From: Martin Jansa
Date: Wed, 27 Apr 2022 08:20:11 +0200
Subject: Re: [oe] [meta-oe][PATCH v2] nodejs: add option to use openssl legacy providers again
To: "Valek, Andrej"
Cc: "raj.khem@gmail.com", "openembedded-devel@lists.openembedded.org", "zboszor@gmail.com"
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/96809

We have such bbclass already:
https://github.com/webosose/meta-webosose/blob/master/meta-webos/classes/webos_npm_env.bbclass
but I didn't want to enable legacy providers globally, so I was adding it only to recipes which needed it in over-optimistic hope that it will nudge component owners to update webpack (or whatever else needed legacy) before they get too comfortable with legacy being enabled by default. :)

On Wed, Apr 27, 2022 at 8:11 AM Valek, Andrej wrote:

> Maybe you can try to add it into global npm class with some enabling variable.
>
> Cheers,
> Andrej
>
> On Tue, 2022-04-26 at 14:59 +0200, Martin Jansa wrote:
>
> export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> export NODE_OPTIONS="--openssl-legacy-provider"
>
> is what I'm doing in recipes which need it now.
>
> > you should have a legacy libraries in library loading path already
>
> here it tries to load it from openssl-native WORKDIR which is already removed, maybe that works on target (there I was assuming you were initially testing this), but in native case I need to explicitly set OPENSSL_MODULES.
>
> On Tue, Apr 26, 2022 at 2:45 PM Valek, Andrej wrote:
>
> Hi,
>
> of course, that is working.
> But if you're going to use --openssl-legacy-provider, you should have a legacy libraries in library loading path already. Other option is manually set variables in npm-class like:
>
> export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> export NODE_OPTIONS="--openssl-legacy-provider"
>
>
> Regards,
> Andrej
>
> On Tue, 2022-04-26 at 14:37 +0200, Martin Jansa wrote:
>
> Hi,
>
> does this work correctly for you with nodejs-native?
>
> Here it fails to load legacy module:
> recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
> Unable to load legacy provider.
> node:internal/crypto/hash:67
>   this[kHandle] = new _Hash(algorithm, xofLen);
>                   ^
>
> Error: error:12800067:DSO support routines::could not load the shared library
>     at new Hash (node:internal/crypto/hash:67:19)
>     at Object.createHash (node:crypto:130:10)
>     at [eval]:1:8
>     at Script.runInThisContext (node:vm:129:12)
>     at Object.runInThisContext (node:vm:305:38)
>     at node:internal/process/execution:76:19
>     at [eval]-wrapper:6:22
>     at evalScript (node:internal/process/execution:75:60)
>     at node:internal/main/eval_string:27:3 {
>   opensslErrorStack: [
>     'error:03000086:digital envelope routines::initialization error',
>     'error:0308010C:digital envelope routines::unsupported',
>     'error:078C0105:common libcrypto routines::init fail',
>     'error:12800067:DSO support routines::could not load the shared library'
>   ],
>   library: 'DSO support routines',
>   reason: 'could not load the shared library',
>   code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY'
> }
>
> with LD_DEBUG I've found that it is trying to load legacy.so from openssl-native WORKDIR (work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so) which is already removed by rm_work and as work around I need to set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and then it works:
>
> OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' --openssl-legacy-provider
> Hash {
>   _options: undefined,
>   [Symbol(kHandle)]: Hash {},
>   [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> }
>
> On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek wrote:
>
> Current nodejs version v16 does not fully support new OpenSSL, so add option to use legacy provider.
>
> | opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
> | library: 'digital envelope routines',
> | reason: 'unsupported',
> | code: 'ERR_OSSL_EVP_UNSUPPORTED'
>
> It was blindly removed by upgrade to 16.14.0 version
>
> Signed-off-by: Andrej Valek
> --- > ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++ > .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 + > 2 files changed, 152 insertions(+) > create mode 100644 > meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > > diff --git > a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > new file mode 100644 > index 000000000..5af6c6114 > --- /dev/null > +++ > b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch 
> @@ -0,0 +1,151 @@ > +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001 > +From: Daniel Bevenius > +Date: Sat, 16 Oct 2021 08:50:16 +0200 > +Subject: [PATCH] src: add --openssl-legacy-provider option > + > +This commit adds an option to Node.js named --openssl-legacy-provider > +and if specified will load OpenSSL 3.0 Legacy provider. > + > +$ ./node --help > +... > +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider > + > +Example usage: > + > +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' > +Hash { > + _options: undefined, > + [Symbol(kHandle)]: Hash {}, > + [Symbol(kState)]: { [Symbol(kFinalized)]: false } > +} > + > +Co-authored-by: Richard Lau > + > +Refs: https://github.com/nodejs/node/issues/40455 > +--- > + doc/api/cli.md | 10 ++++++++++ > + src/crypto/crypto_util.cc | 10 ++++++++++ > + src/node_options.cc | 10 ++++++++++ > + src/node_options.h | 7 +++++++ > + .../test-process-env-allowed-flags-are-documented.js | 5 +++++ > + 5 files changed, 42 insertions(+) > + > +diff --git a/doc/api/cli.md b/doc/api/cli.md > +index 74057706bf8d..608b9cdeddf1 100644 > +--- a/doc/api/cli.md > ++++ b/doc/api/cli.md > +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among > other uses, this can be > + used to enable FIPS-compliant crypto if Node.js is built > + against FIPS-enabled OpenSSL. > + > ++### `--openssl-legacy-provider` > ++ > ++ > ++Enable OpenSSL 3.0 legacy provider. For more information please see > ++[providers readme][]. > ++ > + ### `--pending-deprecation` > + > +
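
Review bot: the header of the new 0005-add-openssl-legacy-provider-option.patch (from "From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14" down to the "---" before its diffstat) has no Upstream-Status: line and no Signed-off-by: from the submitter; it carries only the original author, date, Co-authored-by: and a Refs: link. Please add an Upstream-Status: tag (Backport with the commit URL if this is taken from the Node.js repository) and your Signed-off-by: inside the patch file, so that the next nodejs upgrade can tell whether the patch should be dropped rather than removing it blindly again, as the commit message says happened with 16.14.0. The commit message could also state that for nodejs-native the legacy module is searched in the openssl-native WORKDIR, which the replies above show failing once rm_work has run unless OPENSSL_MODULES is set.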