[v16.x backport] src: add --openssl-legacy-provider option
This commit adds an option to Node.js named --openssl-legacy-provider
which, if specified, will load the OpenSSL 3.0 legacy provider when
dynamically linking Node.js v16.x with OpenSSL 3.0.

Building:
$ ./configure --shared-openssl \
 --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
 --shared-openssl-includes=/path/openssl_quic-3.0/include \
 --shared-openssl-libname=crypto,ssl
$ make -j8

Verify the option is available:
$ ./node --help
...
--openssl-legacy-provider  enable OpenSSL 3.0 legacy provider

Usage:
$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Fixes: #40948

Refs: #40455
PR-URL: #40478
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
danbev committed May 5, 2022
1 parent 3ceeb57 commit 055492f
Showing 5 changed files with 36 additions and 0 deletions.
11 changes: 11 additions & 0 deletions doc/api/cli.md
Expand Up @@ -732,6 +732,15 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.

### `--openssl-legacy-provider`

<!-- YAML
added: REPLACEME
-->

Enable OpenSSL 3.0 legacy provider when dynamically linking to OpenSSL 3.x.
For more information please see [OSSL\_PROVIDER-legacy][OSSL_PROVIDER-legacy].

### `--pending-deprecation`

<!-- YAML
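Review bot: The new `--openssl-legacy-provider` section says only that the flag enables the legacy provider, without telling the reader what that changes or on which builds the flag exists. The option field in src/node_options.h is compiled under `#if OPENSSL_VERSION_MAJOR >= 3`, so state here that the flag is present only when Node.js is built against OpenSSL 3, and name one algorithm it makes available again (the commit message uses `md4`).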
Expand Down Expand Up @@ -1592,6 +1601,7 @@ Node.js options that are allowed are:
* `--no-warnings`
* `--node-memory-debug`
* `--openssl-config`
* `--openssl-legacy-provider`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
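Review bot: The `--openssl-legacy-provider` entry is added to the list of options allowed in `NODE_OPTIONS` unconditionally, although the option is compiled only under `#if OPENSSL_VERSION_MAJOR >= 3`, and the docs do not mention that the legacy provider can therefore be switched on from the environment alone. Mark the entry as available only on OpenSSL 3 builds, and add a sentence to the flag's own section saying it is accepted through `NODE_OPTIONS`, so operators know to audit the environment as well as the command line.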
Expand Down Expand Up @@ -1952,6 +1962,7 @@ $ node --max-old-space-size=1536 index.js
[ECMAScript module loader]: esm.md#loaders
[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
[Modules loaders]: packages.md#modules-loaders
[OSSL_PROVIDER-legacy]: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
[REPL]: repl.md
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
[Source Map]: https://sourcemaps.info/spec.html
10 changes: 10 additions & 0 deletions src/crypto/crypto_util.cc
Expand Up @@ -148,6 +148,16 @@ void InitCryptoOnce() {
}
#endif

#if OPENSSL_VERSION_MAJOR >= 3
// --openssl-legacy-provider
if (per_process::cli_options->openssl_legacy_provider) {
OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
if (legacy_provider == nullptr) {
fprintf(stderr, "Unable to load legacy provider.\n");
}
}
#endif

OPENSSL_init_ssl(0, settings);
OPENSSL_INIT_free(settings);
settings = nullptr;
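Review bot: In the `legacy_provider == nullptr` branch, a failed `OSSL_PROVIDER_load(nullptr, "legacy")` only prints "Unable to load legacy provider." and initialization carries on, so a user who explicitly asked for the provider learns of the failure later through an unsupported-algorithm error far from the cause. Either exit with a non-zero status here or, at minimum, append the OpenSSL error queue text to the message so that a wrong `OPENSSL_MODULES` path can be diagnosed from the output.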
3 changes: 3 additions & 0 deletions src/node_options.cc
Expand Up @@ -5,6 +5,9 @@
#include "node_binding.h"
#include "node_external_reference.h"
#include "node_internals.h"
#if HAVE_OPENSSL
#include "openssl/opensslv.h"
#endif

#include <errno.h>
#include <sstream>
7 changes: 7 additions & 0 deletions src/node_options.h
Expand Up @@ -11,6 +11,10 @@
#include "node_mutex.h"
#include "util.h"

#if HAVE_OPENSSL
#include "openssl/opensslv.h"
#endif

namespace node {

class HostPort {
Expand Down Expand Up @@ -252,6 +256,9 @@ class PerProcessOptions : public Options {
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
#endif
#if OPENSSL_VERSION_MAJOR >= 3
bool openssl_legacy_provider = false;
#endif

// Per-process because reports can be triggered outside a known V8 context.
bool report_on_fatalerror = false;
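Review bot: The guard `#if OPENSSL_VERSION_MAJOR >= 3` around `openssl_legacy_provider` depends on `openssl/opensslv.h`, which this header includes only under `#if HAVE_OPENSSL`, so in a build without OpenSSL the macro is undefined and the condition silently evaluates to 0. The result is correct but implicit, and it warns under `-Wundef`; write `#if HAVE_OPENSSL && defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3` so the dependency is visible at the point of use.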
Expand Up @@ -43,13 +43,18 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
}
}

if (!common.hasOpenSSL3) {
documented.delete('--openssl-legacy-provider');
}

// Filter out options that are conditionally present.
const conditionalOpts = [
{
include: common.hasCrypto,
filter: (opt) => {
return [
'--openssl-config',
common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',
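Review bot: The ternary `common.hasOpenSSL3 ? '--openssl-legacy-provider' : ''` places an empty string in the option list on builds without OpenSSL 3; a conditional spread, `...(common.hasOpenSSL3 ? ['--openssl-legacy-provider'] : [])`, states the intent without a dummy entry. Separately, of the five files changed this is the only test, and it only reconciles the documented and allowed option lists; add a test that starts Node.js with the flag and checks that a legacy algorithm such as `md4` (the commit message's example) becomes usable, skipped when `common.hasOpenSSL3` is false.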