Skip to content

Commit

Permalink
src: add --openssl-legacy-provider option
Browse files Browse the repository at this point in the history
This commit adds an option to Node.js named --openssl-legacy-provider
and if specified will load OpenSSL 3.0 Legacy provider.

$ ./node --help
...
--openssl-legacy-provider  enable OpenSSL 3.0 legacy provider

Example usage:

$ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}

Co-authored-by: Richard Lau <[email protected]>

Refs: #40455
PR-URL: #40478
Backport-PR-URL: #42972
Refs: #40455
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
  • Loading branch information
danbev authored and juanarbol committed May 31, 2022
1 parent b714b5d commit 55bbdd7
Show file tree
Hide file tree
Showing 5 changed files with 35 additions and 0 deletions.
10 changes: 10 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -737,6 +737,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.

### `--openssl-legacy-provider`
<!-- YAML
added: REPLACEME
-->

Enable OpenSSL 3.0 legacy provider. For more information please see
[OSSL_PROVIDER-legacy][].

### `--pending-deprecation`

<!-- YAML
Expand Down Expand Up @@ -1597,6 +1605,7 @@ Node.js options that are allowed are:
* `--no-warnings`
* `--node-memory-debug`
* `--openssl-config`
* `--openssl-legacy-provider`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
Expand Down Expand Up @@ -1957,6 +1966,7 @@ $ node --max-old-space-size=1536 index.js
[ECMAScript module loader]: esm.md#loaders
[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
[Modules loaders]: packages.md#modules-loaders
[OSSL_PROVIDER-legacy]: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
[REPL]: repl.md
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
[Source Map]: https://sourcemaps.info/spec.html
Expand Down
10 changes: 10 additions & 0 deletions src/crypto/crypto_util.cc
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,16 @@ void InitCryptoOnce() {
}
#endif

#if OPENSSL_VERSION_MAJOR >= 3
// --openssl-legacy-provider
if (per_process::cli_options->openssl_legacy_provider) {
OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
if (legacy_provider == nullptr) {
fprintf(stderr, "Unable to load legacy provider.\n");
}
}
#endif

OPENSSL_init_ssl(0, settings);
OPENSSL_INIT_free(settings);
settings = nullptr;
Expand Down
3 changes: 3 additions & 0 deletions src/node_options.cc
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@
#include "node_binding.h"
#include "node_external_reference.h"
#include "node_internals.h"
#if HAVE_OPENSSL
#include "openssl/opensslv.h"
#endif

#include <errno.h>
#include <sstream>
Expand Down
7 changes: 7 additions & 0 deletions src/node_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@
#include "node_mutex.h"
#include "util.h"

#if HAVE_OPENSSL
#include "openssl/opensslv.h"
#endif

namespace node {

class HostPort {
Expand Down Expand Up @@ -252,6 +256,9 @@ class PerProcessOptions : public Options {
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
#endif
#if OPENSSL_VERSION_MAJOR >= 3
bool openssl_legacy_provider = false;
#endif

// Per-process because reports can be triggered outside a known V8 context.
bool report_on_fatalerror = false;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,18 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
}
}

if (!common.hasOpenSSL3) {
documented.delete('--openssl-legacy-provider');
}

// Filter out options that are conditionally present.
const conditionalOpts = [
{
include: common.hasCrypto,
filter: (opt) => {
return [
'--openssl-config',
common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',
Expand Down

0 comments on commit 55bbdd7

Please sign in to comment.