packages/nodejs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!115 nodejs适配openssl v3.0.8版本

Browse Source 
From: @Tom_zc 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2023-03-27 02:48:15 +00:00 committed by Gitee
commit 043e244619
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 173 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
0004-Support-openssl3.patch Normal file
View File

@ -0,0 +1,168 @@
From 219e4f9e635a3cba0650f9f985b645c67f83d332 Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Sat, 16 Oct 2021 08:50:16 +0200
Subject: [PATCH] src: add --openssl-legacy-provider option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit adds an option to Node.js named --openssl-legacy-provider
and if specified will load OpenSSL 3.0 Legacy provider when dynamically
linking Node.js v16.x with OpenSSL 3.0.
Building:
$ ./configure --shared-openssl \
--shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
--shared-openssl-includes=/path/openssl_quic-3.0/include \
--shared-openssl-libname=crypto,ssl
$ make -j8
Verify options is available:
$ ./node --help
...
--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
Usage:
$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
Hash {
_options: undefined,
[Symbol(kHandle)]: Hash {},
[Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
Fixes: https://github.com/nodejs/node/issues/40948
Refs: https://github.com/nodejs/node/issues/40455
PR-URL: https://github.com/nodejs/node/pull/40478
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
---
doc/api/cli.md | 11 +++++++++++
src/crypto/crypto_util.cc | 10 ++++++++++
src/node_options.cc | 3 +++
src/node_options.h | 7 +++++++
.../test-process-env-allowed-flags-are-documented.js | 5 +++++
5 files changed, 36 insertions(+)
diff --git a/doc/api/cli.md b/doc/api/cli.md
index 475894d7c0e4..380a220b7cf8 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -732,6 +732,15 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built
against FIPS-enabled OpenSSL.
+### `--openssl-legacy-provider`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable OpenSSL 3.0 legacy provider when dynamically linking to OpenSSL 3.x.
+For more information please see [OSSL\_PROVIDER-legacy][OSSL_PROVIDER-legacy].
+
### `--pending-deprecation`
<!-- YAML
@@ -1592,6 +1601,7 @@ Node.js options that are allowed are:
* `--no-warnings`
* `--node-memory-debug`
* `--openssl-config`
+* `--openssl-legacy-provider`
* `--pending-deprecation`
* `--policy-integrity`
* `--preserve-symlinks-main`
@@ -1952,6 +1962,7 @@ $ node --max-old-space-size=1536 index.js
[ECMAScript module loader]: esm.md#loaders
[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
[Modules loaders]: packages.md#modules-loaders
+[OSSL_PROVIDER-legacy]: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
[REPL]: repl.md
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
[Source Map]: https://sourcemaps.info/spec.html
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index e1ef170a9f17..e93edd4b2fc9 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -148,6 +148,16 @@ void InitCryptoOnce() {
}
#endif
+#if OPENSSL_VERSION_MAJOR >= 3
+ // --openssl-legacy-provider
+ if (per_process::cli_options->openssl_legacy_provider) {
+ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
+ if (legacy_provider == nullptr) {
+ fprintf(stderr, "Unable to load legacy provider.\n");
+ }
+ }
+#endif
+
OPENSSL_init_ssl(0, settings);
OPENSSL_INIT_free(settings);
settings = nullptr;
diff --git a/src/node_options.cc b/src/node_options.cc
index 3192faaddaf4..296fed02b8d4 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -5,6 +5,9 @@
#include "node_binding.h"
#include "node_external_reference.h"
#include "node_internals.h"
+#if HAVE_OPENSSL
+#include "openssl/opensslv.h"
+#endif
#include <errno.h>
#include <sstream>
diff --git a/src/node_options.h b/src/node_options.h
index 40d1c0260581..07bf24489874 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -11,6 +11,10 @@
#include "node_mutex.h"
#include "util.h"
+#if HAVE_OPENSSL
+#include "openssl/opensslv.h"
+#endif
+
namespace node {
class HostPort {
@@ -252,6 +256,9 @@ class PerProcessOptions : public Options {
bool enable_fips_crypto = false;
bool force_fips_crypto = false;
#endif
+#if OPENSSL_VERSION_MAJOR >= 3
+ bool openssl_legacy_provider = false;
+#endif
// Per-process because reports can be triggered outside a known V8 context.
bool report_on_fatalerror = false;
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
index a2738f08e2fd..f4dd77e075b8 100644
--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
}
}
+if (!common.hasOpenSSL3) {
+ documented.delete('--openssl-legacy-provider');
+}
+
// Filter out options that are conditionally present.
const conditionalOpts = [
{
@@ -50,6 +54,7 @@ const conditionalOpts = [
filter: (opt) => {
return [
'--openssl-config',
+ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
'--tls-cipher-list',
'--use-bundled-ca',
'--use-openssl-ca',

6
nodejs.spec
View File

@ -1,5 +1,5 @@
%bcond_with bootstrap %bcond_with bootstrap
%global baserelease 2 %global baserelease 3
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 16 %global nodejs_major 16
@ -82,6 +82,7 @@ Source7: nodejs_native.attr
Patch0001: 0001-Disable-running-gyp-on-shared-deps.patch Patch0001: 0001-Disable-running-gyp-on-shared-deps.patch
Patch0002: 0002-Install-both-binaries-and-use-libdir.patch Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
Patch0003: 0003-Make-AARCH64-compile-on-64KB-physical-pages.patch Patch0003: 0003-Make-AARCH64-compile-on-64KB-physical-pages.patch
Patch0004: 0004-Support-openssl3.patch
Patch0006: CVE-2022-43548-pre-1.patch Patch0006: CVE-2022-43548-pre-1.patch
Patch0007: CVE-2022-43548-pre-2.patch Patch0007: CVE-2022-43548-pre-2.patch
Patch0008: CVE-2022-43548.patch Patch0008: CVE-2022-43548.patch
@ -446,6 +447,9 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%{_pkgdocdir}/npm/docs %{_pkgdocdir}/npm/docs
%changelog %changelog
* Sat Mar 11 2023 Tom_zc <tom_toworld@163.com> - 1:16.15.0-3
- support openssl v3.0.8
* Thu Feb 23 2023 yaoxin <yaoxin30@h-partners.com> - 1:16.15.0-2 * Thu Feb 23 2023 yaoxin <yaoxin30@h-partners.com> - 1:16.15.0-2
- Fix CVE-2023-0286,CVE-2023-0215,CVE-2022-4304 and CVE-2022-4450 - Fix CVE-2023-0286,CVE-2023-0215,CVE-2022-4304 and CVE-2022-4450