!115 nodejs适配openssl v3.0.8版本

From: @Tom_zc Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2023-03-27 02:48:15 +00:00 · 2023-03-27 02:48:15 +00:00 · 043e244619
commit 043e244619
parent 48847ee5dd f38a39b327
2 changed files with 173 additions and 1 deletions
--- a/0004-Support-openssl3.patch
+++ b/0004-Support-openssl3.patch
@ -0,0 +1,168 @@
+From 219e4f9e635a3cba0650f9f985b645c67f83d332 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Sat, 16 Oct 2021 08:50:16 +0200
+Subject: [PATCH] src: add --openssl-legacy-provider option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit adds an option to Node.js named --openssl-legacy-provider
+and if specified will load OpenSSL 3.0 Legacy provider when dynamically
+linking Node.js v16.x with OpenSSL 3.0.
+
+Building:
+$ ./configure --shared-openssl \
+ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
+ --shared-openssl-includes=/path/openssl_quic-3.0/include \
+ --shared-openssl-libname=crypto,ssl
+$ make -j8
+
+Verify options is available:
+$ ./node --help
+...
+--openssl-legacy-provider  enable OpenSSL 3.0 legacy provider
+
+Usage:
+$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
+$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
+$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
+$ ./node --openssl-legacy-provider  -p 'crypto.createHash("md4")'
+Hash {
+  _options: undefined,
+  [Symbol(kHandle)]: Hash {},
+  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
+}
+
+Fixes: https://github.com/nodejs/node/issues/40948
+
+Refs: https://github.com/nodejs/node/issues/40455
+PR-URL: https://github.com/nodejs/node/pull/40478
+Reviewed-By: Richard Lau <rlau@redhat.com>
+Reviewed-By: Tobias Nießen <tniessen@tnie.de>
+---
+ doc/api/cli.md                                        | 11 +++++++++++
+ src/crypto/crypto_util.cc                             | 10 ++++++++++
+ src/node_options.cc                                   |  3 +++
+ src/node_options.h                                    |  7 +++++++
+ .../test-process-env-allowed-flags-are-documented.js  |  5 +++++
+ 5 files changed, 36 insertions(+)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 475894d7c0e4..380a220b7cf8 100644
+--- a/doc/api/cli.md
+++ b/doc/api/cli.md
+@@ -732,6 +732,15 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
+ used to enable FIPS-compliant crypto if Node.js is built
+ against FIPS-enabled OpenSSL.
+ 
+### `--openssl-legacy-provider`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable OpenSSL 3.0 legacy provider when dynamically linking to OpenSSL 3.x.
+For more information please see [OSSL\_PROVIDER-legacy][OSSL_PROVIDER-legacy].
+
+ ### `--pending-deprecation`
+ 
+ <!-- YAML
+@@ -1592,6 +1601,7 @@ Node.js options that are allowed are:
+ * `--no-warnings`
+ * `--node-memory-debug`
+ * `--openssl-config`
+* `--openssl-legacy-provider`
+ * `--pending-deprecation`
+ * `--policy-integrity`
+ * `--preserve-symlinks-main`
+@@ -1952,6 +1962,7 @@ $ node --max-old-space-size=1536 index.js
+ [ECMAScript module loader]: esm.md#loaders
+ [Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
+ [Modules loaders]: packages.md#modules-loaders
+[OSSL_PROVIDER-legacy]: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
+ [REPL]: repl.md
+ [ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
+ [Source Map]: https://sourcemaps.info/spec.html
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index e1ef170a9f17..e93edd4b2fc9 100644
+--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
+@@ -148,6 +148,16 @@ void InitCryptoOnce() {
+   }
+ #endif
+ 
+#if OPENSSL_VERSION_MAJOR >= 3
+  // --openssl-legacy-provider
+  if (per_process::cli_options->openssl_legacy_provider) {
+    OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
+    if (legacy_provider == nullptr) {
+      fprintf(stderr, "Unable to load legacy provider.\n");
+    }
+  }
+#endif
+
+   OPENSSL_init_ssl(0, settings);
+   OPENSSL_INIT_free(settings);
+   settings = nullptr;
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 3192faaddaf4..296fed02b8d4 100644
+--- a/src/node_options.cc
+++ b/src/node_options.cc
+@@ -5,6 +5,9 @@
+ #include "node_binding.h"
+ #include "node_external_reference.h"
+ #include "node_internals.h"
+#if HAVE_OPENSSL
+#include "openssl/opensslv.h"
+#endif
+ 
+ #include <errno.h>
+ #include <sstream>
+diff --git a/src/node_options.h b/src/node_options.h
+index 40d1c0260581..07bf24489874 100644
+--- a/src/node_options.h
+++ b/src/node_options.h
+@@ -11,6 +11,10 @@
+ #include "node_mutex.h"
+ #include "util.h"
+ 
+#if HAVE_OPENSSL
+#include "openssl/opensslv.h"
+#endif
+
+ namespace node {
+ 
+ class HostPort {
+@@ -252,6 +256,9 @@ class PerProcessOptions : public Options {
+   bool enable_fips_crypto = false;
+   bool force_fips_crypto = false;
+ #endif
+#if OPENSSL_VERSION_MAJOR >= 3
+  bool openssl_legacy_provider = false;
+#endif
+ 
+   // Per-process because reports can be triggered outside a known V8 context.
+   bool report_on_fatalerror = false;
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index a2738f08e2fd..f4dd77e075b8 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
+   }
+ }
+ 
+if (!common.hasOpenSSL3) {
+  documented.delete('--openssl-legacy-provider');
+}
+
+ // Filter out options that are conditionally present.
+ const conditionalOpts = [
+   {
+@@ -50,6 +54,7 @@ const conditionalOpts = [
+     filter: (opt) => {
+       return [
+         '--openssl-config',
+        common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
+         '--tls-cipher-list',
+         '--use-bundled-ca',
+         '--use-openssl-ca',
--- a/nodejs.spec
+++ b/nodejs.spec
@ -1,5 +1,5 @@
 %bcond_with bootstrap
-%global baserelease 2
+%global baserelease 3
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 16
@ -82,6 +82,7 @@ Source7: nodejs_native.attr
 Patch0001: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
 Patch0003: 0003-Make-AARCH64-compile-on-64KB-physical-pages.patch
+Patch0004: 0004-Support-openssl3.patch
 Patch0006: CVE-2022-43548-pre-1.patch
 Patch0007: CVE-2022-43548-pre-2.patch
 Patch0008: CVE-2022-43548.patch
@ -446,6 +447,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %{_pkgdocdir}/npm/docs

 %changelog
+* Sat Mar 11 2023 Tom_zc <tom_toworld@163.com> - 1:16.15.0-3
+- support openssl v3.0.8
+
 * Thu Feb 23 2023 yaoxin <yaoxin30@h-partners.com> - 1:16.15.0-2
 - Fix CVE-2023-0286,CVE-2023-0215,CVE-2022-4304 and CVE-2022-4450