meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch - openbmc/openbmc - Gitiles

 From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
 From: Daniel Bevenius <daniel.bevenius@gmail.com>
 Date: Sat, 16 Oct 2021 08:50:16 +0200
 Subject: [PATCH] src: add --openssl-legacy-provider option

 This commit adds an option to Node.js named --openssl-legacy-provider
 and if specified will load OpenSSL 3.0 Legacy provider.

 $ ./node --help
 ...
 --openssl-legacy-provider  enable OpenSSL 3.0 legacy provider

 Example usage:

 $ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'
 Hash {
   _options: undefined,
   [Symbol(kHandle)]: Hash {},
   [Symbol(kState)]: { [Symbol(kFinalized)]: false }
 }

 Co-authored-by: Richard Lau <rlau@redhat.com>
 Signed-off-by: Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 Upstream-Status: Backport [https://github.com/nodejs/node/issues/40455]
 ---
  doc/api/cli.md                                         | 10 ++++++++++
  src/crypto/crypto_util.cc                              | 10 ++++++++++
  src/node_options.cc                                    | 10 ++++++++++
  src/node_options.h                                     |  7 +++++++
  .../test-process-env-allowed-flags-are-documented.js   |  5 +++++
  5 files changed, 42 insertions(+)

 diff --git a/doc/api/cli.md b/doc/api/cli.md
 index 74057706bf8d..608b9cdeddf1 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
 @@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
  used to enable FIPS-compliant crypto if Node.js is built
  against FIPS-enabled OpenSSL.

 +### `--openssl-legacy-provider`
 +<!-- YAML
 +added: REPLACEME
 +-->
 +
 +Enable OpenSSL 3.0 legacy provider. For more information please see
 +[providers readme][].
 +
  ### `--pending-deprecation`

  <!-- YAML
 @@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
  * `--no-warnings`
  * `--node-memory-debug`
  * `--openssl-config`
 +* `--openssl-legacy-provider`
  * `--pending-deprecation`
  * `--policy-integrity`
  * `--preserve-symlinks-main`
 @@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
  [emit_warning]: process.md#processemitwarningwarning-options
  [jitless]: https://v8.dev/blog/jitless
  [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
 +[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
  [remote code execution]: https://www.owasp.org/index.php/Code_Injection
  [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
  [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
 index 7e0c8ba3eb60..796ea3025e41 100644
 --- a/src/crypto/crypto_util.cc
 +++ b/src/crypto/crypto_util.cc
 @@ -148,6 +148,16 @@ void InitCryptoOnce() {
    }
  #endif

 +#if OPENSSL_VERSION_MAJOR >= 3
 +  // --openssl-legacy-provider
 +  if (per_process::cli_options->openssl_legacy_provider) {
 +    OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
 +    if (legacy_provider == nullptr) {
 +      fprintf(stderr, "Unable to load legacy provider.\n");
 +    }
 +  }
 +#endif
 +
    OPENSSL_init_ssl(0, settings);
    OPENSSL_INIT_free(settings);
    settings = nullptr;
 diff --git a/src/node_options.cc b/src/node_options.cc
 index 00bdc6688a4c..3363860919a9 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -4,6 +4,9 @@
  #include "env-inl.h"
  #include "node_binding.h"
  #include "node_internals.h"
 +#if HAVE_OPENSSL
 +#include "openssl/opensslv.h"
 +#endif

  #include <errno.h>
  #include <sstream>
 diff --git a/src/node_options.h b/src/node_options.h
 index fd772478d04d..1c0e018ab16f 100644
 --- a/src/node_options.h
 +++ b/src/node_options.h
 @@ -11,6 +11,10 @@
  #include "node_mutex.h"
  #include "util.h"

 +#if HAVE_OPENSSL
 +#include "openssl/opensslv.h"
 +#endif
 +
  namespace node {

  class HostPort {
 @@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
    bool enable_fips_crypto = false;
    bool force_fips_crypto = false;
  #endif
 +#if OPENSSL_VERSION_MAJOR >= 3
 +  bool openssl_legacy_provider = false;
 +#endif

    // Per-process because reports can be triggered outside a known V8 context.
    bool report_on_fatalerror = false;
 diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
 index 64626b71f019..8a4e35997907 100644
 --- a/test/parallel/test-process-env-allowed-flags-are-documented.js
 +++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
 @@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
    }
  }

 +if (!common.hasOpenSSL3) {
 +  documented.delete('--openssl-legacy-provider');
 +}
 +
  // Filter out options that are conditionally present.
  const conditionalOpts = [
    {
 @@ -50,6 +54,7 @@ const conditionalOpts = [
      filter: (opt) => {
        return [
          '--openssl-config',
 +        common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
          '--tls-cipher-list',
          '--use-bundled-ca',
          '--use-openssl-ca',
	From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
	From: Daniel Bevenius <daniel.bevenius@gmail.com>
	Date: Sat, 16 Oct 2021 08:50:16 +0200
	Subject: [PATCH] src: add --openssl-legacy-provider option

	This commit adds an option to Node.js named --openssl-legacy-provider
	and if specified will load OpenSSL 3.0 Legacy provider.

	$ ./node --help
	...
	--openssl-legacy-provider enable OpenSSL 3.0 legacy provider

	Example usage:

	$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
	Hash {
	_options: undefined,
	[Symbol(kHandle)]: Hash {},
	[Symbol(kState)]: { [Symbol(kFinalized)]: false }
	}

	Co-authored-by: Richard Lau <rlau@redhat.com>
	Signed-off-by: Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
	Upstream-Status: Backport [https://github.com/nodejs/node/issues/40455]
	---
	doc/api/cli.md \| 10 ++++++++++
	src/crypto/crypto_util.cc \| 10 ++++++++++
	src/node_options.cc \| 10 ++++++++++
	src/node_options.h \| 7 +++++++
	.../test-process-env-allowed-flags-are-documented.js \| 5 +++++
	5 files changed, 42 insertions(+)

	diff --git a/doc/api/cli.md b/doc/api/cli.md
	index 74057706bf8d..608b9cdeddf1 100644
	--- a/doc/api/cli.md
	+++ b/doc/api/cli.md
	@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
	used to enable FIPS-compliant crypto if Node.js is built
	against FIPS-enabled OpenSSL.

	+### `--openssl-legacy-provider`
	+<!-- YAML
	+added: REPLACEME
	+-->
	+
	+Enable OpenSSL 3.0 legacy provider. For more information please see
	+[providers readme][].
	+
	### `--pending-deprecation`

	<!-- YAML
	@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
	* `--no-warnings`
	* `--node-memory-debug`
	* `--openssl-config`
	+* `--openssl-legacy-provider`
	* `--pending-deprecation`
	* `--policy-integrity`
	* `--preserve-symlinks-main`
	@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
	[emit_warning]: process.md#processemitwarningwarning-options
	[jitless]: https://v8.dev/blog/jitless
	[libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
	+[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
	[remote code execution]: https://www.owasp.org/index.php/Code_Injection
	[security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
	[timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
	diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
	index 7e0c8ba3eb60..796ea3025e41 100644
	--- a/src/crypto/crypto_util.cc
	+++ b/src/crypto/crypto_util.cc
	@@ -148,6 +148,16 @@ void InitCryptoOnce() {
	}
	#endif

	+#if OPENSSL_VERSION_MAJOR >= 3
	+ // --openssl-legacy-provider
	+ if (per_process::cli_options->openssl_legacy_provider) {
	+ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
	+ if (legacy_provider == nullptr) {
	+ fprintf(stderr, "Unable to load legacy provider.\n");
	+ }
	+ }
	+#endif
	+
	OPENSSL_init_ssl(0, settings);
	OPENSSL_INIT_free(settings);
	settings = nullptr;
	diff --git a/src/node_options.cc b/src/node_options.cc
	index 00bdc6688a4c..3363860919a9 100644
	--- a/src/node_options.cc
	+++ b/src/node_options.cc
	@@ -4,6 +4,9 @@
	#include "env-inl.h"
	#include "node_binding.h"
	#include "node_internals.h"
	+#if HAVE_OPENSSL
	+#include "openssl/opensslv.h"
	+#endif

	#include <errno.h>
	#include <sstream>
	diff --git a/src/node_options.h b/src/node_options.h
	index fd772478d04d..1c0e018ab16f 100644
	--- a/src/node_options.h
	+++ b/src/node_options.h
	@@ -11,6 +11,10 @@
	#include "node_mutex.h"
	#include "util.h"

	+#if HAVE_OPENSSL
	+#include "openssl/opensslv.h"
	+#endif
	+
	namespace node {

	class HostPort {
	@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
	bool enable_fips_crypto = false;
	bool force_fips_crypto = false;
	#endif
	+#if OPENSSL_VERSION_MAJOR >= 3
	+ bool openssl_legacy_provider = false;
	+#endif

	// Per-process because reports can be triggered outside a known V8 context.
	bool report_on_fatalerror = false;
	diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
	index 64626b71f019..8a4e35997907 100644
	--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
	+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
	@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
	}
	}

	+if (!common.hasOpenSSL3) {
	+ documented.delete('--openssl-legacy-provider');
	+}
	+
	// Filter out options that are conditionally present.
	const conditionalOpts = [
	{
	@@ -50,6 +54,7 @@ const conditionalOpts = [
	filter: (opt) => {
	return [
	'--openssl-config',
	+ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
	'--tls-cipher-list',
	'--use-bundled-ca',
	'--use-openssl-ca',