FIPS 140-2 does not permit the use of MD5 and RC4, skip or tests
that use them, or substitute with stronger crypto where applicable.
PR-URL: https://github.com/nodejs/node/pull/3757
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
The module loading system will not append node_modules to a
path already ending in node_modules. This used to be documented,
but it was lost.
Fixes: https://github.com/nodejs/node/issues/3873
PR-URL: https://github.com/nodejs/node/pull/3920
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Generating 1024-bit primes on rpi test machines sometimes
causes timeouts. Avoid this situation by using 256-bit
primes when not running in FIPS mode.
Fixes: https://github.com/nodejs/node/issues/3881
PR-URL: https://github.com/nodejs/node/pull/3902
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
Move portion of `test-child-process-spawnsync-input.js` (that has been
flaky on CentOS in CI) to its own file. This allows us to more easily
eliminate the cause of the flakiness without affecting other unrelated
portions of the test.
Fixes: https://github.com/nodejs/node/issues/3863
PR-URL: https://github.com/nodejs/node/pull/3889
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, this test was not supported on OS X. This change makes sure
that it is no longer skipped.
PR-URL: https://github.com/nodejs/node/pull/3901
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
- refactor test to accept multiple error messages per platform
- add new message to be found in Solaris 11.3 as per #3798
PR-URL: https://github.com/nodejs/node/pull/3855
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
In debugger, the usage of `repl` very ugly. I'd like there is a `p`
like gdb. So the `exec` is coming.
Usage:
```
$ ./iojs debug ~/git/node_research/server.js
< Debugger listening on port 5858
connecting to 127.0.0.1:5858 ... ok
break in /Users/jacksontian/git/node_research/server.js:1
> 1 var http = require('http');
2
3 http.createServer(function (req, res) {
debug> exec process.title
/Users/jacksontian/git/io.js/out/Release/iojs
debug>
```
And the `repl`:
```
debug> repl
Press Ctrl + C to leave debug repl
> process.title
'/Users/jacksontian/git/io.js/out/Release/iojs'
debug>
(^C again to quit)
```
The enter and leave debug repl is superfluous.
R-URL: https://github.com/nodejs/node/pull/1491
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
* Include reference to CVE-2015-8027
* Fix "socket may no longer have a socket" reference
* Expand on non-existent parser causing the error
* Soften language for CVE-2015-3193 as impact may not be as great as
expected, also trim to match v4.2.3 language
* Clarify that CVE-2015-3194 affects TLS servers using _client
certificate authentication_
* Include reference to CVE-2015-6764
PR-URL: https://github.com/nodejs/node/pull/4156
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Security Update
Notable items:
* **http**: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against DH, an attack against RSA
and DSA is considered possible but unlikely, EC algorithms are not
affected. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/11
This just replaces all sources of openssl-1.0.2e.tar.gz into
deps/openssl/openssl
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
deps: fix asm build error of openssl in x86_win32
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html
node needs to stop using masm and move to nasm or yasm on Win32.
openssl: fix keypress requirement in apps on win32
Reapply b910613792 .
deps: add -no_rand_screen to openssl s_client
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
deps: update openssl config files
Regenrate config files for supported platforms with Makefile.
deps: update openssl asm and asm_obsolete files
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where
gcc-4.8.4. Also asm files in asm_obsolete dir to support old compiler
and assmebler are regenerated without CC and ASM envs.
PR-URL: https://github.com/nodejs/node/pull/4134
Reviewed-By: Fedor Indutny <fedor@indutny.com>
FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().
PR-URL: https://github.com/nodejs/node/pull/3755
Reviewed-By: Fedor Indutny <fedor@indutny.com>
None of these regular expressions will change, so there is no need to
generate them every time in hot code paths.
Provides a small performance improvement in module loading. (5-10%)
PR-URL: https://github.com/nodejs/node/pull/3869
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reorders, with no contextual changes, the repl documentation with class
definitions at the top and alphabetically.
PR-URL: https://github.com/nodejs/node/pull/3859
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
common.checkSpawnSyncRet is only used in one test. Move it out of
common.js and into that test (test-child-process-spawnsync-input.js).
PR-URL: https://github.com/nodejs/node/pull/3871
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Documentation currently states that setting noAssert and passing a value
larger than can fit in the Buffer will cause data to be silently
dropped. Change implementation to match documented behavior.
Fixes: https://github.com/nodejs/node/issues/3766
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Moved all the URLs in API docs to the bottom of the files as
reference-style links.
PR-URL: https://github.com/nodejs/node/pull/3845
Reviewed-By: James M Snell <jasnell@gmail.com>
`test/internet/test-dgram-broadcast-multi-process.js` fails if it is in
a FreeBSD jail. This issue is with the way FreeBSD jails work and not
with Node. Skip the test if in a FreeBSD jail.
PR-URL: https://github.com/nodejs/node/pull/3839
Fixes: https://github.com/nodejs/node/issues/2472
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
Fix configure_library() to produce correct LDFLAGS when configuring with
prebuilt 3rd-party libraries (libuv, openssl, etc) using `pkg-config' or
`--shared-{LIBRARY}-includes=xxx --shared-{LIBRARY}-libpath=xxx'.
PR-URL: https://github.com/nodejs/node/pull/3135
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Use path join to construct the path instead of concatenating strings.
Replace backslash with double backslash so that they are escaped
correctly in the string passed to REPL.
PR-URL: https://github.com/nodejs/node/pull/3608
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Use stronger crypto (larger keys, etc.) for arbitrary tests so
they will pass in both FIPS and non-FIPS mode without altering
the original intent of the test cases.
PR-URL: https://github.com/nodejs/node/pull/3758
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
This test assures that if flush is called while the zlib object needs
to be drained that it will defer the callback until after the drain.
PR-URL: https://github.com/nodejs/node/pull/3534
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
When stream.flush() is called without a callback, an empty listener is
being added. Since flush may be called multiple times to push SSE's
down to the client, multiple noop listeners are being added. This in
turn causes the memory leak detected message.
PR-URL: https://github.com/nodejs/node/pull/3534
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Utility function for tests to check if OpenSSL is using
a FIPS verified cryptographic provider.
PR-URL: https://github.com/nodejs/node/pull/3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Check that invalid DSA key sizes are rejected in FIPS mode.
PR-URL: https://github.com/nodejs/node/pull/3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 180-4 requires specific (L,N) values. OpenSSL will crash if an
invalid combination is used, so we must check the input sanity first.
PR-URL: https://github.com/nodejs/node/pull/3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message:
[tools] Make gen-postmortem-metadata.py more reliable
Instead of basing matches off of whitespace, walk the
inheritance chain and include any classes that inherit
from Object.
R=machenbach@chromium.org,jkummerow@chromium.org
NOTRY=true
Review URL: https://codereview.chromium.org/1435643002
Cr-Commit-Position: refs/heads/master@{#31964}
This adds some missing classes to postmortem info like
JSMap and JSSet.
PR-URL: https://github.com/nodejs/node/pull/3792
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
test fails intermittently due to the assertion that the 'disconnect'
event should come before the 'exit' event. This is caused be the
non-deteministic behaviour of pollset_poll[1] on AIX
(see deps/uv/src/unix/aix.c). This API makes no garauntee for the order
in which file descriptors are returned. On linux epoll_wait[2] is used,
which also does not make a garauntee on order of file descriptors
returned. In the failing case we recieve our file descriptor with a
callback of uv__signal_event (which causes JavaScript to receive the
exit event) before our file descriptor with uv__stream_io as its
callback (which in turn causes JavaScript receive the disconnect event).
This change simply removes the assertion that the disconnect event
happens before exit event and processes the test regardless of which
event comes first.
[1] https://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.ai
x.basetrf1/pollset.htm
[2] http://linux.die.net/man/2/epoll_pwait
PR-URL: https://github.com/nodejs/node/pull/3666
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The examples for implementing the simplified constructor API
was missing some details on its correct usages.
PR-URL: https://github.com/nodejs/node/pull/3602
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chris Dickinson <chris@neversaw.us>
message.headers states that the headers are read-only, when in fact they
are not. This change rewords the docs to a more appropriate description,
while not promoting this kind of behavior.
Fixes: #3146
PR-URL: https://github.com/nodejs/node/pull/3814
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit documents how duplicate HTTP headers are handled.
PR-URL: https://github.com/nodejs/node/pull/3810
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>