* [meta-oe][PATCH] nodejs: add option to use openssl legacy providers
From: Andrej Valek @ 2022-02-18 13:31 UTC (permalink / raw)
To: openembedded-devel; +Cc: Andrej Valek
Current nodejs version does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
...5-add-openssl-legacy-provider-option.patch | 165 ++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_16.11.1.bb | 1 +
2 files changed, 166 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
new file mode 100644
index 000000000..2e66a0282
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
@@ -0,0 +1,165 @@
+From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Sat, 16 Oct 2021 08:50:16 +0200
+Subject: [PATCH] src: add --openssl-legacy-provider option
+
+This commit adds an option to Node.js named --openssl-legacy-provider
+and if specified will load OpenSSL 3.0 Legacy provider.
+
+$ ./node --help
+...
+--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
+
+Example usage:
+
+$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
+Hash {
+ _options: undefined,
+ [Symbol(kHandle)]: Hash {},
+ [Symbol(kState)]: { [Symbol(kFinalized)]: false }
+}
+
+Co-authored-by: Richard Lau <rlau@redhat.com>
+
+Refs: https://github.com/nodejs/node/issues/40455
+---
+ doc/api/cli.md | 10 ++++++++++
+ src/crypto/crypto_util.cc | 10 ++++++++++
+ src/node_options.cc | 10 ++++++++++
+ src/node_options.h | 7 +++++++
+ .../test-process-env-allowed-flags-are-documented.js | 5 +++++
+ 5 files changed, 42 insertions(+)
+
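Review bot: the header of the embedded 0005-add-openssl-legacy-provider-option.patch has no Upstream-Status: line and no Signed-off-by: from the person importing it; only the original author's From: and the Co-authored-by: trailer are present. Please add an Upstream-Status: tag describing the patch's upstream state and your own Signed-off-by: above the `---` separator, so that whoever does the next recipe upgrade can tell from the patch itself whether it is still needed.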
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 74057706bf8d..608b9cdeddf1 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -652,6 +652,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
+ used to enable FIPS-compliant crypto if Node.js is built
+ against FIPS-enabled OpenSSL.
+
++### `--openssl-legacy-provider`
++<!-- YAML
++added: REPLACEME
++-->
++
++Enable OpenSSL 3.0 legacy provider. For more information please see
++[providers readme][].
++
+ ### `--pending-deprecation`
+ <!-- YAML
+ added: v8.0.0
+@@ -1444,6 +1452,7 @@ Node.js options that are allowed are:
+ * `--no-warnings`
+ * `--node-memory-debug`
+ * `--openssl-config`
++* `--openssl-legacy-provider`
+ * `--pending-deprecation`
+ * `--policy-integrity`
+ * `--preserve-symlinks-main`
+@@ -1814,6 +1823,7 @@ $ node --max-old-space-size=1536 index.js
+ [emit_warning]: process.md#process_process_emitwarning_warning_type_code_ctor
+ [jitless]: https://v8.dev/blog/jitless
+ [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
+ [remote code execution]: https://www.owasp.org/index.php/Code_Injection
+ [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+ [ways that `TZ` is handled in other environments]: https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 7e0c8ba3eb60..796ea3025e41 100644
+--- a/src/crypto/crypto_util.cc
++++ b/src/crypto/crypto_util.cc
+@@ -136,6 +136,16 @@ void InitCryptoOnce() {
+ }
+ #endif
+
++#if OPENSSL_VERSION_MAJOR >= 3
++ // --openssl-legacy-provider
++ if (per_process::cli_options->openssl_legacy_provider) {
++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
++ if (legacy_provider == nullptr) {
++ fprintf(stderr, "Unable to load legacy provider.\n");
++ }
++ }
++#endif
++
+ OPENSSL_init_ssl(0, settings);
+ OPENSSL_INIT_free(settings);
+ settings = nullptr;
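Review bot: in the InitCryptoOnce() hunk a failed OSSL_PROVIDER_load(nullptr, "legacy") is only reported with a fixed fprintf and startup continues, so a user who explicitly asked for the legacy provider does not get it and the first real signal is a later exception from whichever crypto call needed it. Consider treating the failure as fatal for an explicitly requested flag, or at least printing the OpenSSL error queue (for example with ERR_print_errors_fp(stderr)) so the message says why the module could not be loaded. The returned handle is also a local that is never kept or unloaded.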
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 00bdc6688a4c..3363860919a9 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -4,6 +4,9 @@
+ #include "env-inl.h"
+ #include "node_binding.h"
+ #include "node_internals.h"
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
+
+ #include <errno.h>
+ #include <sstream>
+@@ -809,6 +812,13 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+ &PerProcessOptions::secure_heap_min,
+ kAllowedInEnvironment);
+ #endif
++#if OPENSSL_VERSION_MAJOR >= 3
++ AddOption("--openssl-legacy-provider",
++ "enable OpenSSL 3.0 legacy provider",
++ &PerProcessOptions::openssl_legacy_provider,
++ kAllowedInEnvironment);
++
++#endif // OPENSSL_VERSION_MAJOR
+ AddOption("--use-largepages",
+ "Map the Node.js static code to large pages. Options are "
+ "'off' (the default value, meaning do not map), "
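Review bot: registering the flag with kAllowedInEnvironment means it can be switched on through NODE_OPTIONS as well as on the command line, so whatever controls a process's environment can bring back the algorithms the legacy provider carries (the commit message's own example is MD4). That may be intended, but neither the help string "enable OpenSSL 3.0 legacy provider" nor the cli.md text says so; please state it in the documentation. Minor style point: there is a stray blank line before `#endif // OPENSSL_VERSION_MAJOR`.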
+diff --git a/src/node_options.h b/src/node_options.h
+index fd772478d04d..1c0e018ab16f 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -11,6 +11,10 @@
+ #include "node_mutex.h"
+ #include "util.h"
+
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
++
+ namespace node {
+
+ class HostPort {
+@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+ #endif
++#if OPENSSL_VERSION_MAJOR >= 3
++ bool openssl_legacy_provider = false;
++#endif
+
+ // Per-process because reports can be triggered outside a known V8 context.
+ bool report_on_fatalerror = false;
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 64626b71f019..8a4e35997907 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -40,6 +40,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
+ }
+ }
+
++if (!common.hasOpenSSL3) {
++ documented.delete('--openssl-legacy-provider');
++}
++
+ // Filter out options that are conditionally present.
+ const conditionalOpts = [
+ {
+@@ -47,6 +51,7 @@ const conditionalOpts = [
+ filter: (opt) => {
+ return [
+ '--openssl-config',
++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
+ '--tls-cipher-list',
+ '--use-bundled-ca',
+ '--use-openssl-ca',
+
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.11.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.11.1.bb
index 72fbecb8f..7d8f08a38 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.11.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.11.1.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
file://0002-Install-both-binaries-and-use-libdir.patch \
file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://0005-add-openssl-legacy-provider-option.patch \
file://big-endian.patch \
file://mips-less-memory.patch \
file://system-c-ares.patch \
--
2.34.1
* [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
From: Andrej Valek @ 2022-03-05 13:16 UTC (permalink / raw)
To: openembedded-devel; +Cc: raj.khem, zboszor, Andrej Valek
Current nodejs version v16 does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
It was blindly removed by upgrade to 16.14.0 version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
2 files changed, 152 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
new file mode 100644
index 000000000..5af6c6114
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
@@ -0,0 +1,151 @@
+From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Sat, 16 Oct 2021 08:50:16 +0200
+Subject: [PATCH] src: add --openssl-legacy-provider option
+
+This commit adds an option to Node.js named --openssl-legacy-provider
+and if specified will load OpenSSL 3.0 Legacy provider.
+
+$ ./node --help
+...
+--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
+
+Example usage:
+
+$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
+Hash {
+ _options: undefined,
+ [Symbol(kHandle)]: Hash {},
+ [Symbol(kState)]: { [Symbol(kFinalized)]: false }
+}
+
+Co-authored-by: Richard Lau <rlau@redhat.com>
+
+Refs: https://github.com/nodejs/node/issues/40455
+---
+ doc/api/cli.md | 10 ++++++++++
+ src/crypto/crypto_util.cc | 10 ++++++++++
+ src/node_options.cc | 10 ++++++++++
+ src/node_options.h | 7 +++++++
+ .../test-process-env-allowed-flags-are-documented.js | 5 +++++
+ 5 files changed, 42 insertions(+)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 74057706bf8d..608b9cdeddf1 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
+ used to enable FIPS-compliant crypto if Node.js is built
+ against FIPS-enabled OpenSSL.
+
++### `--openssl-legacy-provider`
++<!-- YAML
++added: REPLACEME
++-->
++
++Enable OpenSSL 3.0 legacy provider. For more information please see
++[providers readme][].
++
+ ### `--pending-deprecation`
+
+ <!-- YAML
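Review bot: the new `--openssl-legacy-provider` section in cli.md still carries the `added: REPLACEME` placeholder and describes the flag only as "Enable OpenSSL 3.0 legacy provider". Nothing in this patch replaces the placeholder, and the text gives no hint that the provider re-enables algorithms OpenSSL 3.0 no longer offers by default, such as the MD4 hash used in the commit message's example. A sentence saying that, and that the flag is meant for workloads that still depend on those algorithms, would make the documentation usable on its own.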
+@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
+ * `--no-warnings`
+ * `--node-memory-debug`
+ * `--openssl-config`
++* `--openssl-legacy-provider`
+ * `--pending-deprecation`
+ * `--policy-integrity`
+ * `--preserve-symlinks-main`
+@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
+ [emit_warning]: process.md#processemitwarningwarning-options
+ [jitless]: https://v8.dev/blog/jitless
+ [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
+ [remote code execution]: https://www.owasp.org/index.php/Code_Injection
+ [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
+ [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 7e0c8ba3eb60..796ea3025e41 100644
+--- a/src/crypto/crypto_util.cc
++++ b/src/crypto/crypto_util.cc
+@@ -148,6 +148,16 @@ void InitCryptoOnce() {
+ }
+ #endif
+
++#if OPENSSL_VERSION_MAJOR >= 3
++ // --openssl-legacy-provider
++ if (per_process::cli_options->openssl_legacy_provider) {
++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
++ if (legacy_provider == nullptr) {
++ fprintf(stderr, "Unable to load legacy provider.\n");
++ }
++ }
++#endif
++
+ OPENSSL_init_ssl(0, settings);
+ OPENSSL_INIT_free(settings);
+ settings = nullptr;
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 00bdc6688a4c..3363860919a9 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -4,6 +4,9 @@
+ #include "env-inl.h"
+ #include "node_binding.h"
+ #include "node_internals.h"
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
+
+ #include <errno.h>
+ #include <sstream>
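Review bot: the src/node_options.cc section of v2 contains only the three-line include hunk, while the embedded diffstat still lists 10 insertions for that file and the outer hunk shrank from 165 to 151 lines. The v1 posting had a second hunk here that registered the flag with AddOption("--openssl-legacy-provider", ...) and bound it to PerProcessOptions::openssl_legacy_provider; without it, nothing visible in this patch sets the field that the crypto_util.cc hunk tests. Please either restore that hunk or explain in the commit message why it is not needed against 16.14.0, and regenerate the diffstat.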
+diff --git a/src/node_options.h b/src/node_options.h
+index fd772478d04d..1c0e018ab16f 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -11,6 +11,10 @@
+ #include "node_mutex.h"
+ #include "util.h"
+
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
++
+ namespace node {
+
+ class HostPort {
+@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+ #endif
++#if OPENSSL_VERSION_MAJOR >= 3
++ bool openssl_legacy_provider = false;
++#endif
+
+ // Per-process because reports can be triggered outside a known V8 context.
+ bool report_on_fatalerror = false;
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 64626b71f019..8a4e35997907 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
+ }
+ }
+
++if (!common.hasOpenSSL3) {
++ documented.delete('--openssl-legacy-provider');
++}
++
+ // Filter out options that are conditionally present.
+ const conditionalOpts = [
+ {
+@@ -50,6 +54,7 @@ const conditionalOpts = [
+ filter: (opt) => {
+ return [
+ '--openssl-config',
++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
+ '--tls-cipher-list',
+ '--use-bundled-ca',
+ '--use-openssl-ca',
+
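Review bot: in the conditionalOpts filter, `common.hasOpenSSL3 ? '--openssl-legacy-provider' : ''` puts an empty string into the returned list on builds without OpenSSL 3. Spreading a conditional array instead, `...(common.hasOpenSSL3 ? ['--openssl-legacy-provider'] : [])`, avoids the dummy entry and matches the `if (!common.hasOpenSSL3)` guard used in the previous hunk.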
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
index 9514ec499..7b9644ec8 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
file://0002-Install-both-binaries-and-use-libdir.patch \
file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://0005-add-openssl-legacy-provider-option.patch \
file://big-endian.patch \
file://mips-less-memory.patch \
file://system-c-ares.patch \
--
2.34.1
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
From: akuster808 @ 2022-03-05 19:47 UTC (permalink / raw)
To: Andrej Valek, openembedded-devel; +Cc: raj.khem, zboszor
On 3/5/22 05:16, Andrej Valek wrote:
> Current nodejs version v16 does not fully support new OpenSSL, so add option
> to use legacy provider.
>
> | opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
> | library: 'digital envelope routines',
> | reason: 'unsupported',
> | code: 'ERR_OSSL_EVP_UNSUPPORTED'
>
> It was blindly removed by upgrade to 16.14.0 version
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
> .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
> 2 files changed, 152 insertions(+)
> create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
>
> diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> new file mode 100644
> index 000000000..5af6c6114
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> @@ -0,0 +1,151 @@
> +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
> +From: Daniel Bevenius <daniel.bevenius@gmail.com>
> +Date: Sat, 16 Oct 2021 08:50:16 +0200
> +Subject: [PATCH] src: add --openssl-legacy-provider option
> +
> +This commit adds an option to Node.js named --openssl-legacy-provider
> +and if specified will load OpenSSL 3.0 Legacy provider.
> +
> +$ ./node --help
> +...
> +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
> +
> +Example usage:
> +
> +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
> +Hash {
> + _options: undefined,
> + [Symbol(kHandle)]: Hash {},
> + [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> +}
> +
> +Co-authored-by: Richard Lau <rlau@redhat.com>
> +
> +Refs: https://github.com/nodejs/node/issues/40455
The patch itself is missing:
Signed-off-by: "you"
Upstream-Status: (see
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines)
> +---
> + doc/api/cli.md | 10 ++++++++++
> + src/crypto/crypto_util.cc | 10 ++++++++++
> + src/node_options.cc | 10 ++++++++++
> + src/node_options.h | 7 +++++++
> + .../test-process-env-allowed-flags-are-documented.js | 5 +++++
> + 5 files changed, 42 insertions(+)
> +
> +diff --git a/doc/api/cli.md b/doc/api/cli.md
> +index 74057706bf8d..608b9cdeddf1 100644
> +--- a/doc/api/cli.md
> ++++ b/doc/api/cli.md
> +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
> + used to enable FIPS-compliant crypto if Node.js is built
> + against FIPS-enabled OpenSSL.
> +
> ++### `--openssl-legacy-provider`
> ++<!-- YAML
> ++added: REPLACEME
> ++-->
> ++
> ++Enable OpenSSL 3.0 legacy provider. For more information please see
> ++[providers readme][].
> ++
> + ### `--pending-deprecation`
> +
> + <!-- YAML
> +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
> + * `--no-warnings`
> + * `--node-memory-debug`
> + * `--openssl-config`
> ++* `--openssl-legacy-provider`
> + * `--pending-deprecation`
> + * `--policy-integrity`
> + * `--preserve-symlinks-main`
> +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
> + [emit_warning]: process.md#processemitwarningwarning-options
> + [jitless]: https://v8.dev/blog/jitless
> + [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
> ++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
> + [remote code execution]: https://www.owasp.org/index.php/Code_Injection
> + [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
> + [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
> +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
> +index 7e0c8ba3eb60..796ea3025e41 100644
> +--- a/src/crypto/crypto_util.cc
> ++++ b/src/crypto/crypto_util.cc
> +@@ -148,6 +148,16 @@ void InitCryptoOnce() {
> + }
> + #endif
> +
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ // --openssl-legacy-provider
> ++ if (per_process::cli_options->openssl_legacy_provider) {
> ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
> ++ if (legacy_provider == nullptr) {
> ++ fprintf(stderr, "Unable to load legacy provider.\n");
> ++ }
> ++ }
> ++#endif
> ++
> + OPENSSL_init_ssl(0, settings);
> + OPENSSL_INIT_free(settings);
> + settings = nullptr;
> +diff --git a/src/node_options.cc b/src/node_options.cc
> +index 00bdc6688a4c..3363860919a9 100644
> +--- a/src/node_options.cc
> ++++ b/src/node_options.cc
> +@@ -4,6 +4,9 @@
> + #include "env-inl.h"
> + #include "node_binding.h"
> + #include "node_internals.h"
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> +
> + #include <errno.h>
> + #include <sstream>
> +diff --git a/src/node_options.h b/src/node_options.h
> +index fd772478d04d..1c0e018ab16f 100644
> +--- a/src/node_options.h
> ++++ b/src/node_options.h
> +@@ -11,6 +11,10 @@
> + #include "node_mutex.h"
> + #include "util.h"
> +
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> ++
> + namespace node {
> +
> + class HostPort {
> +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
> + bool enable_fips_crypto = false;
> + bool force_fips_crypto = false;
> + #endif
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ bool openssl_legacy_provider = false;
> ++#endif
> +
> + // Per-process because reports can be triggered outside a known V8 context.
> + bool report_on_fatalerror = false;
> +diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +index 64626b71f019..8a4e35997907 100644
> +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
> ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
> + }
> + }
> +
> ++if (!common.hasOpenSSL3) {
> ++ documented.delete('--openssl-legacy-provider');
> ++}
> ++
> + // Filter out options that are conditionally present.
> + const conditionalOpts = [
> + {
> +@@ -50,6 +54,7 @@ const conditionalOpts = [
> + filter: (opt) => {
> + return [
> + '--openssl-config',
> ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
> + '--tls-cipher-list',
> + '--use-bundled-ca',
> + '--use-openssl-ca',
> +
> diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> index 9514ec499..7b9644ec8 100644
> --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> @@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
> file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
> file://0002-Install-both-binaries-and-use-libdir.patch \
> file://0004-v8-don-t-override-ARM-CFLAGS.patch \
> + file://0005-add-openssl-legacy-provider-option.patch \
> file://big-endian.patch \
> file://mips-less-memory.patch \
> file://system-c-ares.patch \
>
>
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
From: Khem Raj @ 2022-03-08 18:01 UTC (permalink / raw)
To: akuster808
Cc: Andrej Valek, openembeded-devel, Zoltán Böszörményi
On Sat, Mar 5, 2022 at 11:47 AM akuster808 <akuster808@gmail.com> wrote:
>
>
>
> On 3/5/22 05:16, Andrej Valek wrote:
> > Current nodejs version v16 does not fully support new OpenSSL, so add option
> > to use legacy provider.
> >
> > | opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
> > | library: 'digital envelope routines',
> > | reason: 'unsupported',
> > | code: 'ERR_OSSL_EVP_UNSUPPORTED'
> >
> > It was blindly removed by upgrade to 16.14.0 version
> >
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> > ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
> > .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
> > 2 files changed, 152 insertions(+)
> > create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> >
> > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> > new file mode 100644
> > index 000000000..5af6c6114
> > --- /dev/null
> > +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> > @@ -0,0 +1,151 @@
> > +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
> > +From: Daniel Bevenius <daniel.bevenius@gmail.com>
> > +Date: Sat, 16 Oct 2021 08:50:16 +0200
> > +Subject: [PATCH] src: add --openssl-legacy-provider option
> > +
> > +This commit adds an option to Node.js named --openssl-legacy-provider
> > +and if specified will load OpenSSL 3.0 Legacy provider.
> > +
> > +$ ./node --help
> > +...
> > +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
> > +
> > +Example usage:
> > +
> > +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
> > +Hash {
> > + _options: undefined,
> > + [Symbol(kHandle)]: Hash {},
> > + [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> > +}
> > +
> > +Co-authored-by: Richard Lau <rlau@redhat.com>
> > +
> > +Refs: https://github.com/nodejs/node/issues/40455
>
> The patch itself is missing:
>
> Signed-off-by: "you"
> Upstream-Status: (see
> https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines)
>
right, this time I have addressed this myself for once.
>
> > +---
> > + doc/api/cli.md | 10 ++++++++++
> > + src/crypto/crypto_util.cc | 10 ++++++++++
> > + src/node_options.cc | 10 ++++++++++
> > + src/node_options.h | 7 +++++++
> > + .../test-process-env-allowed-flags-are-documented.js | 5 +++++
> > + 5 files changed, 42 insertions(+)
> > +
> > +diff --git a/doc/api/cli.md b/doc/api/cli.md
> > +index 74057706bf8d..608b9cdeddf1 100644
> > +--- a/doc/api/cli.md
> > ++++ b/doc/api/cli.md
> > +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
> > + used to enable FIPS-compliant crypto if Node.js is built
> > + against FIPS-enabled OpenSSL.
> > +
> > ++### `--openssl-legacy-provider`
> > ++<!-- YAML
> > ++added: REPLACEME
> > ++-->
> > ++
> > ++Enable OpenSSL 3.0 legacy provider. For more information please see
> > ++[providers readme][].
> > ++
> > + ### `--pending-deprecation`
> > +
> > + <!-- YAML
> > +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
> > + * `--no-warnings`
> > + * `--node-memory-debug`
> > + * `--openssl-config`
> > ++* `--openssl-legacy-provider`
> > + * `--pending-deprecation`
> > + * `--policy-integrity`
> > + * `--preserve-symlinks-main`
> > +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
> > + [emit_warning]: process.md#processemitwarningwarning-options
> > + [jitless]: https://v8.dev/blog/jitless
> > + [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
> > ++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
> > + [remote code execution]: https://www.owasp.org/index.php/Code_Injection
> > + [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
> > + [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
> > +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
> > +index 7e0c8ba3eb60..796ea3025e41 100644
> > +--- a/src/crypto/crypto_util.cc
> > ++++ b/src/crypto/crypto_util.cc
> > +@@ -148,6 +148,16 @@ void InitCryptoOnce() {
> > + }
> > + #endif
> > +
> > ++#if OPENSSL_VERSION_MAJOR >= 3
> > ++ // --openssl-legacy-provider
> > ++ if (per_process::cli_options->openssl_legacy_provider) {
> > ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
> > ++ if (legacy_provider == nullptr) {
> > ++ fprintf(stderr, "Unable to load legacy provider.\n");
> > ++ }
> > ++ }
> > ++#endif
> > ++
> > + OPENSSL_init_ssl(0, settings);
> > + OPENSSL_INIT_free(settings);
> > + settings = nullptr;
> > +diff --git a/src/node_options.cc b/src/node_options.cc
> > +index 00bdc6688a4c..3363860919a9 100644
> > +--- a/src/node_options.cc
> > ++++ b/src/node_options.cc
> > +@@ -4,6 +4,9 @@
> > + #include "env-inl.h"
> > + #include "node_binding.h"
> > + #include "node_internals.h"
> > ++#if HAVE_OPENSSL
> > ++#include "openssl/opensslv.h"
> > ++#endif
> > +
> > + #include <errno.h>
> > + #include <sstream>
> > +diff --git a/src/node_options.h b/src/node_options.h
> > +index fd772478d04d..1c0e018ab16f 100644
> > +--- a/src/node_options.h
> > ++++ b/src/node_options.h
> > +@@ -11,6 +11,10 @@
> > + #include "node_mutex.h"
> > + #include "util.h"
> > +
> > ++#if HAVE_OPENSSL
> > ++#include "openssl/opensslv.h"
> > ++#endif
> > ++
> > + namespace node {
> > +
> > + class HostPort {
> > +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
> > + bool enable_fips_crypto = false;
> > + bool force_fips_crypto = false;
> > + #endif
> > ++#if OPENSSL_VERSION_MAJOR >= 3
> > ++ bool openssl_legacy_provider = false;
> > ++#endif
> > +
> > + // Per-process because reports can be triggered outside a known V8 context.
> > + bool report_on_fatalerror = false;
> > +diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
> > +index 64626b71f019..8a4e35997907 100644
> > +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
> > ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
> > +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
> > + }
> > + }
> > +
> > ++if (!common.hasOpenSSL3) {
> > ++ documented.delete('--openssl-legacy-provider');
> > ++}
> > ++
> > + // Filter out options that are conditionally present.
> > + const conditionalOpts = [
> > + {
> > +@@ -50,6 +54,7 @@ const conditionalOpts = [
> > + filter: (opt) => {
> > + return [
> > + '--openssl-config',
> > ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
> > + '--tls-cipher-list',
> > + '--use-bundled-ca',
> > + '--use-openssl-ca',
> > +
> > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > index 9514ec499..7b9644ec8 100644
> > --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > @@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
> > file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
> > file://0002-Install-both-binaries-and-use-libdir.patch \
> > file://0004-v8-don-t-override-ARM-CFLAGS.patch \
> > + file://0005-add-openssl-legacy-provider-option.patch \
> > file://big-endian.patch \
> > file://mips-less-memory.patch \
> > file://system-c-ares.patch \
> >
> >
>
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
From: Martin Jansa @ 2022-04-26 12:37 UTC (permalink / raw)
To: Andrej Valek; +Cc: openembedded-devel, raj.khem, zboszor
Hi,
does this work correctly for you with nodejs-native?
Here it fails to load legacy module:
recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
Unable to load legacy provider.
node:internal/crypto/hash:67
this[kHandle] = new _Hash(algorithm, xofLen);
^
Error: error:12800067:DSO support routines::could not load the shared library
at new Hash (node:internal/crypto/hash:67:19)
at Object.createHash (node:crypto:130:10)
at [eval]:1:8
at Script.runInThisContext (node:vm:129:12)
at Object.runInThisContext (node:vm:305:38)
at node:internal/process/execution:76:19
at [eval]-wrapper:6:22
at evalScript (node:internal/process/execution:75:60)
at node:internal/main/eval_string:27:3 {
opensslErrorStack: [
'error:03000086:digital envelope routines::initialization error',
'error:0308010C:digital envelope routines::unsupported',
'error:078C0105:common libcrypto routines::init fail',
'error:12800067:DSO support routines::could not load the shared library'
],
library: 'DSO support routines',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
With LD_DEBUG I've found that it is trying to load legacy.so from the
openssl-native WORKDIR
(work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so),
which is already removed by rm_work, and as a workaround I need to
set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and
then it works:
OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
Hash {
_options: undefined,
[Symbol(kHandle)]: Hash {},
[Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek <andrej.valek@siemens.com>
wrote:
> Current nodejs version v16 does not fully support new OpenSSL, so add
> option
> to use legacy provider.
>
> | opensslErrorStack: [ 'error:03000086:digital envelope
> routines::initialization error' ],
> | library: 'digital envelope routines',
> | reason: 'unsupported',
> | code: 'ERR_OSSL_EVP_UNSUPPORTED'
>
> It was blindly removed by upgrade to 16.14.0 version
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
> .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
> 2 files changed, 152 insertions(+)
> create mode 100644
> meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
>
> diff --git
> a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> new file mode 100644
> index 000000000..5af6c6114
> --- /dev/null
> +++
> b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> @@ -0,0 +1,151 @@
> +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
> +From: Daniel Bevenius <daniel.bevenius@gmail.com>
> +Date: Sat, 16 Oct 2021 08:50:16 +0200
> +Subject: [PATCH] src: add --openssl-legacy-provider option
> +
> +This commit adds an option to Node.js named --openssl-legacy-provider
> +and if specified will load OpenSSL 3.0 Legacy provider.
> +
> +$ ./node --help
> +...
> +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
> +
> +Example usage:
> +
> +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
> +Hash {
> + _options: undefined,
> + [Symbol(kHandle)]: Hash {},
> + [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> +}
> +
> +Co-authored-by: Richard Lau <rlau@redhat.com>
> +
> +Refs: https://github.com/nodejs/node/issues/40455
> +---
> + doc/api/cli.md | 10 ++++++++++
> + src/crypto/crypto_util.cc | 10 ++++++++++
> + src/node_options.cc | 10 ++++++++++
> + src/node_options.h | 7 +++++++
> + .../test-process-env-allowed-flags-are-documented.js | 5 +++++
> + 5 files changed, 42 insertions(+)
> +
> +diff --git a/doc/api/cli.md b/doc/api/cli.md
> +index 74057706bf8d..608b9cdeddf1 100644
> +--- a/doc/api/cli.md
> ++++ b/doc/api/cli.md
> +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among
> other uses, this can be
> + used to enable FIPS-compliant crypto if Node.js is built
> + against FIPS-enabled OpenSSL.
> +
> ++### `--openssl-legacy-provider`
> ++<!-- YAML
> ++added: REPLACEME
> ++-->
> ++
> ++Enable OpenSSL 3.0 legacy provider. For more information please see
> ++[providers readme][].
> ++
> + ### `--pending-deprecation`
> +
> + <!-- YAML
> +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
> + * `--no-warnings`
> + * `--node-memory-debug`
> + * `--openssl-config`
> ++* `--openssl-legacy-provider`
> + * `--pending-deprecation`
> + * `--policy-integrity`
> + * `--preserve-symlinks-main`
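Review bot: Adding `--openssl-legacy-provider` to the list under "Node.js options that are allowed are:" means the provider can be switched on through the environment (the thread does exactly that with NODE_OPTIONS="--openssl-legacy-provider"), so every Node process inheriting that environment gets the legacy algorithms, not only the one that needs them. The new cli.md entry should say this, and should name what the provider brings back (the commit message's own example is MD4), so integrators scope the setting to the recipe or task that requires it.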
> +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
> + [emit_warning]: process.md#processemitwarningwarning-options
> + [jitless]: https://v8.dev/blog/jitless
> + [libuv threadpool documentation]:
> https://docs.libuv.org/en/latest/threadpool.html
> ++[providers readme]:
> https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
> + [remote code execution]: https://www.owasp.org/index.php/Code_Injection
> + [security warning]:
> #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
> + [timezone IDs]:
> https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
> +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
> +index 7e0c8ba3eb60..796ea3025e41 100644
> +--- a/src/crypto/crypto_util.cc
> ++++ b/src/crypto/crypto_util.cc
> +@@ -148,6 +148,16 @@ void InitCryptoOnce() {
> + }
> + #endif
> +
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ // --openssl-legacy-provider
> ++ if (per_process::cli_options->openssl_legacy_provider) {
> ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr,
> "legacy");
> ++ if (legacy_provider == nullptr) {
> ++ fprintf(stderr, "Unable to load legacy provider.\n");
> ++ }
> ++ }
> ++#endif
> ++
> + OPENSSL_init_ssl(0, settings);
> + OPENSSL_INIT_free(settings);
> + settings = nullptr;
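Review bot: In InitCryptoOnce(), a NULL return from OSSL_PROVIDER_load(nullptr, "legacy") is only reported as "Unable to load legacy provider." and startup continues, so the actual cause appears later, at the first use of a legacy algorithm, as in the ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY trace reported in this thread. Consider printing the OpenSSL error queue at this point (for example ERR_print_errors_fp(stderr)) and mentioning OPENSSL_MODULES in the message, so the path that could not be opened is visible where the load fails. A comment stating that continuing without the provider is intentional would also help.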
> +diff --git a/src/node_options.cc b/src/node_options.cc
> +index 00bdc6688a4c..3363860919a9 100644
> +--- a/src/node_options.cc
> ++++ b/src/node_options.cc
> +@@ -4,6 +4,9 @@
> + #include "env-inl.h"
> + #include "node_binding.h"
> + #include "node_internals.h"
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> +
> + #include <errno.h>
> + #include <sstream>
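Review bot: The embedded patch's diffstat lists 10 insertions for src/node_options.cc and 42 in total, but the only hunk for this file adds the three-line opensslv.h include, and the visible hunks add up to 35 lines. No hunk registers `--openssl-legacy-provider` or ties it to the openssl_legacy_provider member added in src/node_options.h, so please confirm whether 16.14.0 already carries that part and say so in the commit message, or restore the missing hunk. The diffstat should be regenerated either way so it matches what is applied.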
> +diff --git a/src/node_options.h b/src/node_options.h
> +index fd772478d04d..1c0e018ab16f 100644
> +--- a/src/node_options.h
> ++++ b/src/node_options.h
> +@@ -11,6 +11,10 @@
> + #include "node_mutex.h"
> + #include "util.h"
> +
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> ++
> + namespace node {
> +
> + class HostPort {
> +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
> + bool enable_fips_crypto = false;
> + bool force_fips_crypto = false;
> + #endif
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ bool openssl_legacy_provider = false;
> ++#endif
> +
> + // Per-process because reports can be triggered outside a known V8
> context.
> + bool report_on_fatalerror = false;
> +diff --git
> a/test/parallel/test-process-env-allowed-flags-are-documented.js
> b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +index 64626b71f019..8a4e35997907 100644
> +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
> ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines,
> ...v8OptionsLines]) {
> + }
> + }
> +
> ++if (!common.hasOpenSSL3) {
> ++ documented.delete('--openssl-legacy-provider');
> ++}
> ++
> + // Filter out options that are conditionally present.
> + const conditionalOpts = [
> + {
> +@@ -50,6 +54,7 @@ const conditionalOpts = [
> + filter: (opt) => {
> + return [
> + '--openssl-config',
> ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
> + '--tls-cipher-list',
> + '--use-bundled-ca',
> + '--use-openssl-ca',
> +
> diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> index 9514ec499..7b9644ec8 100644
> --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> @@ -20,6 +20,7 @@ SRC_URI = "
> http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
> file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
> file://0002-Install-both-binaries-and-use-libdir.patch \
> file://0004-v8-don-t-override-ARM-CFLAGS.patch \
> + file://0005-add-openssl-legacy-provider-option.patch \
> file://big-endian.patch \
> file://mips-less-memory.patch \
> file://system-c-ares.patch \
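Review bot: Nothing accompanies the new SRC_URI entry to make the legacy module findable for nodejs-native. As reported in this thread, the native binary looks for legacy.so under the openssl-native WORKDIR, which rm_work has already removed, so the flag fails unless the caller sets OPENSSL_MODULES. Either document that native consumers must export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules", or provide an opt-in variable in the npm class that sets it together with NODE_OPTIONS only for the recipes that need the legacy provider.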
> --
> 2.34.1
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 12974 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
2022-04-26 12:37 ` Martin Jansa
@ 2022-04-26 12:45 ` Valek, Andrej
2022-04-26 12:59 ` Martin Jansa
0 siblings, 1 reply; 9+ messages in thread
From: Valek, Andrej @ 2022-04-26 12:45 UTC (permalink / raw)
To: martin.jansa; +Cc: raj.khem, openembedded-devel, zboszor
[-- Attachment #1: Type: text/plain, Size: 9724 bytes --]
Hi,
Of course, that is working. But if you're going to use --openssl-legacy-provider, you should have the legacy libraries in the library loading path already. The other option is to manually set the variables in npm-class like:
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
export NODE_OPTIONS="--openssl-legacy-provider"
Regards,
Andrej
On Tue, 2022-04-26 at 14:37 +0200, Martin Jansa wrote:
Hi,
does this work correctly for you with nodejs-native?
Here it fails to load legacy module:
recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
Unable to load legacy provider.
node:internal/crypto/hash:67
this[kHandle] = new _Hash(algorithm, xofLen);
^
Error: error:12800067:DSO support routines::could not load the shared library
at new Hash (node:internal/crypto/hash:67:19)
at Object.createHash (node:crypto:130:10)
at [eval]:1:8
at Script.runInThisContext (node:vm:129:12)
at Object.runInThisContext (node:vm:305:38)
at node:internal/process/execution:76:19
at [eval]-wrapper:6:22
at evalScript (node:internal/process/execution:75:60)
at node:internal/main/eval_string:27:3 {
opensslErrorStack: [
'error:03000086:digital envelope routines::initialization error',
'error:0308010C:digital envelope routines::unsupported',
'error:078C0105:common libcrypto routines::init fail',
'error:12800067:DSO support routines::could not load the shared library'
],
library: 'DSO support routines',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
with LD_DEBUG I've found that it is trying to load legacy.so from openssl-native WORKDIR (work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so) which is already removed by rm_work and as work around I need to set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and then it works:
OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
Hash {
_options: undefined,
[Symbol(kHandle)]: Hash {},
[Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek <andrej.valek@siemens.com> wrote:
Current nodejs version v16 does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
It was blindly removed by upgrade to 16.14.0 version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
2 files changed, 152 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
new file mode 100644
index 000000000..5af6c6114
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
@@ -0,0 +1,151 @@
+From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com<mailto:daniel.bevenius@gmail.com>>
+Date: Sat, 16 Oct 2021 08:50:16 +0200
+Subject: [PATCH] src: add --openssl-legacy-provider option
+
+This commit adds an option to Node.js named --openssl-legacy-provider
+and if specified will load OpenSSL 3.0 Legacy provider.
+
+$ ./node --help
+...
+--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
+
+Example usage:
+
+$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
+Hash {
+ _options: undefined,
+ [Symbol(kHandle)]: Hash {},
+ [Symbol(kState)]: { [Symbol(kFinalized)]: false }
+}
+
+Co-authored-by: Richard Lau <rlau@redhat.com<mailto:rlau@redhat.com>>
+
+Refs: https://github.com/nodejs/node/issues/40455
+---
+ doc/api/cli.md | 10 ++++++++++
+ src/crypto/crypto_util.cc | 10 ++++++++++
+ src/node_options.cc | 10 ++++++++++
+ src/node_options.h | 7 +++++++
+ .../test-process-env-allowed-flags-are-documented.js | 5 +++++
+ 5 files changed, 42 insertions(+)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 74057706bf8d..608b9cdeddf1 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
+ used to enable FIPS-compliant crypto if Node.js is built
+ against FIPS-enabled OpenSSL.
+
++### `--openssl-legacy-provider`
++<!-- YAML
++added: REPLACEME
++-->
++
++Enable OpenSSL 3.0 legacy provider. For more information please see
++[providers readme][].
++
+ ### `--pending-deprecation`
+
+ <!-- YAML
+@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
+ * `--no-warnings`
+ * `--node-memory-debug`
+ * `--openssl-config`
++* `--openssl-legacy-provider`
+ * `--pending-deprecation`
+ * `--policy-integrity`
+ * `--preserve-symlinks-main`
+@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
+ [emit_warning]: process.md#processemitwarningwarning-options
+ [jitless]: https://v8.dev/blog/jitless
+ [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
+ [remote code execution]: https://www.owasp.org/index.php/Code_Injection
+ [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
+ [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 7e0c8ba3eb60..796ea3025e41 100644
+--- a/src/crypto/crypto_util.cc
++++ b/src/crypto/crypto_util.cc
+@@ -148,6 +148,16 @@ void InitCryptoOnce() {
+ }
+ #endif
+
++#if OPENSSL_VERSION_MAJOR >= 3
++ // --openssl-legacy-provider
++ if (per_process::cli_options->openssl_legacy_provider) {
++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
++ if (legacy_provider == nullptr) {
++ fprintf(stderr, "Unable to load legacy provider.\n");
++ }
++ }
++#endif
++
+ OPENSSL_init_ssl(0, settings);
+ OPENSSL_INIT_free(settings);
+ settings = nullptr;
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 00bdc6688a4c..3363860919a9 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -4,6 +4,9 @@
+ #include "env-inl.h"
+ #include "node_binding.h"
+ #include "node_internals.h"
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
+
+ #include <errno.h>
+ #include <sstream>
+diff --git a/src/node_options.h b/src/node_options.h
+index fd772478d04d..1c0e018ab16f 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -11,6 +11,10 @@
+ #include "node_mutex.h"
+ #include "util.h"
+
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
++
+ namespace node {
+
+ class HostPort {
+@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+ #endif
++#if OPENSSL_VERSION_MAJOR >= 3
++ bool openssl_legacy_provider = false;
++#endif
+
+ // Per-process because reports can be triggered outside a known V8 context.
+ bool report_on_fatalerror = false;
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 64626b71f019..8a4e35997907 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
+ }
+ }
+
++if (!common.hasOpenSSL3) {
++ documented.delete('--openssl-legacy-provider');
++}
++
+ // Filter out options that are conditionally present.
+ const conditionalOpts = [
+ {
+@@ -50,6 +54,7 @@ const conditionalOpts = [
+ filter: (opt) => {
+ return [
+ '--openssl-config',
++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
+ '--tls-cipher-list',
+ '--use-bundled-ca',
+ '--use-openssl-ca',
+
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb> b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb>
index 9514ec499..7b9644ec8 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb>
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb>
@@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz<http://nodejs.org/dist/v$%7BPV%7D/node-v$%7BPV%7D.tar.xz> \
file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
file://0002-Install-both-binaries-and-use-libdir.patch \
file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://0005-add-openssl-legacy-provider-option.patch \
file://big-endian.patch \
file://mips-less-memory.patch \
file://system-c-ares.patch \
[-- Attachment #2: Type: text/html, Size: 14384 bytes --]
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
2022-04-26 12:45 ` Valek, Andrej
@ 2022-04-26 12:59 ` Martin Jansa
2022-04-27 6:11 ` Valek, Andrej
0 siblings, 1 reply; 9+ messages in thread
From: Martin Jansa @ 2022-04-26 12:59 UTC (permalink / raw)
To: Valek, Andrej; +Cc: raj.khem, openembedded-devel, zboszor
[-- Attachment #1: Type: text/plain, Size: 10239 bytes --]
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
export NODE_OPTIONS="--openssl-legacy-provider"
is what I'm doing in recipes which need it now.
> you should have a legacy libraries in library loading path already
here it tries to load it from openssl-native WORKDIR which is already
removed, maybe that works on target (there I was assuming you were
initially testing this), but in native case I need to explicitly set
OPENSSL_MODULES.
On Tue, Apr 26, 2022 at 2:45 PM Valek, Andrej <andrej.valek@siemens.com>
wrote:
> Hi,
>
> of course, that i working. But if you're going to use
> --openssl-legacy-provider, you should have a legacy libraries in library
> loading path already. Other option is manually set variables in npm-class
> like:
>
> export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> export NODE_OPTIONS="--openssl-legacy-provider"
>
>
> Regards,
> Andrej
>
> On Tue, 2022-04-26 at 14:37 +0200, Martin Jansa wrote:
>
> Hi,
>
> does this work correctly for you with nodejs-native?
>
> Here it fails to load legacy module:
> recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")'
> --openssl-legacy-provider
> Unable to load legacy provider.
> node:internal/crypto/hash:67
> this[kHandle] = new _Hash(algorithm, xofLen);
> ^
>
> Error: error:12800067:DSO support routines::could not load the shared
> library
> at new Hash (node:internal/crypto/hash:67:19)
> at Object.createHash (node:crypto:130:10)
> at [eval]:1:8
> at Script.runInThisContext (node:vm:129:12)
> at Object.runInThisContext (node:vm:305:38)
> at node:internal/process/execution:76:19
> at [eval]-wrapper:6:22
> at evalScript (node:internal/process/execution:75:60)
> at node:internal/main/eval_string:27:3 {
> opensslErrorStack: [
> 'error:03000086:digital envelope routines::initialization error',
> 'error:0308010C:digital envelope routines::unsupported',
> 'error:078C0105:common libcrypto routines::init fail',
> 'error:12800067:DSO support routines::could not load the shared
> library'
> ],
> library: 'DSO support routines',
> reason: 'could not load the shared library',
> code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
> }
>
> with LD_DEBUG I've found that it is trying to load legacy.so from
> openssl-native WORKDIR
> (work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so)
> which is already removed by rm_work and as work around I need to
> set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and
> then it works:
>
> OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/
> recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")'
> --openssl-legacy-provider
> Hash {
> _options: undefined,
> [Symbol(kHandle)]: Hash {},
> [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> }
>
> On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek <andrej.valek@siemens.com>
> wrote:
>
> Current nodejs version v16 does not fully support new OpenSSL, so add
> option
> to use legacy provider.
>
> | opensslErrorStack: [ 'error:03000086:digital envelope
> routines::initialization error' ],
> | library: 'digital envelope routines',
> | reason: 'unsupported',
> | code: 'ERR_OSSL_EVP_UNSUPPORTED'
>
> It was blindly removed by upgrade to 16.14.0 version
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
> .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
> 2 files changed, 152 insertions(+)
> create mode 100644
> meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
>
> diff --git
> a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> new file mode 100644
> index 000000000..5af6c6114
> --- /dev/null
> +++
> b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> @@ -0,0 +1,151 @@
> +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
> +From: Daniel Bevenius <daniel.bevenius@gmail.com>
> +Date: Sat, 16 Oct 2021 08:50:16 +0200
> +Subject: [PATCH] src: add --openssl-legacy-provider option
> +
> +This commit adds an option to Node.js named --openssl-legacy-provider
> +and if specified will load OpenSSL 3.0 Legacy provider.
> +
> +$ ./node --help
> +...
> +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
> +
> +Example usage:
> +
> +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
> +Hash {
> + _options: undefined,
> + [Symbol(kHandle)]: Hash {},
> + [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> +}
> +
> +Co-authored-by: Richard Lau <rlau@redhat.com>
> +
> +Refs: https://github.com/nodejs/node/issues/40455
> +---
> + doc/api/cli.md | 10 ++++++++++
> + src/crypto/crypto_util.cc | 10 ++++++++++
> + src/node_options.cc | 10 ++++++++++
> + src/node_options.h | 7 +++++++
> + .../test-process-env-allowed-flags-are-documented.js | 5 +++++
> + 5 files changed, 42 insertions(+)
> +
> +diff --git a/doc/api/cli.md b/doc/api/cli.md
> +index 74057706bf8d..608b9cdeddf1 100644
> +--- a/doc/api/cli.md
> ++++ b/doc/api/cli.md
> +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among
> other uses, this can be
> + used to enable FIPS-compliant crypto if Node.js is built
> + against FIPS-enabled OpenSSL.
> +
> ++### `--openssl-legacy-provider`
> ++<!-- YAML
> ++added: REPLACEME
> ++-->
> ++
> ++Enable OpenSSL 3.0 legacy provider. For more information please see
> ++[providers readme][].
> ++
> + ### `--pending-deprecation`
> +
> + <!-- YAML
> +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
> + * `--no-warnings`
> + * `--node-memory-debug`
> + * `--openssl-config`
> ++* `--openssl-legacy-provider`
> + * `--pending-deprecation`
> + * `--policy-integrity`
> + * `--preserve-symlinks-main`
> +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
> + [emit_warning]: process.md#processemitwarningwarning-options
> + [jitless]: https://v8.dev/blog/jitless
> + [libuv threadpool documentation]:
> https://docs.libuv.org/en/latest/threadpool.html
> ++[providers readme]:
> https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
> + [remote code execution]: https://www.owasp.org/index.php/Code_Injection
> + [security warning]:
> #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
> + [timezone IDs]:
> https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
> +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
> +index 7e0c8ba3eb60..796ea3025e41 100644
> +--- a/src/crypto/crypto_util.cc
> ++++ b/src/crypto/crypto_util.cc
> +@@ -148,6 +148,16 @@ void InitCryptoOnce() {
> + }
> + #endif
> +
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ // --openssl-legacy-provider
> ++ if (per_process::cli_options->openssl_legacy_provider) {
> ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr,
> "legacy");
> ++ if (legacy_provider == nullptr) {
> ++ fprintf(stderr, "Unable to load legacy provider.\n");
> ++ }
> ++ }
> ++#endif
> ++
> + OPENSSL_init_ssl(0, settings);
> + OPENSSL_INIT_free(settings);
> + settings = nullptr;
> +diff --git a/src/node_options.cc b/src/node_options.cc
> +index 00bdc6688a4c..3363860919a9 100644
> +--- a/src/node_options.cc
> ++++ b/src/node_options.cc
> +@@ -4,6 +4,9 @@
> + #include "env-inl.h"
> + #include "node_binding.h"
> + #include "node_internals.h"
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> +
> + #include <errno.h>
> + #include <sstream>
> +diff --git a/src/node_options.h b/src/node_options.h
> +index fd772478d04d..1c0e018ab16f 100644
> +--- a/src/node_options.h
> ++++ b/src/node_options.h
> +@@ -11,6 +11,10 @@
> + #include "node_mutex.h"
> + #include "util.h"
> +
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> ++
> + namespace node {
> +
> + class HostPort {
> +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
> + bool enable_fips_crypto = false;
> + bool force_fips_crypto = false;
> + #endif
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ bool openssl_legacy_provider = false;
> ++#endif
> +
> + // Per-process because reports can be triggered outside a known V8
> context.
> + bool report_on_fatalerror = false;
> +diff --git
> a/test/parallel/test-process-env-allowed-flags-are-documented.js
> b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +index 64626b71f019..8a4e35997907 100644
> +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
> ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines,
> ...v8OptionsLines]) {
> + }
> + }
> +
> ++if (!common.hasOpenSSL3) {
> ++ documented.delete('--openssl-legacy-provider');
> ++}
> ++
> + // Filter out options that are conditionally present.
> + const conditionalOpts = [
> + {
> +@@ -50,6 +54,7 @@ const conditionalOpts = [
> + filter: (opt) => {
> + return [
> + '--openssl-config',
> ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
> + '--tls-cipher-list',
> + '--use-bundled-ca',
> + '--use-openssl-ca',
> +
> diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> index 9514ec499..7b9644ec8 100644
> --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> @@ -20,6 +20,7 @@ SRC_URI = "
> http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
> file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
> file://0002-Install-both-binaries-and-use-libdir.patch \
> file://0004-v8-don-t-override-ARM-CFLAGS.patch \
> + file://0005-add-openssl-legacy-provider-option.patch \
> file://big-endian.patch \
> file://mips-less-memory.patch \
> file://system-c-ares.patch \
>
>
>
[-- Attachment #2: Type: text/html, Size: 14363 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
2022-04-26 12:59 ` Martin Jansa
@ 2022-04-27 6:11 ` Valek, Andrej
2022-04-27 6:20 ` Martin Jansa
0 siblings, 1 reply; 9+ messages in thread
From: Valek, Andrej @ 2022-04-27 6:11 UTC (permalink / raw)
To: martin.jansa; +Cc: raj.khem, openembedded-devel, zboszor
[-- Attachment #1: Type: text/plain, Size: 10461 bytes --]
Maybe you can try to add it into the global npm class with some enabling variable.
Cheers,
Andrej
On Tue, 2022-04-26 at 14:59 +0200, Martin Jansa wrote:
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
export NODE_OPTIONS="--openssl-legacy-provider"
is what I'm doing in recipes which need it now.
> you should have a legacy libraries in library loading path already
here it tries to load it from openssl-native WORKDIR which is already removed, maybe that works on target (there I was assuming you were initially testing this), but in native case I need to explicitly set OPENSSL_MODULES.
On Tue, Apr 26, 2022 at 2:45 PM Valek, Andrej <andrej.valek@siemens.com> wrote:
Hi,
of course, that i working. But if you're going to use --openssl-legacy-provider, you should have a legacy libraries in library loading path already. Other option is manually set variables in npm-class like:
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
export NODE_OPTIONS="--openssl-legacy-provider"
Regards,
Andrej
On Tue, 2022-04-26 at 14:37 +0200, Martin Jansa wrote:
Hi,
does this work correctly for you with nodejs-native?
Here it fails to load legacy module:
recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
Unable to load legacy provider.
node:internal/crypto/hash:67
this[kHandle] = new _Hash(algorithm, xofLen);
^
Error: error:12800067:DSO support routines::could not load the shared library
at new Hash (node:internal/crypto/hash:67:19)
at Object.createHash (node:crypto:130:10)
at [eval]:1:8
at Script.runInThisContext (node:vm:129:12)
at Object.runInThisContext (node:vm:305:38)
at node:internal/process/execution:76:19
at [eval]-wrapper:6:22
at evalScript (node:internal/process/execution:75:60)
at node:internal/main/eval_string:27:3 {
opensslErrorStack: [
'error:03000086:digital envelope routines::initialization error',
'error:0308010C:digital envelope routines::unsupported',
'error:078C0105:common libcrypto routines::init fail',
'error:12800067:DSO support routines::could not load the shared library'
],
library: 'DSO support routines',
reason: 'could not load the shared library',
code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
}
with LD_DEBUG I've found that it is trying to load legacy.so from openssl-native WORKDIR (work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so) which is already removed by rm_work and as work around I need to set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and then it works:
OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
Hash {
_options: undefined,
[Symbol(kHandle)]: Hash {},
[Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek <andrej.valek@siemens.com> wrote:
Current nodejs version v16 does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
It was blindly removed by upgrade to 16.14.0 version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
2 files changed, 152 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
new file mode 100644
index 000000000..5af6c6114
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
@@ -0,0 +1,151 @@
+From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com<mailto:daniel.bevenius@gmail.com>>
+Date: Sat, 16 Oct 2021 08:50:16 +0200
+Subject: [PATCH] src: add --openssl-legacy-provider option
+
+This commit adds an option to Node.js named --openssl-legacy-provider
+and if specified will load OpenSSL 3.0 Legacy provider.
+
+$ ./node --help
+...
+--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
+
+Example usage:
+
+$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
+Hash {
+ _options: undefined,
+ [Symbol(kHandle)]: Hash {},
+ [Symbol(kState)]: { [Symbol(kFinalized)]: false }
+}
+
+Co-authored-by: Richard Lau <rlau@redhat.com<mailto:rlau@redhat.com>>
+
+Refs: https://github.com/nodejs/node/issues/40455
+---
+ doc/api/cli.md | 10 ++++++++++
+ src/crypto/crypto_util.cc | 10 ++++++++++
+ src/node_options.cc | 10 ++++++++++
+ src/node_options.h | 7 +++++++
+ .../test-process-env-allowed-flags-are-documented.js | 5 +++++
+ 5 files changed, 42 insertions(+)
+
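Review bot: the header of the embedded 0005 patch has no Upstream-Status: line, which OpenEmbedded expects on every patch carried in a layer. The From, Date and Refs lines show the change was taken from the Node.js project, so an "Upstream-Status: Backport" entry with a reference to the upstream commit belongs above the "---" separator.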
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 74057706bf8d..608b9cdeddf1 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
+ used to enable FIPS-compliant crypto if Node.js is built
+ against FIPS-enabled OpenSSL.
+
++### `--openssl-legacy-provider`
++<!-- YAML
++added: REPLACEME
++-->
++
++Enable OpenSSL 3.0 legacy provider. For more information please see
++[providers readme][].
++
+ ### `--pending-deprecation`
+
+ <!-- YAML
+@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
+ * `--no-warnings`
+ * `--node-memory-debug`
+ * `--openssl-config`
++* `--openssl-legacy-provider`
+ * `--pending-deprecation`
+ * `--policy-integrity`
+ * `--preserve-symlinks-main`
+@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
+ [emit_warning]: process.md#processemitwarningwarning-options
+ [jitless]: https://v8.dev/blog/jitless
+ [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
+ [remote code execution]: https://www.owasp.org/index.php/Code_Injection
+ [security warning]: #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
+ [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 7e0c8ba3eb60..796ea3025e41 100644
+--- a/src/crypto/crypto_util.cc
++++ b/src/crypto/crypto_util.cc
+@@ -148,6 +148,16 @@ void InitCryptoOnce() {
+ }
+ #endif
+
++#if OPENSSL_VERSION_MAJOR >= 3
++ // --openssl-legacy-provider
++ if (per_process::cli_options->openssl_legacy_provider) {
++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
++ if (legacy_provider == nullptr) {
++ fprintf(stderr, "Unable to load legacy provider.\n");
++ }
++ }
++#endif
++
+ OPENSSL_init_ssl(0, settings);
+ OPENSSL_INIT_free(settings);
+ settings = nullptr;
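Review bot: in the InitCryptoOnce() addition, a failed OSSL_PROVIDER_load(nullptr, "legacy") only prints "Unable to load legacy provider." and startup carries on, so the actual cause shows up later as a createHash exception, exactly as in the nodejs-native trace in this thread. Printing the OpenSSL error queue at this point (for example with ERR_print_errors_fp(stderr)) would report the DSO load failure where it happens. It is also worth deciding whether continuing without a provider the user explicitly asked for is the intended behaviour.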
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 00bdc6688a4c..3363860919a9 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -4,6 +4,9 @@
+ #include "env-inl.h"
+ #include "node_binding.h"
+ #include "node_internals.h"
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
+
+ #include <errno.h>
+ #include <sstream>
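Review bot: this hunk adds only the opensslv.h include to src/node_options.cc, while the patch's own diffstat lists 10 insertions for that file and 42 in total; the hunks as posted add 35. Nothing in the patch connects the --openssl-legacy-provider command-line option to the openssl_legacy_provider field that crypto_util.cc reads, so please confirm that the 16.14.0 sources already contain that registration and regenerate the patch header so the diffstat matches the content.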
+diff --git a/src/node_options.h b/src/node_options.h
+index fd772478d04d..1c0e018ab16f 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -11,6 +11,10 @@
+ #include "node_mutex.h"
+ #include "util.h"
+
++#if HAVE_OPENSSL
++#include "openssl/opensslv.h"
++#endif
++
+ namespace node {
+
+ class HostPort {
+@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
+ bool enable_fips_crypto = false;
+ bool force_fips_crypto = false;
+ #endif
++#if OPENSSL_VERSION_MAJOR >= 3
++ bool openssl_legacy_provider = false;
++#endif
+
+ // Per-process because reports can be triggered outside a known V8 context.
+ bool report_on_fatalerror = false;
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 64626b71f019..8a4e35997907 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
+ }
+ }
+
++if (!common.hasOpenSSL3) {
++ documented.delete('--openssl-legacy-provider');
++}
++
+ // Filter out options that are conditionally present.
+ const conditionalOpts = [
+ {
+@@ -50,6 +54,7 @@ const conditionalOpts = [
+ filter: (opt) => {
+ return [
+ '--openssl-config',
++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
+ '--tls-cipher-list',
+ '--use-bundled-ca',
+ '--use-openssl-ca',
+
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb> b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb>
index 9514ec499..7b9644ec8 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb>
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb<http://nodejs_16.14.0.bb>
@@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz<http://nodejs.org/dist/v$%7BPV%7D/node-v$%7BPV%7D.tar.xz> \
file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
file://0002-Install-both-binaries-and-use-libdir.patch \
file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://0005-add-openssl-legacy-provider-option.patch \
file://big-endian.patch \
file://mips-less-memory.patch \
file://system-c-ares.patch \
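Review bot: the new file://0005-add-openssl-legacy-provider-option.patch entry is added to SRC_URI unconditionally, but nothing in the recipe helps nodejs-native locate legacy.so. Per the report in this thread, the native binary looks in the openssl-native WORKDIR, which rm_work has already removed, and only works once OPENSSL_MODULES is set by hand. Please mention that limitation in the commit message, or export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" from a shared class as discussed elsewhere in this thread.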
* Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
2022-04-27 6:11 ` Valek, Andrej
@ 2022-04-27 6:20 ` Martin Jansa
0 siblings, 0 replies; 9+ messages in thread
From: Martin Jansa @ 2022-04-27 6:20 UTC (permalink / raw)
To: Valek, Andrej; +Cc: raj.khem, openembedded-devel, zboszor
We have such a bbclass already:
https://github.com/webosose/meta-webosose/blob/master/meta-webos/classes/webos_npm_env.bbclass
but I didn't want to enable legacy providers globally, so I was adding it
only to recipes which needed it in over-optimistic hope that it will nudge
component owners to update webpack (or whatever else needed legacy) before
they get too comfortable with legacy being enabled by default.
:)
On Wed, Apr 27, 2022 at 8:11 AM Valek, Andrej <andrej.valek@siemens.com>
wrote:
> Maybe you can try to add it into global npm class with some enabling
> variable.
>
> Cheers,
> Andrej
>
> On Tue, 2022-04-26 at 14:59 +0200, Martin Jansa wrote:
>
> export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> export NODE_OPTIONS="--openssl-legacy-provider"
>
> is what I'm doing in recipes which need it now.
>
> > you should have a legacy libraries in library loading path already
>
> here it tries to load it from openssl-native WORKDIR which is already
> removed, maybe that works on target (there I was assuming you were
> initially testing this), but in native case I need to explicitly set
> OPENSSL_MODULES.
>
> On Tue, Apr 26, 2022 at 2:45 PM Valek, Andrej <andrej.valek@siemens.com>
> wrote:
>
> Hi,
>
> of course, that is working. But if you're going to use
> --openssl-legacy-provider, you should have a legacy libraries in library
> loading path already. Other option is manually set variables in npm-class
> like:
>
> export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> export NODE_OPTIONS="--openssl-legacy-provider"
>
>
> Regards,
> Andrej
>
> On Tue, 2022-04-26 at 14:37 +0200, Martin Jansa wrote:
>
> Hi,
>
> does this work correctly for you with nodejs-native?
>
> Here it fails to load legacy module:
> recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")'
> --openssl-legacy-provider
> Unable to load legacy provider.
> node:internal/crypto/hash:67
> this[kHandle] = new _Hash(algorithm, xofLen);
> ^
>
> Error: error:12800067:DSO support routines::could not load the shared
> library
> at new Hash (node:internal/crypto/hash:67:19)
> at Object.createHash (node:crypto:130:10)
> at [eval]:1:8
> at Script.runInThisContext (node:vm:129:12)
> at Object.runInThisContext (node:vm:305:38)
> at node:internal/process/execution:76:19
> at [eval]-wrapper:6:22
> at evalScript (node:internal/process/execution:75:60)
> at node:internal/main/eval_string:27:3 {
> opensslErrorStack: [
> 'error:03000086:digital envelope routines::initialization error',
> 'error:0308010C:digital envelope routines::unsupported',
> 'error:078C0105:common libcrypto routines::init fail',
> 'error:12800067:DSO support routines::could not load the shared
> library'
> ],
> library: 'DSO support routines',
> reason: 'could not load the shared library',
> code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
> }
>
> with LD_DEBUG I've found that it is trying to load legacy.so from
> openssl-native WORKDIR
> (work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so)
> which is already removed by rm_work and as work around I need to
> set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and
> then it works:
>
> OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/
> recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")'
> --openssl-legacy-provider
> Hash {
> _options: undefined,
> [Symbol(kHandle)]: Hash {},
> [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> }
>
> On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek <andrej.valek@siemens.com>
> wrote:
>
> Current nodejs version v16 does not fully support new OpenSSL, so add
> option
> to use legacy provider.
>
> | opensslErrorStack: [ 'error:03000086:digital envelope
> routines::initialization error' ],
> | library: 'digital envelope routines',
> | reason: 'unsupported',
> | code: 'ERR_OSSL_EVP_UNSUPPORTED'
>
> It was blindly removed by upgrade to 16.14.0 version
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
> .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
> 2 files changed, 152 insertions(+)
> create mode 100644
> meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
>
> diff --git
> a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> new file mode 100644
> index 000000000..5af6c6114
> --- /dev/null
> +++
> b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> @@ -0,0 +1,151 @@
> +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
> +From: Daniel Bevenius <daniel.bevenius@gmail.com>
> +Date: Sat, 16 Oct 2021 08:50:16 +0200
> +Subject: [PATCH] src: add --openssl-legacy-provider option
> +
> +This commit adds an option to Node.js named --openssl-legacy-provider
> +and if specified will load OpenSSL 3.0 Legacy provider.
> +
> +$ ./node --help
> +...
> +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
> +
> +Example usage:
> +
> +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
> +Hash {
> + _options: undefined,
> + [Symbol(kHandle)]: Hash {},
> + [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> +}
> +
> +Co-authored-by: Richard Lau <rlau@redhat.com>
> +
> +Refs: https://github.com/nodejs/node/issues/40455
> +---
> + doc/api/cli.md | 10 ++++++++++
> + src/crypto/crypto_util.cc | 10 ++++++++++
> + src/node_options.cc | 10 ++++++++++
> + src/node_options.h | 7 +++++++
> + .../test-process-env-allowed-flags-are-documented.js | 5 +++++
> + 5 files changed, 42 insertions(+)
> +
> +diff --git a/doc/api/cli.md b/doc/api/cli.md
> +index 74057706bf8d..608b9cdeddf1 100644
> +--- a/doc/api/cli.md
> ++++ b/doc/api/cli.md
> +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among
> other uses, this can be
> + used to enable FIPS-compliant crypto if Node.js is built
> + against FIPS-enabled OpenSSL.
> +
> ++### `--openssl-legacy-provider`
> ++<!-- YAML
> ++added: REPLACEME
> ++-->
> ++
> ++Enable OpenSSL 3.0 legacy provider. For more information please see
> ++[providers readme][].
> ++
> + ### `--pending-deprecation`
> +
> + <!-- YAML
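Review bot: the new --openssl-legacy-provider section still carries "added: REPLACEME", and its one-line description does not say that the legacy provider is a separate module that has to be found at run time. The nodejs-native report quoted in this message needed OPENSSL_MODULES pointed at the ossl-modules directory before the flag had any effect; a sentence to that effect, here or in the recipe, would save the next user the LD_DEBUG session.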
> +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
> + * `--no-warnings`
> + * `--node-memory-debug`
> + * `--openssl-config`
> ++* `--openssl-legacy-provider`
> + * `--pending-deprecation`
> + * `--policy-integrity`
> + * `--preserve-symlinks-main`
> +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
> + [emit_warning]: process.md#processemitwarningwarning-options
> + [jitless]: https://v8.dev/blog/jitless
> + [libuv threadpool documentation]:
> https://docs.libuv.org/en/latest/threadpool.html
> ++[providers readme]:
> https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
> + [remote code execution]: https://www.owasp.org/index.php/Code_Injection
> + [security warning]:
> #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
> + [timezone IDs]:
> https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
> +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
> +index 7e0c8ba3eb60..796ea3025e41 100644
> +--- a/src/crypto/crypto_util.cc
> ++++ b/src/crypto/crypto_util.cc
> +@@ -148,6 +148,16 @@ void InitCryptoOnce() {
> + }
> + #endif
> +
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ // --openssl-legacy-provider
> ++ if (per_process::cli_options->openssl_legacy_provider) {
> ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr,
> "legacy");
> ++ if (legacy_provider == nullptr) {
> ++ fprintf(stderr, "Unable to load legacy provider.\n");
> ++ }
> ++ }
> ++#endif
> ++
> + OPENSSL_init_ssl(0, settings);
> + OPENSSL_INIT_free(settings);
> + settings = nullptr;
> +diff --git a/src/node_options.cc b/src/node_options.cc
> +index 00bdc6688a4c..3363860919a9 100644
> +--- a/src/node_options.cc
> ++++ b/src/node_options.cc
> +@@ -4,6 +4,9 @@
> + #include "env-inl.h"
> + #include "node_binding.h"
> + #include "node_internals.h"
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> +
> + #include <errno.h>
> + #include <sstream>
> +diff --git a/src/node_options.h b/src/node_options.h
> +index fd772478d04d..1c0e018ab16f 100644
> +--- a/src/node_options.h
> ++++ b/src/node_options.h
> +@@ -11,6 +11,10 @@
> + #include "node_mutex.h"
> + #include "util.h"
> +
> ++#if HAVE_OPENSSL
> ++#include "openssl/opensslv.h"
> ++#endif
> ++
> + namespace node {
> +
> + class HostPort {
> +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
> + bool enable_fips_crypto = false;
> + bool force_fips_crypto = false;
> + #endif
> ++#if OPENSSL_VERSION_MAJOR >= 3
> ++ bool openssl_legacy_provider = false;
> ++#endif
> +
> + // Per-process because reports can be triggered outside a known V8
> context.
> + bool report_on_fatalerror = false;
> +diff --git
> a/test/parallel/test-process-env-allowed-flags-are-documented.js
> b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +index 64626b71f019..8a4e35997907 100644
> +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
> ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
> +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines,
> ...v8OptionsLines]) {
> + }
> + }
> +
> ++if (!common.hasOpenSSL3) {
> ++ documented.delete('--openssl-legacy-provider');
> ++}
> ++
> + // Filter out options that are conditionally present.
> + const conditionalOpts = [
> + {
> +@@ -50,6 +54,7 @@ const conditionalOpts = [
> + filter: (opt) => {
> + return [
> + '--openssl-config',
> ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
> + '--tls-cipher-list',
> + '--use-bundled-ca',
> + '--use-openssl-ca',
> +
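Review bot: in the filter list, common.hasOpenSSL3 ? '--openssl-legacy-provider' : '' leaves an empty-string entry in the array whenever OpenSSL 3 is absent. A conditional spread, ...(common.hasOpenSSL3 ? ['--openssl-legacy-provider'] : []), would keep the list to real option names and match the explicit documented.delete() guard added a few lines above.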
> diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> index 9514ec499..7b9644ec8 100644
> --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> @@ -20,6 +20,7 @@ SRC_URI = "
> http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
> file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
> file://0002-Install-both-binaries-and-use-libdir.patch \
> file://0004-v8-don-t-override-ARM-CFLAGS.patch \
> + file://0005-add-openssl-legacy-provider-option.patch \
> file://big-endian.patch \
> file://mips-less-memory.patch \
> file://system-c-ares.patch \
>
>
>
>
Thread overview: 9+ messages
2022-02-18 13:31 [meta-oe][PATCH] nodejs: add option to use openssl legacy providers Andrej Valek
2022-03-05 13:16 ` [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again Andrej Valek
2022-03-05 19:47 ` [oe] " akuster808
2022-03-08 18:01 ` Khem Raj
2022-04-26 12:37 ` Martin Jansa
2022-04-26 12:45 ` Valek, Andrej
2022-04-26 12:59 ` Martin Jansa
2022-04-27 6:11 ` Valek, Andrej
2022-04-27 6:20 ` Martin Jansa