-
Notifications
You must be signed in to change notification settings - Fork 7.3k
Conversation
Currently, a TypeError is incorrectly thrown if the second argument is an object. This commit allows the args argument to be properly omitted. Fixes: #6068 Reviewed-by: Trevor Norris <trev.norris@gmail.com>
Expands the paragraph in the transform stream implementation docs about the callback that is passed to the _transform method to include details about how two arguments may be passed, error and data. A code example is also included. Reviewed-By: Fedor Indutny <fedor@indutny.com>
Otherwise the warning could be printed on some systems. fix #8419
PR-URL: #8553 Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: #8551 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: #8551 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Because of constant-timeness change made in openssl-1.0.1j the error is no longer returned from EVP_DecryptFinal_ex. Now it just return 0, and thus the error message does not contain proper error code. Adapt to this change, there is not much that we could do about it.
This change disables SSLv2/SSLv3 use by default, and introduces a command line flag to opt into using SSLv2/SSLv3. SSLv2 and SSLv3 are considered unsafe, and should only be used in situations where compatibility with other components is required and they cannot be upgrade to support newer forms of TLS.
The order of the callbacks is non-deterministic, so don't expect the error messages to come back in the same order every time, instead just verify they are expected messages.
In the case of a pipe'd input, i.e. from the CI the fd will be a PIPE and when listen() is called it will return ENOTSOCK instead of EINVAL. Backport: cd2d3ae
Always set ssl2/ssl3 disabled based on whether they are enabled in Node. In some corner-case scenario, node with OPENSSL_NO_SSL3 defined could be linked to openssl that has SSL3 enabled.
adds a note to the crypto docs passing along the advice that openssl gives about what key derivation function they recommend. PR-URL: #8580 Reviewed-By: Fedor Indutny <fedor@indutny.com>
Force-enable SSLv2/v3 when `secureProtocol` is explicitly set to `SSLv2_method` or `SSLv3_method`. see discussion at #8551
* openssl: Update to 1.0.1j (Addressing multiple CVEs) * uv: Update to v0.10.29 * child_process: properly support optional args (cjihrig) * crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla) This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either `--enable-ssl2` or `--enable-ssl3` respectively. This does not change the behavior for users specifically requesting `SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.
Specifying honorCipherOrder should not change the SSLv2/SSLv3 defaults for a TLS server. Use secureOptions logic in both lib/tls.js and lib/crypto.js
Reuse the secureProtocol and secureOptions of the server when creating the secure context for incoming clients.
Add a test that goes through the whole matrix of: - command line options (--enable-ssl*) - secureOptions - secureProtocols and makes sure that compatible test setups actually work as expected. The test works by spawning two processes for each test case: one client and one server. The test passes if a SSL/TLS connection from the client to the server is successful and the test case was supposed to pass, or if the connection couldn't be established and the test case was supposed to fail. The test is currently located in the directory 'test/external' because it has external dependencies.
Fixes usage of global object 'Buffer' in lib/* files by ensuring that each file does an explicit require('buffer').Buffer. Previously, when running a repl, due to usage of global 'Buffer', any redefinition of Buffer would cause a crash eg var Buffer = {}. Fixes: #8588 PR-URL: #8603 Reviewed-by: Trevor Norris <trev.norris@gmail.com>
09b06be
to
71656a9
Compare
71656a9
to
fdba3aa
Compare
Reverted caeb677 for being unable to port the change to deps/v8. The change will be ported directly in a later commit. Conflicts: ChangeLog configure doc/api/child_process.markdown doc/api/tls.markdown doc/api/url.markdown lib/assert.js lib/child_process.js lib/crypto.js lib/dgram.js lib/http.js lib/net.js lib/timers.js lib/tls.js src/node.cc src/node.h src/node.js src/node_crypto.cc src/node_version.h test/common.js test/simple/test-child-process-spawn-typeerror.js tools/certdata.txt
fdba3aa
to
ae6444d
Compare
I pushed misterdjules@dc9f78d to my fork. It fixes the tests failing on our CentOS Jenkins agent, and doesn't introduce any regression. |
@misterdjules the commit LGTM. I wouldn't mind a more in depth explanation of why this is necessary (I get that there are env variables that are being lost). Was this not a problem in the past, or was it just not noticed? |
@cjihrig CentOS 5.7 ships with a recent g++, but a less recent C++ standard library. It turns out that node binaries built from the v0.12 branch require a newer C++ standard library than the one installed on CentOS 5.7. Running a binary that requires a newer C++ standard library than the one installed on the system can be done by using the If tests that spawn child processes reset their environment variables (which they do if they pass an empty object as their environment), the child process cannot find the newer C++ standard library, and thus the linking fails at runtime. In my opinion it is semantically correct to append to the environment instead of overriding it during tests. We really mean that we want these additional variables to be present, not that we want the child processes' environment to be reset. It affects CI platforms, but also any development setup where environment variables are required to make node run properly. Now why do node binaries built from the v0.12 branch need a newer C++ standard library? Here's the C++ standard library against which a node binary built from the v0.10 branch is linked:
That shows that the system's standard C++ library is at version 8, and it supports binaries using up to the version Now, if we build a node binary from the v0.12 branch and we try to run it on the same machine, here's what we get:
The runtime linker can't find the a C++ standard library that has the version 3.4.15. As we saw above, the system's standard C++ library is at version 3.4.8, so that's expected. Now, let's see why this binary requires a newer version of the C++ standard library:
So it would seem that Node.js' v0.12 branch requires a newer version of the standard C++ library just because it uses
|
@misterdjules thanks for the detailed explanation |
@misterdjules Yes, thanks for uncovering the source of that error. |
@trevnorris FYI, @cjihrig fixed |
@misterdjules Should I just squash that onto this commit? |
@trevnorris yes, you can just squash it and close the PR. The only thing left to do on that PR is reword the commit message. |
@trevnorris I'm off until January 4th, until then I won't have time to look at any PR or issue on GitHub. Did you get my latest email @nodejs.org about this merge and about my time off? |
@trevnorris going to fix that crypto thing. |
@trevnorris What's the status on this merge? What do we need to do to move this forward? |
@trevnorris @tjfontaine Just FYI, I started the merge from scratch as it's not clear if we can re-use the resolve conflicts info from the previous merge. I'll keep you posted on my progress. |
Being done in #9018. |
There were a lot of changes to crypto. @indutny has one of those fixes.
Also an issue with additional tests to child process in v0.10 that are failing in v0.12.
/cc @tjfontaine @chrisdickinson