On Sat, Mar 5, 2022 at 11:47 AM akuster808 <akuster...@gmail.com> wrote:
>
>
>
> On 3/5/22 05:16, Andrej Valek wrote:
> > Current nodejs version v16 does not fully support new OpenSSL, so add option
> > to use legacy provider.
> >
> > | opensslErrorStack: [ 'error:03000086:digital envelope
> > routines::initialization error' ],
> > | library: 'digital envelope routines',
> > | reason: 'unsupported',
> > | code: 'ERR_OSSL_EVP_UNSUPPORTED'
> >
> > It was blindly removed by upgrade to 16.14.0 version
> >
> > Signed-off-by: Andrej Valek <andrej.va...@siemens.com>
> > ---
> > ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++
> > .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
> > 2 files changed, 152 insertions(+)
> > create mode 100644
> > meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> >
> > diff --git
> > a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> >
> > b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> > new file mode 100644
> > index 000000000..5af6c6114
> > --- /dev/null
> > +++
> > b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch
> > @@ -0,0 +1,151 @@
> > +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001
> > +From: Daniel Bevenius <daniel.beven...@gmail.com>
> > +Date: Sat, 16 Oct 2021 08:50:16 +0200
> > +Subject: [PATCH] src: add --openssl-legacy-provider option
> > +
> > +This commit adds an option to Node.js named --openssl-legacy-provider
> > +and if specified will load OpenSSL 3.0 Legacy provider.
> > +
> > +$ ./node --help
> > +...
> > +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
> > +
> > +Example usage:
> > +
> > +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
> > +Hash {
> > + _options: undefined,
> > + [Symbol(kHandle)]: Hash {},
> > + [Symbol(kState)]: { [Symbol(kFinalized)]: false }
> > +}
> > +
> > +Co-authored-by: Richard Lau <r...@redhat.com>
> > +
> > +Refs: https://github.com/nodejs/node/issues/40455
>
> The patch is self is missing:
>
> Signed-off-by: "you"
> Upstream-Status: (see
> https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines)
>
right, this time I have addressed this myself for once.
>
> > +---
> > + doc/api/cli.md | 10 ++++++++++
> > + src/crypto/crypto_util.cc | 10 ++++++++++
> > + src/node_options.cc | 10 ++++++++++
> > + src/node_options.h | 7 +++++++
> > + .../test-process-env-allowed-flags-are-documented.js | 5 +++++
> > + 5 files changed, 42 insertions(+)
> > +
> > +diff --git a/doc/api/cli.md b/doc/api/cli.md
> > +index 74057706bf8d..608b9cdeddf1 100644
> > +--- a/doc/api/cli.md
> > ++++ b/doc/api/cli.md
> > +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among
> > other uses, this can be
> > + used to enable FIPS-compliant crypto if Node.js is built
> > + against FIPS-enabled OpenSSL.
> > +
> > ++### `--openssl-legacy-provider`
> > ++<!-- YAML
> > ++added: REPLACEME
> > ++-->
> > ++
> > ++Enable OpenSSL 3.0 legacy provider. For more information please see
> > ++[providers readme][].
> > ++
> > + ### `--pending-deprecation`
> > +
> > + <!-- YAML
> > +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are:
> > + * `--no-warnings`
> > + * `--node-memory-debug`
> > + * `--openssl-config`
> > ++* `--openssl-legacy-provider`
> > + * `--pending-deprecation`
> > + * `--policy-integrity`
> > + * `--preserve-symlinks-main`
> > +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js
> > + [emit_warning]: process.md#processemitwarningwarning-options
> > + [jitless]: https://v8.dev/blog/jitless
> > + [libuv threadpool documentation]:
> > https://docs.libuv.org/en/latest/threadpool.html
> > ++[providers readme]:
> > https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md
> > + [remote code execution]: https://www.owasp.org/index.php/Code_Injection
> > + [security warning]:
> > #warning-binding-inspector-to-a-public-ipport-combination-is-insecure
> > + [timezone IDs]:
> > https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
> > +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
> > +index 7e0c8ba3eb60..796ea3025e41 100644
> > +--- a/src/crypto/crypto_util.cc
> > ++++ b/src/crypto/crypto_util.cc
> > +@@ -148,6 +148,16 @@ void InitCryptoOnce() {
> > + }
> > + #endif
> > +
> > ++#if OPENSSL_VERSION_MAJOR >= 3
> > ++ // --openssl-legacy-provider
> > ++ if (per_process::cli_options->openssl_legacy_provider) {
> > ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr,
> > "legacy");
> > ++ if (legacy_provider == nullptr) {
> > ++ fprintf(stderr, "Unable to load legacy provider.\n");
> > ++ }
> > ++ }
> > ++#endif
> > ++
> > + OPENSSL_init_ssl(0, settings);
> > + OPENSSL_INIT_free(settings);
> > + settings = nullptr;
> > +diff --git a/src/node_options.cc b/src/node_options.cc
> > +index 00bdc6688a4c..3363860919a9 100644
> > +--- a/src/node_options.cc
> > ++++ b/src/node_options.cc
> > +@@ -4,6 +4,9 @@
> > + #include "env-inl.h"
> > + #include "node_binding.h"
> > + #include "node_internals.h"
> > ++#if HAVE_OPENSSL
> > ++#include "openssl/opensslv.h"
> > ++#endif
> > +
> > + #include <errno.h>
> > + #include <sstream>
> > +diff --git a/src/node_options.h b/src/node_options.h
> > +index fd772478d04d..1c0e018ab16f 100644
> > +--- a/src/node_options.h
> > ++++ b/src/node_options.h
> > +@@ -11,6 +11,10 @@
> > + #include "node_mutex.h"
> > + #include "util.h"
> > +
> > ++#if HAVE_OPENSSL
> > ++#include "openssl/opensslv.h"
> > ++#endif
> > ++
> > + namespace node {
> > +
> > + class HostPort {
> > +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
> > + bool enable_fips_crypto = false;
> > + bool force_fips_crypto = false;
> > + #endif
> > ++#if OPENSSL_VERSION_MAJOR >= 3
> > ++ bool openssl_legacy_provider = false;
> > ++#endif
> > +
> > + // Per-process because reports can be triggered outside a known V8
> > context.
> > + bool report_on_fatalerror = false;
> > +diff --git
> > a/test/parallel/test-process-env-allowed-flags-are-documented.js
> > b/test/parallel/test-process-env-allowed-flags-are-documented.js
> > +index 64626b71f019..8a4e35997907 100644
> > +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
> > ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
> > +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines,
> > ...v8OptionsLines]) {
> > + }
> > + }
> > +
> > ++if (!common.hasOpenSSL3) {
> > ++ documented.delete('--openssl-legacy-provider');
> > ++}
> > ++
> > + // Filter out options that are conditionally present.
> > + const conditionalOpts = [
> > + {
> > +@@ -50,6 +54,7 @@ const conditionalOpts = [
> > + filter: (opt) => {
> > + return [
> > + '--openssl-config',
> > ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
> > + '--tls-cipher-list',
> > + '--use-bundled-ca',
> > + '--use-openssl-ca',
> > +
> > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > index 9514ec499..7b9644ec8 100644
> > --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb
> > @@ -20,6 +20,7 @@ SRC_URI =
> > "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
> > file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
> > file://0002-Install-both-binaries-and-use-libdir.patch \
> > file://0004-v8-don-t-override-ARM-CFLAGS.patch \
> > + file://0005-add-openssl-legacy-provider-option.patch \
> > file://big-endian.patch \
> > file://mips-less-memory.patch \
> > file://system-c-ares.patch \
> >
> >
> >
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#95888):
https://lists.openembedded.org/g/openembedded-devel/message/95888
Mute This Topic: https://lists.openembedded.org/mt/89569235/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
