We have such bbclass already: https://github.com/webosose/meta-webosose/blob/master/meta-webos/classes/webos_npm_env.bbclass but I didn't want to enable legacy providers globally, so I was adding it only to recipes which needed it in over-optimistic hope that it will nudge component owners to update webpack (or whatever else needed legacy) before they get too comfortable with legacy being enabled by default.
:) On Wed, Apr 27, 2022 at 8:11 AM Valek, Andrej <[email protected]> wrote: > Maybe you can try to add it into global npm class with some enabling > variable. > > Cheers, > Andrej > > On Tue, 2022-04-26 at 14:59 +0200, Martin Jansa wrote: > > export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" > export NODE_OPTIONS="--openssl-legacy-provider" > > is what I'm doing in recipes which need it now. > > > you should have a legacy libraries in library loading path already > > here it tries to load it from openssl-native WORKDIR which is already > removed, maybe that works on target (there I was assuming you were > initially testing this), but in native case I need to explicitly set > OPENSSL_MODULES. > > On Tue, Apr 26, 2022 at 2:45 PM Valek, Andrej <[email protected]> > wrote: > > Hi, > > of course, that i working. But if you're going to use > --openssl-legacy-provider, you should have a legacy libraries in library > loading path already. Other option is manually set variables in npm-class > like: > > export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"export > NODE_OPTIONS="--openssl-legacy-provider" > > > Regards, > Andrej > > On Tue, 2022-04-26 at 14:37 +0200, Martin Jansa wrote: > > Hi, > > does this work correctly for you with nodejs-native? > > Here it fails to load legacy module: > recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' > --openssl-legacy-provider > Unable to load legacy provider. > node:internal/crypto/hash:67 > this[kHandle] = new _Hash(algorithm, xofLen); > ^ > > Error: error:12800067:DSO support routines::could not load the shared > library > at new Hash (node:internal/crypto/hash:67:19) > at Object.createHash (node:crypto:130:10) > at [eval]:1:8 > at Script.runInThisContext (node:vm:129:12) > at Object.runInThisContext (node:vm:305:38) > at node:internal/process/execution:76:19 > at [eval]-wrapper:6:22 > at evalScript (node:internal/process/execution:75:60) > at node:internal/main/eval_string:27:3 { > opensslErrorStack: [ > 'error:03000086:digital envelope routines::initialization error', > 'error:0308010C:digital envelope routines::unsupported', > 'error:078C0105:common libcrypto routines::init fail', > 'error:12800067:DSO support routines::could not load the shared > library' > ], > library: 'DSO support routines', > reason: 'could not load the shared library', > code: 'ERR_OSSL_DSO_COULD_NOT_LOAD_THE_SHARED_LIBRARY' > } > > with LD_DEBUG I've found that it is trying to load legacy.so from > openssl-native WORKDIR > (work/x86_64-linux/openssl-native/3.0.2-r0/recipe-sysroot-native/usr/lib/ossl-modules/legacy.so) > which is already removed by rm_work and as work around I need to > set OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ and > then it works: > > OPENSSL_MODULES=$(pwd)/recipe-sysroot-native/usr/lib/ossl-modules/ > recipe-sysroot-native/usr/bin/node -p 'crypto.createHash("md4")' > --openssl-legacy-provider > Hash { > _options: undefined, > [Symbol(kHandle)]: Hash {}, > [Symbol(kState)]: { [Symbol(kFinalized)]: false } > } > > On Sat, Mar 5, 2022 at 2:17 PM Andrej Valek <[email protected]> > wrote: > > Current nodejs version v16 does not fully support new OpenSSL, so add > option > to use legacy provider. > > | opensslErrorStack: [ 'error:03000086:digital envelope > routines::initialization error' ], > | library: 'digital envelope routines', > | reason: 'unsupported', > | code: 'ERR_OSSL_EVP_UNSUPPORTED' > > It was blindly removed by upgrade to 16.14.0 version > > Signed-off-by: Andrej Valek <[email protected]> > --- > ...5-add-openssl-legacy-provider-option.patch | 151 ++++++++++++++++++ > .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 + > 2 files changed, 152 insertions(+) > create mode 100644 > meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > > diff --git > a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > new file mode 100644 > index 000000000..5af6c6114 > --- /dev/null > +++ > b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > @@ -0,0 +1,151 @@ > +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001 > +From: Daniel Bevenius <[email protected]> > +Date: Sat, 16 Oct 2021 08:50:16 +0200 > +Subject: [PATCH] src: add --openssl-legacy-provider option > + > +This commit adds an option to Node.js named --openssl-legacy-provider > +and if specified will load OpenSSL 3.0 Legacy provider. > + > +$ ./node --help > +... > +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider > + > +Example usage: > + > +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' > +Hash { > + _options: undefined, > + [Symbol(kHandle)]: Hash {}, > + [Symbol(kState)]: { [Symbol(kFinalized)]: false } > +} > + > +Co-authored-by: Richard Lau <[email protected]> > + > +Refs: https://github.com/nodejs/node/issues/40455 > +--- > + doc/api/cli.md | 10 ++++++++++ > + src/crypto/crypto_util.cc | 10 ++++++++++ > + src/node_options.cc | 10 ++++++++++ > + src/node_options.h | 7 +++++++ > + .../test-process-env-allowed-flags-are-documented.js | 5 +++++ > + 5 files changed, 42 insertions(+) > + > +diff --git a/doc/api/cli.md b/doc/api/cli.md > +index 74057706bf8d..608b9cdeddf1 100644 > +--- a/doc/api/cli.md > ++++ b/doc/api/cli.md > +@@ -687,6 +687,14 @@ Load an OpenSSL configuration file on startup. Among > other uses, this can be > + used to enable FIPS-compliant crypto if Node.js is built > + against FIPS-enabled OpenSSL. > + > ++### `--openssl-legacy-provider` > ++<!-- YAML > ++added: REPLACEME > ++--> > ++ > ++Enable OpenSSL 3.0 legacy provider. For more information please see > ++[providers readme][]. > ++ > + ### `--pending-deprecation` > + > + <!-- YAML > +@@ -1544,6 +1552,7 @@ Node.js options that are allowed are: > + * `--no-warnings` > + * `--node-memory-debug` > + * `--openssl-config` > ++* `--openssl-legacy-provider` > + * `--pending-deprecation` > + * `--policy-integrity` > + * `--preserve-symlinks-main` > +@@ -1933,6 +1942,7 @@ $ node --max-old-space-size=1536 index.js > + [emit_warning]: process.md#processemitwarningwarning-options > + [jitless]: https://v8.dev/blog/jitless > + [libuv threadpool documentation]: > https://docs.libuv.org/en/latest/threadpool.html > ++[providers readme]: > https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md > + [remote code execution]: https://www.owasp.org/index.php/Code_Injection > + [security warning]: > #warning-binding-inspector-to-a-public-ipport-combination-is-insecure > + [timezone IDs]: > https://en.wikipedia.org/wiki/List_of_tz_database_time_zones > +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc > +index 7e0c8ba3eb60..796ea3025e41 100644 > +--- a/src/crypto/crypto_util.cc > ++++ b/src/crypto/crypto_util.cc > +@@ -148,6 +148,16 @@ void InitCryptoOnce() { > + } > + #endif > + > ++#if OPENSSL_VERSION_MAJOR >= 3 > ++ // --openssl-legacy-provider > ++ if (per_process::cli_options->openssl_legacy_provider) { > ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, > "legacy"); > ++ if (legacy_provider == nullptr) { > ++ fprintf(stderr, "Unable to load legacy provider.\n"); > ++ } > ++ } > ++#endif > ++ > + OPENSSL_init_ssl(0, settings); > + OPENSSL_INIT_free(settings); > + settings = nullptr; > +diff --git a/src/node_options.cc b/src/node_options.cc > +index 00bdc6688a4c..3363860919a9 100644 > +--- a/src/node_options.cc > ++++ b/src/node_options.cc > +@@ -4,6 +4,9 @@ > + #include "env-inl.h" > + #include "node_binding.h" > + #include "node_internals.h" > ++#if HAVE_OPENSSL > ++#include "openssl/opensslv.h" > ++#endif > + > + #include <errno.h> > + #include <sstream> > +diff --git a/src/node_options.h b/src/node_options.h > +index fd772478d04d..1c0e018ab16f 100644 > +--- a/src/node_options.h > ++++ b/src/node_options.h > +@@ -11,6 +11,10 @@ > + #include "node_mutex.h" > + #include "util.h" > + > ++#if HAVE_OPENSSL > ++#include "openssl/opensslv.h" > ++#endif > ++ > + namespace node { > + > + class HostPort { > +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options { > + bool enable_fips_crypto = false; > + bool force_fips_crypto = false; > + #endif > ++#if OPENSSL_VERSION_MAJOR >= 3 > ++ bool openssl_legacy_provider = false; > ++#endif > + > + // Per-process because reports can be triggered outside a known V8 > context. > + bool report_on_fatalerror = false; > +diff --git > a/test/parallel/test-process-env-allowed-flags-are-documented.js > b/test/parallel/test-process-env-allowed-flags-are-documented.js > +index 64626b71f019..8a4e35997907 100644 > +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js > ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js > +@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, > ...v8OptionsLines]) { > + } > + } > + > ++if (!common.hasOpenSSL3) { > ++ documented.delete('--openssl-legacy-provider'); > ++} > ++ > + // Filter out options that are conditionally present. > + const conditionalOpts = [ > + { > +@@ -50,6 +54,7 @@ const conditionalOpts = [ > + filter: (opt) => { > + return [ > + '--openssl-config', > ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '', > + '--tls-cipher-list', > + '--use-bundled-ca', > + '--use-openssl-ca', > + > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > index 9514ec499..7b9644ec8 100644 > --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > @@ -20,6 +20,7 @@ SRC_URI = " > http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ > file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ > file://0002-Install-both-binaries-and-use-libdir.patch \ > file://0004-v8-don-t-override-ARM-CFLAGS.patch \ > + file://0005-add-openssl-legacy-provider-option.patch \ > file://big-endian.patch \ > file://mips-less-memory.patch \ > file://system-c-ares.patch \ > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#96809): https://lists.openembedded.org/g/openembedded-devel/message/96809 Mute This Topic: https://lists.openembedded.org/mt/89569235/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
