From b019ccd59d8f541005db8b219fe00c708174afe6 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Wed, 16 Oct 2019 15:37:40 -0700 Subject: [PATCH] src: initialize openssl only once For compatibility with OpenSSL 1.1.0 and 1.0.1 a series of initialization wrappers were being called, many deprecated, and many calling each other internally already. Compatibility is unnecessary in 12.x and later, which support only OpenSSL 1.1.1, and the multiple calls cause the configuration file to be loaded multiple times. Fixes: https://github.com/nodejs/node/issues/29702 See: - https://mta.openssl.org/pipermail/openssl-users/2019-October/011303.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html PR-URL: https://github.com/nodejs/node/pull/29999 Reviewed-By: James M Snell Reviewed-By: Shelley Vohr
---
 src/node.cc | 7 -------
 src/node_crypto.cc | 27 ++++++++-------------------
 2 files changed, 8 insertions(+), 26 deletions(-)
diff --git a/src/node.cc b/src/node.cc
index 17963d0b11b297..5dbb837425d1f4 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -833,13 +833,6 @@ int InitializeNodeWithArgs(std::vector* argv,
 &default_env_options->redirect_warnings);
 }
-#if HAVE_OPENSSL
- std::string* openssl_config = &per_process::cli_options->openssl_config;
- if (openssl_config->empty()) {
- credentials::SafeGetenv("OPENSSL_CONF", openssl_config);
- }
-#endif
-
 #if !defined(NODE_WITHOUT_NODE_OPTIONS)
 std::string node_options;
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 3405fbb5b45aa4..d2563c0fb5326b 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -6964,30 +6964,19 @@ void TimingSafeEqual(const FunctionCallbackInfo& args) {
 }
 void InitCryptoOnce() {
- SSL_load_error_strings();
- OPENSSL_no_config();
+#ifndef OPENSSL_IS_BORINGSSL
+ OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
 // --openssl-config=...
 if (!per_process::cli_options->openssl_config.empty()) {
- OPENSSL_load_builtin_modules();
-#ifndef OPENSSL_NO_ENGINE
- ENGINE_load_builtin_engines();
-#endif
- ERR_clear_error();
- CONF_modules_load_file(per_process::cli_options->openssl_config.c_str(),
- nullptr,
- CONF_MFLAGS_DEFAULT_SECTION);
- int err = ERR_get_error();
- if (0 != err) {
- fprintf(stderr,
- "openssl config failed: %s\n",
- ERR_error_string(err, nullptr));
- CHECK_NE(err, 0);
- }
+ const char* conf = per_process::cli_options->openssl_config.c_str();
+ OPENSSL_INIT_set_config_filename(settings, conf);
 }
- SSL_library_init();
- OpenSSL_add_all_algorithms();
+ OPENSSL_init_ssl(0, settings);
+ OPENSSL_INIT_free(settings);
+ settings = nullptr;
+#endif
 #ifdef NODE_FIPS_MODE
 /* Override FIPS settings in cnf file, if needed. */
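Review bot: The results of `OPENSSL_INIT_new()`, `OPENSSL_INIT_set_config_filename()` and `OPENSSL_init_ssl()` are all discarded in the new `InitCryptoOnce()` body, so a failed initialization or an unusable `--openssl-config` file no longer produces anything like the "openssl config failed" message the removed lines printed. I would guard the allocation with `CHECK_NE(settings, nullptr);` and report a failed init, e.g. `if (OPENSSL_init_ssl(0, settings) != 1) fprintf(stderr, "openssl init failed: %s\n", ERR_error_string(ERR_get_error(), nullptr));`; whether a bad config file surfaces through that return value depends on the config flags in effect, which this hunk does not set. Separately, with `OPENSSL_no_config()` gone and the flags argument `0`, OpenSSL 1.1.1's libssl init loads a configuration file by default, so when no `--openssl-config` is given the library's own default path or `OPENSSL_CONF` (now read by OpenSSL rather than through the `credentials::SafeGetenv` call removed from src/node.cc) is presumably consulted. A comment stating that this is intended, or passing `OPENSSL_INIT_NO_LOAD_CONFIG` on that path if it is not, would make explicit which files are trusted to configure the crypto library. The function body continues past the end of the hunk, so the FIPS handling that follows is not reviewed here.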