From 70c46d19af90d75c562dd611841ef894a58687d4 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Wed, 16 Oct 2019 15:37:40 -0700 Subject: [PATCH] src: initialize openssl only once For compatibility with OpenSSL 1.1.0 and 1.0.1 a series of initialization wrappers were being called, many deprecated, and many calling each other internally already. Compatibility is unnecessary in 12.x and later, which support only OpenSSL 1.1.1, and the multiple calls cause the configuration file to be loaded multiple times. Fixes: https://github.com/nodejs/node/issues/29702 See: - https://mta.openssl.org/pipermail/openssl-users/2019-October/011303.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html PR-URL: https://github.com/nodejs/node/pull/29999 Reviewed-By: James M Snell Reviewed-By: Shelley Vohr --- src/node.cc | 7 ------- src/node_crypto.cc | 27 ++++++++------------------- 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/src/node.cc b/src/node.cc index 572490730da585..bff2285ed0b508 100644 --- a/src/node.cc +++ b/src/node.cc @@ -785,13 +785,6 @@ int InitializeNodeWithArgs(std::vector* argv, &default_env_options->redirect_warnings); } -#if HAVE_OPENSSL - std::string* openssl_config = &per_process::cli_options->openssl_config; - if (openssl_config->empty()) { - credentials::SafeGetenv("OPENSSL_CONF", openssl_config); - } -#endif - #if !defined(NODE_WITHOUT_NODE_OPTIONS) std::string node_options; diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 2d539094a0589e..4857229e0440fe 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -6961,30 +6961,19 @@ void TimingSafeEqual(const FunctionCallbackInfo& args) { } void InitCryptoOnce() { - SSL_load_error_strings(); - OPENSSL_no_config(); +#ifndef OPENSSL_IS_BORINGSSL + OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new(); // --openssl-config=... if (!per_process::cli_options->openssl_config.empty()) { - OPENSSL_load_builtin_modules(); -#ifndef OPENSSL_NO_ENGINE - ENGINE_load_builtin_engines(); -#endif - ERR_clear_error(); - CONF_modules_load_file(per_process::cli_options->openssl_config.c_str(), - nullptr, - CONF_MFLAGS_DEFAULT_SECTION); - int err = ERR_get_error(); - if (0 != err) { - fprintf(stderr, - "openssl config failed: %s\n", - ERR_error_string(err, nullptr)); - CHECK_NE(err, 0); - } + const char* conf = per_process::cli_options->openssl_config.c_str(); + OPENSSL_INIT_set_config_filename(settings, conf); } - SSL_library_init(); - OpenSSL_add_all_algorithms(); + OPENSSL_init_ssl(0, settings); + OPENSSL_INIT_free(settings); + settings = nullptr; +#endif #ifdef NODE_FIPS_MODE /* Override FIPS settings in cnf file, if needed. */