Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 1 | From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Bevenius <daniel.bevenius@gmail.com> |
| 3 | Date: Sat, 16 Oct 2021 08:50:16 +0200 |
| 4 | Subject: [PATCH] src: add --openssl-legacy-provider option |
| 5 | |
| 6 | This commit adds an option to Node.js named --openssl-legacy-provider |
| 7 | and if specified will load OpenSSL 3.0 Legacy provider. |
| 8 | |
| 9 | $ ./node --help |
| 10 | ... |
| 11 | --openssl-legacy-provider enable OpenSSL 3.0 legacy provider |
| 12 | |
| 13 | Example usage: |
| 14 | |
| 15 | $ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' |
| 16 | Hash { |
| 17 | _options: undefined, |
| 18 | [Symbol(kHandle)]: Hash {}, |
| 19 | [Symbol(kState)]: { [Symbol(kFinalized)]: false } |
| 20 | } |
| 21 | |
| 22 | Co-authored-by: Richard Lau <rlau@redhat.com> |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 23 | Signed-off-by: Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| 24 | Upstream-Status: Backport [https://github.com/nodejs/node/issues/40455] |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 25 | --- |
| 26 | doc/api/cli.md | 10 ++++++++++ |
| 27 | src/crypto/crypto_util.cc | 10 ++++++++++ |
| 28 | src/node_options.cc | 10 ++++++++++ |
| 29 | src/node_options.h | 7 +++++++ |
| 30 | .../test-process-env-allowed-flags-are-documented.js | 5 +++++ |
| 31 | 5 files changed, 42 insertions(+) |
| 32 | |
| 33 | diff --git a/doc/api/cli.md b/doc/api/cli.md |
| 34 | index 74057706bf8d..608b9cdeddf1 100644 |
| 35 | --- a/doc/api/cli.md |
| 36 | +++ b/doc/api/cli.md |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 37 | @@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 38 | used to enable FIPS-compliant crypto if Node.js is built |
| 39 | against FIPS-enabled OpenSSL. |
| 40 | |
| 41 | +### `--openssl-legacy-provider` |
| 42 | +<!-- YAML |
| 43 | +added: REPLACEME |
| 44 | +--> |
| 45 | + |
| 46 | +Enable OpenSSL 3.0 legacy provider. For more information please see |
| 47 | +[providers readme][]. |
| 48 | + |
| 49 | ### `--pending-deprecation` |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 50 | |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 51 | <!-- YAML |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 52 | @@ -1544,6 +1552,7 @@ Node.js options that are allowed are: |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 53 | * `--no-warnings` |
| 54 | * `--node-memory-debug` |
| 55 | * `--openssl-config` |
| 56 | +* `--openssl-legacy-provider` |
| 57 | * `--pending-deprecation` |
| 58 | * `--policy-integrity` |
| 59 | * `--preserve-symlinks-main` |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 60 | @@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js |
| 61 | [emit_warning]: process.md#processemitwarningwarning-options |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 62 | [jitless]: https://v8.dev/blog/jitless |
| 63 | [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html |
| 64 | +[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md |
| 65 | [remote code execution]: https://www.owasp.org/index.php/Code_Injection |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 66 | [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 67 | [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 68 | diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc |
| 69 | index 7e0c8ba3eb60..796ea3025e41 100644 |
| 70 | --- a/src/crypto/crypto_util.cc |
| 71 | +++ b/src/crypto/crypto_util.cc |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 72 | @@ -148,6 +148,16 @@ void InitCryptoOnce() { |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 73 | } |
| 74 | #endif |
| 75 | |
| 76 | +#if OPENSSL_VERSION_MAJOR >= 3 |
| 77 | + // --openssl-legacy-provider |
| 78 | + if (per_process::cli_options->openssl_legacy_provider) { |
| 79 | + OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy"); |
| 80 | + if (legacy_provider == nullptr) { |
| 81 | + fprintf(stderr, "Unable to load legacy provider.\n"); |
| 82 | + } |
| 83 | + } |
| 84 | +#endif |
| 85 | + |
| 86 | OPENSSL_init_ssl(0, settings); |
| 87 | OPENSSL_INIT_free(settings); |
| 88 | settings = nullptr; |
| 89 | diff --git a/src/node_options.cc b/src/node_options.cc |
| 90 | index 00bdc6688a4c..3363860919a9 100644 |
| 91 | --- a/src/node_options.cc |
| 92 | +++ b/src/node_options.cc |
| 93 | @@ -4,6 +4,9 @@ |
| 94 | #include "env-inl.h" |
| 95 | #include "node_binding.h" |
| 96 | #include "node_internals.h" |
| 97 | +#if HAVE_OPENSSL |
| 98 | +#include "openssl/opensslv.h" |
| 99 | +#endif |
| 100 | |
| 101 | #include <errno.h> |
| 102 | #include <sstream> |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 103 | diff --git a/src/node_options.h b/src/node_options.h |
| 104 | index fd772478d04d..1c0e018ab16f 100644 |
| 105 | --- a/src/node_options.h |
| 106 | +++ b/src/node_options.h |
| 107 | @@ -11,6 +11,10 @@ |
| 108 | #include "node_mutex.h" |
| 109 | #include "util.h" |
| 110 | |
| 111 | +#if HAVE_OPENSSL |
| 112 | +#include "openssl/opensslv.h" |
| 113 | +#endif |
| 114 | + |
| 115 | namespace node { |
| 116 | |
| 117 | class HostPort { |
| 118 | @@ -251,6 +255,9 @@ class PerProcessOptions : public Options { |
| 119 | bool enable_fips_crypto = false; |
| 120 | bool force_fips_crypto = false; |
| 121 | #endif |
| 122 | +#if OPENSSL_VERSION_MAJOR >= 3 |
| 123 | + bool openssl_legacy_provider = false; |
| 124 | +#endif |
| 125 | |
| 126 | // Per-process because reports can be triggered outside a known V8 context. |
| 127 | bool report_on_fatalerror = false; |
| 128 | diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js |
| 129 | index 64626b71f019..8a4e35997907 100644 |
| 130 | --- a/test/parallel/test-process-env-allowed-flags-are-documented.js |
| 131 | +++ b/test/parallel/test-process-env-allowed-flags-are-documented.js |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 132 | @@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) { |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 133 | } |
| 134 | } |
| 135 | |
| 136 | +if (!common.hasOpenSSL3) { |
| 137 | + documented.delete('--openssl-legacy-provider'); |
| 138 | +} |
| 139 | + |
| 140 | // Filter out options that are conditionally present. |
| 141 | const conditionalOpts = [ |
| 142 | { |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 143 | @@ -50,6 +54,7 @@ const conditionalOpts = [ |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 144 | filter: (opt) => { |
| 145 | return [ |
| 146 | '--openssl-config', |
| 147 | + common.hasOpenSSL3 ? '--openssl-legacy-provider' : '', |
| 148 | '--tls-cipher-list', |
| 149 | '--use-bundled-ca', |
| 150 | '--use-openssl-ca', |
| 151 | |