.pfx) {
if (!crypto)
crypto = require('crypto');
tls: multiple PFX in createSecureContext Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: https://github.com/nodejs/node/pull/14793 Fixes: https://github.com/nodejs/node/issues/14756 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
if (Array.isArray(options.pfx)) {
for (i = 0; i < options.pfx.length; i++) {
const pfx = options.pfx[i];
const raw = pfx.buf ? pfx.buf : pfx;
const buf = crypto._toBuf(raw);
const passphrase = pfx.passphrase || options.passphrase;
if (passphrase) {
c.context.loadPKCS12(buf, crypto._toBuf(passphrase));
} else {
c.context.loadPKCS12(buf);
}
}
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
} else {
tls: multiple PFX in createSecureContext Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: https://github.com/nodejs/node/pull/14793 Fixes: https://github.com/nodejs/node/issues/14756 Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;
7 years ago
const buf = crypto._toBuf(options.pfx);
const passphrase = options.passphrase;
if (passphrase) {
c.context.loadPKCS12(buf, crypto._toBuf(passphrase));
} else {
c.context.loadPKCS12(buf);
}
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
}
}
crypto: freelist_max_len is gone in OpenSSL 1.1.0 The freelist_max_len member of SSL* (and the freelist itself) has been removed in OpenSSL 1.1.0. Thus this change will be necessary at some point but, for now, it makes it a little easier to build with 1.1.0 without breaking anything for previous versions of OpenSSL. PR-URL: https://github.com/nodejs/node/pull/10859 Reviewed-By: Sam Roberts &lt;vieuxtech@gmail.com&gt; Reviewed-By: Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt;
8 years ago
// Do not keep read/write buffers in free list for OpenSSL < 1.1.0. (For
// OpenSSL 1.1.0, buffers are malloced and freed without the use of a
// freelist.)
tls: destroy singleUse context immediately Destroy singleUse context right after it is going out of use. Fix: https://github.com/iojs/io.js/issues/1522 PR-URL: https://github.com/iojs/io.js/pull/1529 Reviewed-By: Shigeki Ohtsu &lt;ohtsu@iij.ad.jp&gt;
10 years ago
if (options.singleUse) {
c.singleUse = true;
tls: zero SSL_CTX freelist for a singleUse socket When connecting to server with `keepAlive` turned off - make sure that the read/write buffers won&#39;t be kept in a single use SSL_CTX instance after the socket will be destroyed. Fix: https://github.com/iojs/io.js/issues/1522 PR-URL: https://github.com/iojs/io.js/pull/1529 Reviewed-By: Shigeki Ohtsu &lt;ohtsu@iij.ad.jp&gt;
10 years ago
c.context.setFreeListLength(0);
tls: destroy singleUse context immediately Destroy singleUse context right after it is going out of use. Fix: https://github.com/iojs/io.js/issues/1522 PR-URL: https://github.com/iojs/io.js/pull/1529 Reviewed-By: Shigeki Ohtsu &lt;ohtsu@iij.ad.jp&gt;
10 years ago
}
tls: zero SSL_CTX freelist for a singleUse socket When connecting to server with `keepAlive` turned off - make sure that the read/write buffers won&#39;t be kept in a single use SSL_CTX instance after the socket will be destroyed. Fix: https://github.com/iojs/io.js/issues/1522 PR-URL: https://github.com/iojs/io.js/pull/1529 Reviewed-By: Shigeki Ohtsu &lt;ohtsu@iij.ad.jp&gt;
10 years ago
crypto: move `createCredentials` to tls Move `createCredentials` to `tls` module and rename it to `createSecureContext`. Make it use default values from `tls` module: `DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`. fix #7249
11 years ago
return c;
};
tls: support OCSP on client and server
11 years ago
exports.translatePeerCertificate = function translatePeerCertificate(c) {
if (!c)
return null;
tls: deprecate parseCertString &amp; move to internal `tls.parseCertString()` exposed by accident. Now move this function to `internal/tls` and mark the original one as deprecated. PR-URL: https://github.com/nodejs/node/pull/14249 Refs: https://github.com/nodejs/node/issues/14193 Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt;
7 years ago
if (c.issuer != null) c.issuer = parseCertString(c.issuer);
tls: fix empty issuer/subject/infoAccess parsing Also issuerCertificate but that did not fit on the status line. Fixes: https://github.com/nodejs/node/issues/11771 PR-URL: https://github.com/nodejs/node/pull/14473 Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Matteo Collina &lt;matteo.collina@gmail.com&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt;
7 years ago
if (c.issuerCertificate != null && c.issuerCertificate !== c) {
tls: `getPeerCertificate(detailed)` Add `raw` property to certificate, add mode to output full certificate chain.
11 years ago
c.issuerCertificate = translatePeerCertificate(c.issuerCertificate);
}
tls: deprecate parseCertString &amp; move to internal `tls.parseCertString()` exposed by accident. Now move this function to `internal/tls` and mark the original one as deprecated. PR-URL: https://github.com/nodejs/node/pull/14249 Refs: https://github.com/nodejs/node/issues/14193 Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt;
7 years ago
if (c.subject != null) c.subject = parseCertString(c.subject);
tls: fix empty issuer/subject/infoAccess parsing Also issuerCertificate but that did not fit on the status line. Fixes: https://github.com/nodejs/node/issues/11771 PR-URL: https://github.com/nodejs/node/pull/14473 Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Matteo Collina &lt;matteo.collina@gmail.com&gt; Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt;
7 years ago
if (c.infoAccess != null) {
tls: support OCSP on client and server
11 years ago
var info = c.infoAccess;
tls: fix object prototype type confusion Use `Object.create(null)` for dictionary objects so that keys from certificate strings or the authorityInfoAccess field cannot conflict with Object.prototype properties. PR-URL: https://github.com/nodejs/node/pull/14447 Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; Reviewed-By: Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt; Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt;
7 years ago
c.infoAccess = Object.create(null);
tls: support OCSP on client and server
11 years ago
// XXX: More key validation?
info.replace(/([^\n:]*):([^\n]*)(?:\n|$)/g, function(all, key, val) {
tls: fix object prototype type confusion Use `Object.create(null)` for dictionary objects so that keys from certificate strings or the authorityInfoAccess field cannot conflict with Object.prototype properties. PR-URL: https://github.com/nodejs/node/pull/14447 Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; Reviewed-By: Fedor Indutny &lt;fedor.indutny@gmail.com&gt; Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt; Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt;
7 years ago
if (key in c.infoAccess)
tls: support OCSP on client and server
11 years ago
c.infoAccess[key].push(val);
else
c.infoAccess[key] = [val];
});
}
return c;
};