
src: add --openssl-legacy-provider option
This commit adds an option to Node.js named --openssl-legacy-provider
which, if specified, loads the OpenSSL 3.0 legacy provider.

$ ./node --help
...
--openssl-legacy-provider  enable OpenSSL 3.0 legacy provider

Example usage:

$ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Co-authored-by: Richard Lau <[email protected]>

Refs: #40455
danbev committed Oct 18, 2021
1 parent 9bb7bd8 commit 86d1c0c
Showing 5 changed files with 42 additions and 0 deletions.
10 changes: 10 additions & 0 deletions doc/api/cli.md
Expand Up @@ -670,6 +670,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.

### `--openssl-legacy-provider`
<!-- YAML
added: REPLACEME
-->

Enable OpenSSL 3.0 legacy provider. For more information please see
[providers readme][].

### `--pending-deprecation`
<!-- YAML
added: v8.0.0
Expand Down Expand Up @@ -1463,6 +1471,7 @@ Node.js options that are allowed are:
* `--no-warnings`
* `--node-memory-debug`
* `--openssl-config`
* `--openssl-legacy-provider`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
Expand Down Expand Up @@ -1837,6 +1846,7 @@ $ node --max-old-space-size=1536 index.js
[emit_warning]: process.md#processemitwarningwarning-options
[jitless]: https://v8.dev/blog/jitless
[libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
[remote code execution]: https://www.owasp.org/index.php/Code_Injection
[security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
[timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
10 changes: 10 additions & 0 deletions src/crypto/crypto_util.cc
Expand Up @@ -136,6 +136,16 @@ void InitCryptoOnce() {
}
#endif

#if OPENSSL_VERSION_MAJOR >= 3
// --openssl-legacy-provider
if (per_process::cli_options->openssl_legacy_provider) {
OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
if (legacy_provider == nullptr) {
fprintf(stderr, "Unable to load legacy provider.\n");
}
}
#endif

OPENSSL_init_ssl(0, settings);
OPENSSL_INIT_free(settings);
settings = nullptr;
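Review bot: A failed OSSL_PROVIDER_load in the `if (legacy_provider == nullptr)` branch is reported with a fixed message and then ignored, so a user who explicitly asked for the provider starts up without it and only learns the reason (typically that the legacy module could not be found or loaded) when the first legacy algorithm fails later. Draining the OpenSSL error queue right after the fprintf, `ERR_print_errors_fp(stderr);`, surfaces that reason at startup; whether startup should abort instead of continuing is a decision worth recording in a comment on that branch. Explicitly loading a provider also switches off OpenSSL 3's fallback activation of the default provider, so the configuration applied by `OPENSSL_init_ssl(0, settings)` below must activate it — presumably Node's bundled config does, but that is worth confirming and stating in the `// --openssl-legacy-provider` comment. InitCryptoOnce begins before this hunk.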
10 changes: 10 additions & 0 deletions src/node_options.cc
Expand Up @@ -4,6 +4,9 @@
#include "env-inl.h"
#include "node_binding.h"
#include "node_internals.h"
#if HAVE_OPENSSL
#include "openssl/opensslv.h"
#endif

#include <errno.h>
#include <sstream>
Expand Down Expand Up @@ -814,6 +817,13 @@ PerProcessOptionsParser::PerProcessOptionsParser(
&PerProcessOptions::secure_heap_min,
kAllowedInEnvironment);
#endif
#if OPENSSL_VERSION_MAJOR >= 3
AddOption("--openssl-legacy-provider",
"enable OpenSSL 3.0 legacy provider",
&PerProcessOptions::openssl_legacy_provider,
kAllowedInEnvironment);

#endif // OPENSSL_VERSION_MAJOR
AddOption("--use-largepages",
"Map the Node.js static code to large pages. Options are "
"'off' (the default value, meaning do not map), "
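Review bot: The guard `#if OPENSSL_VERSION_MAJOR >= 3` around the new AddOption relies on an undefined macro evaluating to 0 in builds without OpenSSL, because `openssl/opensslv.h` is only included under `#if HAVE_OPENSSL`; that works but trips -Wundef and is less explicit than the surrounding `#if HAVE_OPENSSL` blocks. Writing it as `#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3` here, and for the matching field guard in src/node_options.h, makes the dependency visible and keeps the two guards consistent; the stray blank line before `#endif // OPENSSL_VERSION_MAJOR` can go at the same time. Since the option carries kAllowedInEnvironment it can also be switched on through NODE_OPTIONS, and a one-line comment noting that it enables the legacy algorithm set for the whole process would help readers of this parser. The PerProcessOptionsParser constructor starts before this hunk.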
7 changes: 7 additions & 0 deletions src/node_options.h
Expand Up @@ -11,6 +11,10 @@
#include "node_mutex.h"
#include "util.h"

#if HAVE_OPENSSL
#include "openssl/opensslv.h"
#endif

namespace node {

class HostPort {
Expand Down Expand Up @@ -252,6 +256,9 @@ class PerProcessOptions : public Options {
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
#endif
#if OPENSSL_VERSION_MAJOR >= 3
bool openssl_legacy_provider = false;
#endif

// Per-process because reports can be triggered outside a known V8 context.
bool report_on_fatalerror = false;
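Review bot: The new `bool openssl_legacy_provider = false;` is the only field in this run without a comment, while the neighbouring `report_on_fatalerror` explains its purpose; a short comment above it, `// --openssl-legacy-provider: load OpenSSL 3's "legacy" provider at startup.`, would document what the flag controls without readers having to find the consumer in crypto_util.cc. The PerProcessOptions class continues outside the hunk.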
Expand Up @@ -40,13 +40,18 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
}
}

if (!common.hasOpenSSL3) {
documented.delete('--openssl-legacy-provider');
}

// Filter out options that are conditionally present.
const conditionalOpts = [
{
include: common.hasCrypto,
filter: (opt) => {
return [
'--openssl-config',
common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',
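Review bot: The conditional entry `common.hasOpenSSL3 ? '--openssl-legacy-provider' : ''` puts an empty string into the filter list on non-OpenSSL-3 builds, and whether that placeholder is harmless depends on how the list is consumed further down, outside the hunk. A spread, `...(common.hasOpenSSL3 ? ['--openssl-legacy-provider'] : []),` adds the option only when it exists and leaves nothing behind otherwise. The `documented.delete` block above already removes the option on older OpenSSL, so a one-line comment there (`// Only documented for OpenSSL 3 builds; see conditionalOpts below.`) would tie the two edits together. The filter function continues past the end of the hunk.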
