Skip to content

Commit f8da60f

Browse files
sam-githubMylesBorins
sam-github
authored and
MylesBorins
committed
crypto: support OPENSSL_CONF again
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: #10938 PR-URL: #11006 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>
1 parent aec7ae2 commit f8da60f

File tree

6 files changed

+55
-9
lines changed

6 files changed

+55
-9
lines changed

doc/api/cli.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -328,8 +328,21 @@ malformed, but any errors are otherwise ignored.
328328
Note that neither the well known nor extra certificates are used when the `ca`
329329
options property is explicitly specified for a TLS or HTTPS client or server.
330330

331+
### `OPENSSL_CONF=file`
332+
<!-- YAML
333+
added: REPLACEME
334+
-->
335+
336+
Load an OpenSSL configuration file on startup. Among other uses, this can be
337+
used to enable FIPS-compliant crypto if Node.js is built with `./configure
338+
\-\-openssl\-fips`.
339+
340+
If the [`--openssl-config`][] command line option is used, the environment
341+
variable is ignored.
342+
331343
[emit_warning]: process.html#process_process_emitwarning_warning_name_ctor
332344
[Buffer]: buffer.html#buffer_buffer
333345
[debugger]: debugger.html
334346
[REPL]: repl.html
335347
[SlowBuffer]: buffer.html#buffer_class_slowbuffer
348+
[`--openssl-config`]: #cli_openssl_config_file

doc/node.1

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,16 @@ when outputting to a TTY on platforms which support async stdio.
215215
Setting this will void any guarantee that stdio will not be interleaved or
216216
dropped at program exit. \fBAvoid use.\fR
217217

218+
.TP
219+
.BR OPENSSL_CONF = \fIfile\fR
220+
Load an OpenSSL configuration file on startup. Among other uses, this can be
221+
used to enable FIPS-compliant crypto if Node.js is built with
222+
\fB./configure \-\-openssl\-fips\fR.
223+
224+
If the
225+
\fB\-\-openssl\-config\fR
226+
command line option is used, the environment variable is ignored.
227+
218228

219229
.SH BUGS
220230
Bugs are tracked in GitHub Issues:

src/node.cc

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -179,7 +179,7 @@ bool no_deprecation = false;
179179
bool enable_fips_crypto = false;
180180
bool force_fips_crypto = false;
181181
# endif // NODE_FIPS_MODE
182-
const char* openssl_config = nullptr;
182+
std::string openssl_config; // NOLINT(runtime/string)
183183
#endif // HAVE_OPENSSL
184184

185185
// true if process warnings should be suppressed
@@ -3691,7 +3691,7 @@ static void PrintHelp() {
36913691
" --force-fips force FIPS crypto (cannot be disabled)\n"
36923692
#endif /* NODE_FIPS_MODE */
36933693
" --openssl-config=path load OpenSSL configuration file from the\n"
3694-
" specified path\n"
3694+
" specified file (overrides OPENSSL_CONF)\n"
36953695
#endif /* HAVE_OPENSSL */
36963696
#if defined(NODE_HAVE_I18N_SUPPORT)
36973697
" --icu-data-dir=dir set ICU data load path to dir\n"
@@ -3726,6 +3726,7 @@ static void PrintHelp() {
37263726
#endif
37273727
" prefixed to the module search path\n"
37283728
"NODE_REPL_HISTORY path to the persistent REPL history file\n"
3729+
"OPENSSL_CONF load OpenSSL configuration from file\n"
37293730
"\n"
37303731
"Documentation can be found at https://nodejs.org/\n");
37313732
}
@@ -3860,7 +3861,7 @@ static void ParseArgs(int* argc,
38603861
force_fips_crypto = true;
38613862
#endif /* NODE_FIPS_MODE */
38623863
} else if (strncmp(arg, "--openssl-config=", 17) == 0) {
3863-
openssl_config = arg + 17;
3864+
openssl_config.assign(arg + 17);
38643865
#endif /* HAVE_OPENSSL */
38653866
#if defined(NODE_HAVE_I18N_SUPPORT)
38663867
} else if (strncmp(arg, "--icu-data-dir=", 15) == 0) {
@@ -4355,6 +4356,9 @@ void Init(int* argc,
43554356
V8::SetFlagsFromString(NODE_V8_OPTIONS, sizeof(NODE_V8_OPTIONS) - 1);
43564357
#endif
43574358

4359+
if (openssl_config.empty())
4360+
SafeGetenv("OPENSSL_CONF", &openssl_config);
4361+
43584362
// Parse a few arguments which are specific to Node.
43594363
int v8_argc;
43604364
const char** v8_argv;

src/node_crypto.cc

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5904,14 +5904,14 @@ void InitCryptoOnce() {
59045904
OPENSSL_no_config();
59055905

59065906
// --openssl-config=...
5907-
if (openssl_config != nullptr) {
5907+
if (!openssl_config.empty()) {
59085908
OPENSSL_load_builtin_modules();
59095909
#ifndef OPENSSL_NO_ENGINE
59105910
ENGINE_load_builtin_engines();
59115911
#endif
59125912
ERR_clear_error();
59135913
CONF_modules_load_file(
5914-
openssl_config,
5914+
openssl_config.c_str(),
59155915
nullptr,
59165916
CONF_MFLAGS_DEFAULT_SECTION);
59175917
int err = ERR_get_error();

src/node_internals.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ namespace node {
3636

3737
// Set in node.cc by ParseArgs with the value of --openssl-config.
3838
// Used in node_crypto.cc when initializing OpenSSL.
39-
extern const char* openssl_config;
39+
extern std::string openssl_config;
4040

4141
// Set in node.cc by ParseArgs when --preserve-symlinks is used.
4242
// Used in node_config.cc to set a constant on process.binding('config')

test/parallel/test-crypto-fips.js

Lines changed: 22 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -37,8 +37,9 @@ function testHelper(stream, args, expectedOutput, cmd, env) {
3737
env: env
3838
});
3939

40-
console.error('Spawned child [pid:' + child.pid + '] with cmd ' +
41-
cmd + ' and args \'' + args + '\'');
40+
console.error('Spawned child [pid:' + child.pid + '] with cmd \'' +
41+
cmd + '\' expect %j with args \'' + args + '\'' +
42+
' OPENSSL_CONF=%j', expectedOutput, env.OPENSSL_CONF);
4243

4344
function childOk(child) {
4445
console.error('Child #' + ++num_children_ok +
@@ -92,10 +93,26 @@ testHelper(
9293
compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
9394
'require("crypto").fips',
9495
process.env);
95-
// OPENSSL_CONF should _not_ be able to turn on FIPS mode
96+
97+
// OPENSSL_CONF should be able to turn on FIPS mode
9698
testHelper(
9799
'stdout',
98100
[],
101+
compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
102+
'require("crypto").fips',
103+
addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
104+
105+
// --openssl-config option should override OPENSSL_CONF
106+
testHelper(
107+
'stdout',
108+
[`--openssl-config=${CNF_FIPS_ON}`],
109+
compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
110+
'require("crypto").fips',
111+
addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
112+
113+
testHelper(
114+
'stdout',
115+
[`--openssl-config=${CNF_FIPS_OFF}`],
99116
FIPS_DISABLED,
100117
'require("crypto").fips',
101118
addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
@@ -107,6 +124,7 @@ testHelper(
107124
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
108125
'require("crypto").fips',
109126
process.env);
127+
110128
// OPENSSL_CONF should _not_ make a difference to --enable-fips
111129
testHelper(
112130
compiledWithFips() ? 'stdout' : 'stderr',
@@ -122,6 +140,7 @@ testHelper(
122140
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
123141
'require("crypto").fips',
124142
process.env);
143+
125144
// Using OPENSSL_CONF should not make a difference to --force-fips
126145
testHelper(
127146
compiledWithFips() ? 'stdout' : 'stderr',

0 commit comments

Comments
 (0)