6.x backport: crypto: support OPENSSL_CONF again (and its dependencies)

.eslintrc.yaml

@@ -62,17 +62,21 @@ rules:
   no-new-require: 2
   no-path-concat: 2
   no-restricted-modules: [2, sys, _linklist]
-  no-restricted-properties: [2, {
-    object: assert,
-    property: deepEqual,
-    message: Please use assert.deepStrictEqual().
-  }, {
-    property: __defineGetter__,
-    message: __defineGetter__ is deprecated.
-  }, {
-    property: __defineSetter__,
-    message: __defineSetter__ is deprecated.
-  }]
+  no-restricted-properties:
+    - 2
+    - object: assert
+      property: deepEqual
+      message: Use assert.deepStrictEqual().
+    - object: assert
+      property: equal
+      message: Use assert.strictEqual() rather than assert.equal().
+    - object: assert
+      property: notEqual
+      message: Use assert.notStrictEqual() rather than assert.notEqual().
+    - property: __defineGetter__
+      message: __defineGetter__ is deprecated.
+    - property: __defineSetter__,
+      message: __defineSetter__ is deprecated.
 
   # Stylistic Issues
   # http://eslint.org/docs/rules/#stylistic-issues

BUILDING.md

@@ -8,6 +8,71 @@ If you consistently can reproduce a test failure, search for it in the
 [Node.js issue tracker](https://github.com/nodejs/node/issues) or
 file a new issue.
 
+## Supported platforms
+
+This list of supported platforms is current as of the branch / release to
+which it is attached.
+
+### Input
+
+Node.js relies on V8 and libuv. Therefore, we adopt a subset of their
+supported platforms.
+
+### Strategy
+
+Support is divided into three tiers:
+
+* **Tier 1**: Full test coverage and maintenance by the Node.js core team and
+  the broader community.
+* **Tier 2**: Full test coverage but more limited maintenance,
+  often provided by the vendor of the platform.
+* **Experimental**: Known to compile but not necessarily reliably or with
+  a full passing test suite. These are often working to be promoted to Tier
+  2 but are not quite ready. There is at least one individual actively
+  providing maintenance and the team is striving to broaden quality and
+  reliability of support.
+
+### Supported platforms
+
+|  System      | Support type | Version                          | Architectures        | Notes            |
+|--------------|--------------|----------------------------------|----------------------|------------------|
+| GNU/Linux    | Tier 1       | kernel >= 2.6.18, glibc >= 2.5   | x86, x64, arm, arm64 |                  |
+| macOS        | Tier 1       | >= 10.10                         | x64                  |                  |
+| Windows      | Tier 1       | >= Windows 7 or >= Windows2008R2 | x86, x64             |                  |
+| SmartOS      | Tier 2       | >= 14 < 16.4                     | x86, x64             | see note1        |
+| FreeBSD      | Tier 2       | >= 10                            | x64                  |                  |
+| GNU/Linux    | Tier 2       | kernel >= 4.2.0, glibc >= 2.19   | ppc64be              |                  |
+| GNU/Linux    | Tier 2       | kernel >= 3.13.0, glibc >= 2.19  | ppc64le              |                  |
+| AIX          | Tier 2       | >= 6.1 TL09                      | ppc64be              |                  |
+| GNU/Linux    | Tier 2       | kernel >= 3.10, glibc >= 2.17    | s390x                |                  |
+| macOS        | Experimental | >= 10.8 < 10.10                  | x64                  | no test coverage |
+| Linux (musl) | Experimental | musl >= 1.0                      | x64                  |                  |
+
+note1 - The gcc4.8-libs package needs to be installed, because node
+  binaries have been built with GCC 4.8, for which runtime libraries are not
+  installed by default. For these node versions, the recommended binaries
+  are the ones available in pkgsrc, not the one available from nodejs.org.
+  Note that the binaries downloaded from the pkgsrc repositories are not
+  officially supported by the Node.js project, and instead are supported
+  by Joyent. SmartOS images >= 16.4 are not supported because
+  GCC 4.8 runtime libraries are not available in their pkgsrc repository
+
+### Supported toolchains
+
+Depending on host platform, the selection of toolchains may vary.
+
+#### Unix
+
+* GCC 4.8 or newer
+* Clang 3.4 or newer
+
+#### Windows
+
+* Building Node: Visual Studio 2015 or Visual C++ Build Tools 2015 or newer
+* Building native add-ons: Visual Studio 2013 or Visual C++ Build Tools 2015
+  or newer
+
+## Building Node.js on supported platforms
 
 ### Unix / OS X
 
@@ -20,9 +85,9 @@ Prerequisites:
 
 On OS X, you will also need:
 * [Xcode](https://developer.apple.com/xcode/download/)
-  * You also need to install the `Command Line Tools` via Xcode. You can find
+  - You also need to install the `Command Line Tools` via Xcode. You can find
     this under the menu `Xcode -> Preferences -> Downloads`
-  * This step will install `gcc` and the related toolchain containing `make`
+  - This step will install `gcc` and the related toolchain containing `make`
 
 * After building, you may want to setup [firewall rules](tools/macosx-firewall.sh)
 to avoid popups asking to accept incoming network connections when running tests:
@@ -51,7 +116,8 @@ the `-j4` flag. See the
 [GNU Make Documentation](https://www.gnu.org/software/make/manual/html_node/Parallel.html)
 for more information.
 
-Note that the above requires that `python` resolve to Python 2.6 or 2.7 and not a newer version.
+Note that the above requires that `python` resolve to Python 2.6 or 2.7
+and not a newer version.
 
 To run the tests:
 
@@ -252,9 +318,11 @@ It is possible to build Node.js with
 
 **Note**: building in this way does **not** allow you to claim that the
 runtime is FIPS 140-2 validated. Instead you can indicate that the runtime
-uses a validated module. See the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
+uses a validated module. See the
+[security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
 page 60 for more details. In addition, the validation for the underlying module
-is only valid if it is deployed in accordance with its [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
+is only valid if it is deployed in accordance with its
+[security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
 If you need FIPS validated cryptography it is recommended that you read both
 the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
 and [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).

README.md

@@ -132,7 +132,7 @@ the binary verification command above.
 ## Building Node.js
 
 See [BUILDING.md](BUILDING.md) for instructions on how to build
-Node.js from source.
+Node.js from source along with a list of officially supported platforms.
 
 ## Security
 

benchmark/streams/writable-manywrites.js

@@ -0,0 +1,23 @@
+'use strict';
+
+const common = require('../common');
+const Writable = require('stream').Writable;
+
+const bench = common.createBenchmark(main, {
+  n: [2e6]
+});
+
+function main(conf) {
+  const n = +conf.n;
+  const b = Buffer.allocUnsafe(1024);
+  const s = new Writable();
+  s._write = function(chunk, encoding, cb) {
+    cb();
+  };
+
+  bench.start();
+  for (var k = 0; k < n; ++k) {
+    s.write(b);
+  }
+  bench.end(n);
+}

configure

@@ -894,7 +894,6 @@ def configure_node(o):
     o['variables']['library_files'] = options.linked_module
 
   o['variables']['asan'] = int(options.enable_asan or 0)
-  o['variables']['v8_inspector'] = b(not options.without_inspector)
   o['variables']['debug_devtools'] = 'node'
 
   if options.use_xcode and options.use_ninja:
@@ -1268,6 +1267,12 @@ def configure_intl(o):
         pprint.pformat(icu_config, indent=2) + '\n')
   return  # end of configure_intl
 
+def configure_inspector(o):
+  disable_inspector = (options.without_inspector or
+                       options.with_intl in (None, 'none') or
+                       options.without_ssl)
+  o['variables']['v8_inspector'] = b(not disable_inspector)
+
 output = {
   'variables': {},
   'include_dirs': [],
@@ -1298,6 +1303,7 @@ configure_v8(output)
 configure_openssl(output)
 configure_intl(output)
 configure_static(output)
+configure_inspector(output)
 
 # variables should be a root level element,
 # move everything else to target_defaults

doc/STYLE_GUIDE.md

@@ -57,7 +57,7 @@
 * When using underscores, asterisks and backticks please use proper escaping (**\\\_**, **\\\*** and **\\\`** instead of **\_**, **\*** and **\`**)
 * References to constructor functions should use PascalCase
 * References to constructor instances should be camelCased
-* References to methods should be used with parenthesis: `socket.end()` instead of `socket.end`
+* References to methods should be used with parentheses: `socket.end()` instead of `socket.end`
 
 [plugin]: http://editorconfig.org/#download
 [Oxford comma]: https://en.wikipedia.org/wiki/Serial_comma

doc/api/buffer.md

@@ -348,15 +348,16 @@ deprecated: v6.0.0
 > [`Buffer.from(arrayBuffer[, byteOffset [, length]])`][`Buffer.from(arrayBuffer)`]
 > instead.
 
-* `arrayBuffer` {ArrayBuffer} The `.buffer` property of a [`TypedArray`] or
-  [`ArrayBuffer`]
-* `byteOffset` {Integer} Where to start copying from `arrayBuffer`. **Default:** `0`
-* `length` {Integer} How many bytes to copy from `arrayBuffer`.
+* `arrayBuffer` {ArrayBuffer} An [`ArrayBuffer`] or the `.buffer` property of a
+  [`TypedArray`].
+* `byteOffset` {Integer} Index of first byte to expose. **Default:** `0`
+* `length` {Integer} Number of bytes to expose.
   **Default:** `arrayBuffer.length - byteOffset`
 
-When passed a reference to the `.buffer` property of a [`TypedArray`] instance,
-the newly created `Buffer` will share the same allocated memory as the
-[`TypedArray`].
+This creates a view of the [`ArrayBuffer`] without copying the underlying
+memory. For example, when passed a reference to the `.buffer` property of a
+[`TypedArray`] instance, the newly created `Buffer` will share the same
+allocated memory as the [`TypedArray`].
 
 The optional `byteOffset` and `length` arguments specify a memory range within
 the `arrayBuffer` that will be shared by the `Buffer`.
@@ -726,15 +727,16 @@ A `TypeError` will be thrown if `array` is not an `Array`.
 added: v5.10.0
 -->
 
-* `arrayBuffer` {ArrayBuffer} The `.buffer` property of a [`TypedArray`] or
-  [`ArrayBuffer`]
-* `byteOffset` {Integer} Where to start copying from `arrayBuffer`. **Default:** `0`
-* `length` {Integer} How many bytes to copy from `arrayBuffer`.
+* `arrayBuffer` {ArrayBuffer} An [`ArrayBuffer`] or the `.buffer` property of a
+  [`TypedArray`].
+* `byteOffset` {Integer} Index of first byte to expose. **Default:** `0`
+* `length` {Integer} Number of bytes to expose.
   **Default:** `arrayBuffer.length - byteOffset`
 
-When passed a reference to the `.buffer` property of a [`TypedArray`] instance,
-the newly created `Buffer` will share the same allocated memory as the
-[`TypedArray`].
+This creates a view of the [`ArrayBuffer`] without copying the underlying
+memory. For example, when passed a reference to the `.buffer` property of a
+[`TypedArray`] instance, the newly created `Buffer` will share the same
+allocated memory as the [`TypedArray`].
 
 Example:
 

doc/api/cli.md

@@ -314,13 +314,26 @@ When set, the well known "root" CAs (like VeriSign) will be extended with the
 extra certificates in `file`. The file should consist of one or more trusted
 certificates in PEM format. A message will be emitted (once) with
 [`process.emitWarning()`][emit_warning] if the file is missing or
-misformatted, but any errors are otherwise ignored.
+malformed, but any errors are otherwise ignored.
 
 Note that neither the well known nor extra certificates are used when the `ca`
 options property is explicitly specified for a TLS or HTTPS client or server.
 
+### `OPENSSL_CONF=file`
+<!-- YAML
+added: REPLACEME
+-->
+
+Load an OpenSSL configuration file on startup. Among other uses, this can be
+used to enable FIPS-compliant crypto if Node.js is built with `./configure
+\-\-openssl\-fips`.
+
+If the [`--openssl-config`][] command line option is used, the environment
+variable is ignored.
+
 [emit_warning]: process.html#process_process_emitwarning_warning_name_ctor
 [Buffer]: buffer.html#buffer_buffer
 [debugger]: debugger.html
 [REPL]: repl.html
 [SlowBuffer]: buffer.html#buffer_class_slowbuffer
+[`--openssl-config`]: #cli_openssl_config_file