| Message ID | 20220304133822.68214-1-andrej.valek@siemens.com |
|---|---|
| State | New |
| Series | [meta-oe] nodejs: add option to use openssl legacy providers again |
fails to apply https://errors.yoctoproject.org/Errors/Details/651075/ https://errors.yoctoproject.org/Errors/Details/651076/ On Fri, Mar 4, 2022 at 5:38 AM Andrej Valek <andrej.valek@siemens.com> wrote: > > Current nodejs version v16 does not fully support new OpenSSL, so add option > to use legacy provider. > > | opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ], > | library: 'digital envelope routines', > | reason: 'unsupported', > | code: 'ERR_OSSL_EVP_UNSUPPORTED' > > It was blindly removed by upgrade to 16.14.0 version > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > --- > ...5-add-openssl-legacy-provider-option.patch | 165 ++++++++++++++++++ > .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 + > 2 files changed, 166 insertions(+) > create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch > new file mode 100644 > index 000000000..2e66a0282 > --- /dev/null > +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch 
> @@ -0,0 +1,165 @@ > +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001 > +From: Daniel Bevenius <daniel.bevenius@gmail.com> > +Date: Sat, 16 Oct 2021 08:50:16 +0200 > +Subject: [PATCH] src: add --openssl-legacy-provider option > + > +This commit adds an option to Node.js named --openssl-legacy-provider > +and if specified will load OpenSSL 3.0 Legacy provider. > + > +$ ./node --help > +... > +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider > + > +Example usage: > + > +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' > +Hash { > + _options: undefined, > + [Symbol(kHandle)]: Hash {}, > + [Symbol(kState)]: { [Symbol(kFinalized)]: false } > +} > + > +Co-authored-by: Richard Lau <rlau@redhat.com> > + > +Refs: https://github.com/nodejs/node/issues/40455 > +--- > + doc/api/cli.md | 10 ++++++++++ > + src/crypto/crypto_util.cc | 10 ++++++++++ > + src/node_options.cc | 10 ++++++++++ > + src/node_options.h | 7 +++++++ > + .../test-process-env-allowed-flags-are-documented.js | 5 +++++ > + 5 files changed, 42 insertions(+) > + > +diff --git a/doc/api/cli.md b/doc/api/cli.md > +index 74057706bf8d..608b9cdeddf1 100644 > +--- a/doc/api/cli.md > ++++ b/doc/api/cli.md > +@@ -652,6 +652,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be > + used to enable FIPS-compliant crypto if Node.js is built > + against FIPS-enabled OpenSSL. > + > ++### `--openssl-legacy-provider` > ++<!-- YAML > ++added: REPLACEME > ++--> > ++ > ++Enable OpenSSL 3.0 legacy provider. For more information please see > ++[providers readme][]. 
> ++ > + ### `--pending-deprecation` > + <!-- YAML > + added: v8.0.0 > +@@ -1444,6 +1452,7 @@ Node.js options that are allowed are: > + * `--no-warnings` > + * `--node-memory-debug` > + * `--openssl-config` > ++* `--openssl-legacy-provider` > + * `--pending-deprecation` > + * `--policy-integrity` > + * `--preserve-symlinks-main` > +@@ -1814,6 +1823,7 @@ $ node --max-old-space-size=1536 index.js > + [emit_warning]: process.md#process_process_emitwarning_warning_type_code_ctor > + [jitless]: https://v8.dev/blog/jitless > + [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html > ++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md > + [remote code execution]: https://www.owasp.org/index.php/Code_Injection > + [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones > + [ways that `TZ` is handled in other environments]: https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html > +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc > +index 7e0c8ba3eb60..796ea3025e41 100644 > +--- a/src/crypto/crypto_util.cc > ++++ b/src/crypto/crypto_util.cc > +@@ -136,6 +136,16 @@ void InitCryptoOnce() { > + } > + #endif > + > ++#if OPENSSL_VERSION_MAJOR >= 3 > ++ // --openssl-legacy-provider > ++ if (per_process::cli_options->openssl_legacy_provider) { > ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy"); > ++ if (legacy_provider == nullptr) { > ++ fprintf(stderr, "Unable to load legacy provider.\n"); > ++ } > ++ } > ++#endif > ++ > + OPENSSL_init_ssl(0, settings); > + OPENSSL_INIT_free(settings); > + settings = nullptr; > +diff --git a/src/node_options.cc b/src/node_options.cc > +index 00bdc6688a4c..3363860919a9 100644 > +--- a/src/node_options.cc > ++++ b/src/node_options.cc > +@@ -4,6 +4,9 @@ > + #include "env-inl.h" > + #include "node_binding.h" > + #include "node_internals.h" > ++#if HAVE_OPENSSL > ++#include "openssl/opensslv.h" > ++#endif 
> + > + #include <errno.h> > + #include <sstream> > +@@ -809,6 +812,13 @@ PerProcessOptionsParser::PerProcessOptionsParser( > + &PerProcessOptions::secure_heap_min, > + kAllowedInEnvironment); > + #endif > ++#if OPENSSL_VERSION_MAJOR >= 3 > ++ AddOption("--openssl-legacy-provider", > ++ "enable OpenSSL 3.0 legacy provider", > ++ &PerProcessOptions::openssl_legacy_provider, > ++ kAllowedInEnvironment); > ++ > ++#endif // OPENSSL_VERSION_MAJOR > + AddOption("--use-largepages", > + "Map the Node.js static code to large pages. Options are " > + "'off' (the default value, meaning do not map), " > +diff --git a/src/node_options.h b/src/node_options.h > +index fd772478d04d..1c0e018ab16f 100644 > +--- a/src/node_options.h > ++++ b/src/node_options.h > +@@ -11,6 +11,10 @@ > + #include "node_mutex.h" > + #include "util.h" > + > ++#if HAVE_OPENSSL > ++#include "openssl/opensslv.h" > ++#endif > ++ > + namespace node { > + > + class HostPort { > +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options { > + bool enable_fips_crypto = false; > + bool force_fips_crypto = false; > + #endif > ++#if OPENSSL_VERSION_MAJOR >= 3 > ++ bool openssl_legacy_provider = false; > ++#endif > + > + // Per-process because reports can be triggered outside a known V8 context. > + bool report_on_fatalerror = false; > +diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js > +index 64626b71f019..8a4e35997907 100644 > +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js > ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js > +@@ -40,6 +40,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) { > + } > + } > + > ++if (!common.hasOpenSSL3) { > ++ documented.delete('--openssl-legacy-provider'); > ++} > ++ > + // Filter out options that are conditionally present. 
> + const conditionalOpts = [ > + { > +@@ -47,6 +51,7 @@ const conditionalOpts = [ > + filter: (opt) => { > + return [ > + '--openssl-config', > ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '', > + '--tls-cipher-list', > + '--use-bundled-ca', > + '--use-openssl-ca', > + > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > index 9514ec499..7b9644ec8 100644 > --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb > @@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ > file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ > file://0002-Install-both-binaries-and-use-libdir.patch \ > file://0004-v8-don-t-override-ARM-CFLAGS.patch \ > + file://0005-add-openssl-legacy-provider-option.patch \ > file://big-endian.patch \ > file://mips-less-memory.patch \ > file://system-c-ares.patch \ > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#95782): https://lists.openembedded.org/g/openembedded-devel/message/95782 > Mute This Topic: https://lists.openembedded.org/mt/89548688/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch new file mode 100644 index 000000000..2e66a0282 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch 
@@ -0,0 +1,165 @@ +From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 Mon Sep 17 00:00:00 2001 +From: Daniel Bevenius <daniel.bevenius@gmail.com> +Date: Sat, 16 Oct 2021 08:50:16 +0200 +Subject: [PATCH] src: add --openssl-legacy-provider option + +This commit adds an option to Node.js named --openssl-legacy-provider +and if specified will load OpenSSL 3.0 Legacy provider. + +$ ./node --help +... +--openssl-legacy-provider enable OpenSSL 3.0 legacy provider + +Example usage: + +$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")' +Hash { + _options: undefined, + [Symbol(kHandle)]: Hash {}, + [Symbol(kState)]: { [Symbol(kFinalized)]: false } +} + +Co-authored-by: Richard Lau <rlau@redhat.com> + +Refs: https://github.com/nodejs/node/issues/40455 +--- + doc/api/cli.md | 10 ++++++++++ + src/crypto/crypto_util.cc | 10 ++++++++++ + src/node_options.cc | 10 ++++++++++ + src/node_options.h | 7 +++++++ + .../test-process-env-allowed-flags-are-documented.js | 5 +++++ + 5 files changed, 42 insertions(+) + +diff --git a/doc/api/cli.md b/doc/api/cli.md +index 74057706bf8d..608b9cdeddf1 100644 +--- a/doc/api/cli.md ++++ b/doc/api/cli.md +@@ -652,6 +652,14 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be + used to enable FIPS-compliant crypto if Node.js is built + against FIPS-enabled OpenSSL. + ++### `--openssl-legacy-provider` ++<!-- YAML ++added: REPLACEME ++--> ++ ++Enable OpenSSL 3.0 legacy provider. For more information please see ++[providers readme][]. 
++ + ### `--pending-deprecation` + <!-- YAML + added: v8.0.0 +@@ -1444,6 +1452,7 @@ Node.js options that are allowed are: + * `--no-warnings` + * `--node-memory-debug` + * `--openssl-config` ++* `--openssl-legacy-provider` + * `--pending-deprecation` + * `--policy-integrity` + * `--preserve-symlinks-main` +@@ -1814,6 +1823,7 @@ $ node --max-old-space-size=1536 index.js + [emit_warning]: process.md#process_process_emitwarning_warning_type_code_ctor + [jitless]: https://v8.dev/blog/jitless + [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html ++[providers readme]: https://github.com/openssl/openssl/blob/openssl-3.0.0/README-PROVIDERS.md + [remote code execution]: https://www.owasp.org/index.php/Code_Injection + [timezone IDs]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones + [ways that `TZ` is handled in other environments]: https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc +index 7e0c8ba3eb60..796ea3025e41 100644 +--- a/src/crypto/crypto_util.cc ++++ b/src/crypto/crypto_util.cc +@@ -136,6 +136,16 @@ void InitCryptoOnce() { + } + #endif + ++#if OPENSSL_VERSION_MAJOR >= 3 ++ // --openssl-legacy-provider ++ if (per_process::cli_options->openssl_legacy_provider) { ++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy"); ++ if (legacy_provider == nullptr) { ++ fprintf(stderr, "Unable to load legacy provider.\n"); ++ } ++ } ++#endif ++ + OPENSSL_init_ssl(0, settings); + OPENSSL_INIT_free(settings); + settings = nullptr; +diff --git a/src/node_options.cc b/src/node_options.cc +index 00bdc6688a4c..3363860919a9 100644 +--- a/src/node_options.cc ++++ b/src/node_options.cc +@@ -4,6 +4,9 @@ + #include "env-inl.h" + #include "node_binding.h" + #include "node_internals.h" ++#if HAVE_OPENSSL ++#include "openssl/opensslv.h" ++#endif + + #include <errno.h> + #include <sstream> +@@ -809,6 +812,13 @@ 
PerProcessOptionsParser::PerProcessOptionsParser( + &PerProcessOptions::secure_heap_min, + kAllowedInEnvironment); + #endif ++#if OPENSSL_VERSION_MAJOR >= 3 ++ AddOption("--openssl-legacy-provider", ++ "enable OpenSSL 3.0 legacy provider", ++ &PerProcessOptions::openssl_legacy_provider, ++ kAllowedInEnvironment); ++ ++#endif // OPENSSL_VERSION_MAJOR + AddOption("--use-largepages", + "Map the Node.js static code to large pages. Options are " + "'off' (the default value, meaning do not map), " +diff --git a/src/node_options.h b/src/node_options.h +index fd772478d04d..1c0e018ab16f 100644 +--- a/src/node_options.h ++++ b/src/node_options.h +@@ -11,6 +11,10 @@ + #include "node_mutex.h" + #include "util.h" + ++#if HAVE_OPENSSL ++#include "openssl/opensslv.h" ++#endif ++ + namespace node { + + class HostPort { +@@ -251,6 +255,9 @@ class PerProcessOptions : public Options { + bool enable_fips_crypto = false; + bool force_fips_crypto = false; + #endif ++#if OPENSSL_VERSION_MAJOR >= 3 ++ bool openssl_legacy_provider = false; ++#endif + + // Per-process because reports can be triggered outside a known V8 context. + bool report_on_fatalerror = false; +diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js +index 64626b71f019..8a4e35997907 100644 +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js +@@ -40,6 +40,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) { + } + } + ++if (!common.hasOpenSSL3) { ++ documented.delete('--openssl-legacy-provider'); ++} ++ + // Filter out options that are conditionally present. + const conditionalOpts = [ + { +@@ -47,6 +51,7 @@ const conditionalOpts = [ + filter: (opt) => { + return [ + '--openssl-config', ++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '', + '--tls-cipher-list', + '--use-bundled-ca', + '--use-openssl-ca', + 
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb index 9514ec499..7b9644ec8 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.14.0.bb @@ -20,6 +20,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ file://0002-Install-both-binaries-and-use-libdir.patch \ file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://0005-add-openssl-legacy-provider-option.patch \ file://big-endian.patch \ file://mips-less-memory.patch \ file://system-c-ares.patch \
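Review bot: In the crypto_util.cc hunk, `OSSL_PROVIDER_load(nullptr, "legacy")` is the only provider that is ever loaded explicitly, and OpenSSL 3 stops loading the default provider as an automatic fallback once any provider has been loaded explicitly into that library context. The recipe builds against a shared system OpenSSL, so whether SHA-2, AES and the TLS stack keep working after `--openssl-legacy-provider` is passed depends on the target's openssl.cnf activating the default provider; if it does not, the flag that was meant to add MD4 takes away everything else. Consider loading `default` alongside `legacy` (`OSSL_PROVIDER_load(nullptr, "default")` before or after the legacy load) or, at minimum, documenting the config requirement. Separately, a failed load only does `fprintf(stderr, "Unable to load legacy provider.\n");` and carries on, so a process started with the flag accepted still fails at the first MD4/RC4 call with the same `ERR_OSSL_EVP_UNSUPPORTED` the commit message quotes, and the actual cause (typically the `legacy` module not being installed in the OpenSSL modules directory) is never shown; exiting non-zero, or at least printing the OpenSSL error queue (e.g. `ERR_print_errors_fp(stderr)`), would make the failure diagnosable on an embedded image.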
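Review bot: In the node_options.cc hunk the option is registered with `kAllowedInEnvironment`, which means anything that can set `NODE_OPTIONS` in a process's environment can switch the legacy algorithms (MD4, RC4, single DES and the rest of what OpenSSL 3 moved out of the default provider) back on for every Node process it spawns, with no change to the command line or the application code. This mirrors how `--openssl-config` is treated in the same list, so it is defensible, but it is a security-relevant widening of what the environment controls and should be called out in the cli.md entry so image integrators can decide whether to strip the option from `NODE_OPTIONS` in their launchers. Minor: the blank line before `#endif // OPENSSL_VERSION_MAJOR` is stray, and the `#if OPENSSL_VERSION_MAJOR >= 3` guard only works when `HAVE_OPENSSL` is off because an undefined macro evaluates to 0; `#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3` states the intent directly.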
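Review bot: The cli.md hunk leaves `added: REPLACEME` in the YAML metadata; because this is carried as a downstream patch on a 16.14.0 recipe, the placeholder ends up verbatim in any docs generated from this tree, so it should be set to the version this build ships (or to the upstream release that introduced the option, if that is known). The one-line description `Enable OpenSSL 3.0 legacy provider.` also tells the user nothing about the consequence: the legacy provider re-exposes algorithms OpenSSL 3 deliberately stopped offering by default (MD4, the algorithm in the patch's own `crypto.createHash("md4")` example, among them), so the entry should state that the flag enables deprecated, cryptographically weak algorithms and exists as a compatibility shim for code that still depends on them, not as something to turn on by default.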
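Review bot: The patch file that the .bb hunk adds to `SRC_URI` keeps the upstream commit header (`From 86d1c0cc6a5dcf57e413a1cc1c29203e87cf9a14 ...`, `Subject: [PATCH] src: add --openssl-legacy-provider option`) but has no `Upstream-Status:` line, which the OpenEmbedded patch guidelines ask for on every patch under recipes-*; since this is a cherry-pick of an upstream nodejs commit, `Upstream-Status: Backport [<upstream commit URL>]` plus a `Signed-off-by:` from the person carrying it in meta-oe is the expected form. The maintainer reply at the top of the page also reports that the series fails to apply and links the two error reports, so the patch needs to be refreshed against current meta-oe master before being resubmitted. Unrelated to this change but visible in the hunk's context: `SRC_URI` fetches the tarball over plain `http://nodejs.org/dist/...`; the checksums protect integrity, but switching to `https://` would be a cheap hardening to fold into a follow-up.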
Current nodejs version v16 does not fully support the new OpenSSL, so add an option to use the legacy provider.

| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'

It was blindly removed by the upgrade to version 16.14.0.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 ...5-add-openssl-legacy-provider-option.patch | 165 ++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_16.14.0.bb | 1 +
 2 files changed, 166 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0005-add-openssl-legacy-provider-option.patch