
node: --openssl-config cli argument

Do not load the default `openssl.cnf` file automatically; instead, at node
startup, load only the configuration file provided via `--openssl-config`.

PR-URL: https://github.com/nodejs/node-private/pull/78
Reviewed-By: Rod Vagg <rod@vagg.org>
v6.x
Fedor Indutny 8 years ago
committed by Rod Vagg
parent
commit
1ea0358a91
  1. 11
      src/node.cc
  2. 7
      src/node.h
  3. 18
      src/node_crypto.cc

11
src/node.cc

@ -169,11 +169,14 @@ static const char* icu_data_dir = nullptr;
// used by C++ modules as well // used by C++ modules as well
bool no_deprecation = false; bool no_deprecation = false;
#if HAVE_OPENSSL && NODE_FIPS_MODE #if HAVE_OPENSSL
# if NODE_FIPS_MODE
// used by crypto module // used by crypto module
bool enable_fips_crypto = false; bool enable_fips_crypto = false;
bool force_fips_crypto = false; bool force_fips_crypto = false;
#endif # endif // NODE_FIPS_MODE
const char* openssl_config = nullptr;
#endif // HAVE_OPENSSL
// true if process warnings should be suppressed // true if process warnings should be suppressed
bool no_process_warnings = false; bool no_process_warnings = false;
@ -3637,6 +3640,8 @@ static void PrintHelp() {
" --enable-fips enable FIPS crypto at startup\n" " --enable-fips enable FIPS crypto at startup\n"
" --force-fips force FIPS crypto (cannot be disabled)\n" " --force-fips force FIPS crypto (cannot be disabled)\n"
#endif /* NODE_FIPS_MODE */ #endif /* NODE_FIPS_MODE */
" --openssl-config=path load OpenSSL configuration file from the\n"
" specified path\n"
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
#if defined(NODE_HAVE_I18N_SUPPORT) #if defined(NODE_HAVE_I18N_SUPPORT)
" --icu-data-dir=dir set ICU data load path to dir\n" " --icu-data-dir=dir set ICU data load path to dir\n"
@ -3797,6 +3802,8 @@ static void ParseArgs(int* argc,
} else if (strcmp(arg, "--force-fips") == 0) { } else if (strcmp(arg, "--force-fips") == 0) {
force_fips_crypto = true; force_fips_crypto = true;
#endif /* NODE_FIPS_MODE */ #endif /* NODE_FIPS_MODE */
} else if (strncmp(arg, "--openssl-config=", 17) == 0) {
openssl_config = arg + 17;
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
#if defined(NODE_HAVE_I18N_SUPPORT) #if defined(NODE_HAVE_I18N_SUPPORT)
} else if (strncmp(arg, "--icu-data-dir=", 15) == 0) { } else if (strncmp(arg, "--icu-data-dir=", 15) == 0) {
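Review bot: The help text added in the PrintHelp hunk does not say that the default OpenSSL configuration is no longer loaded at all once this build is used, although that is the security-relevant half of the change (the node_crypto.cc part of this commit replaces OPENSSL_config(NULL) with OPENSSL_no_config(), which as far as I recall also stops the OPENSSL_CONF environment variable from being honoured). An operator reading --help should see that, e.g. `" --openssl-config=path load OpenSSL configuration file from the\n" " specified path (the default openssl.cnf is\n" " no longer loaded automatically)\n"`. Separately, in the ParseArgs hunk `--openssl-config=` with an empty value leaves openssl_config pointing at an empty string, which InitCryptoOnce then treats as a real path; rejecting the empty value here, the way the other `=` options presumably report bad values elsewhere in ParseArgs, would give a clearer failure. PrintHelp and ParseArgs both start and end outside the hunks shown.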

7
src/node.h

@ -179,10 +179,13 @@ typedef intptr_t ssize_t;
namespace node { namespace node {
NODE_EXTERN extern bool no_deprecation; NODE_EXTERN extern bool no_deprecation;
#if HAVE_OPENSSL && NODE_FIPS_MODE #if HAVE_OPENSSL
# if NODE_FIPS_MODE
NODE_EXTERN extern bool enable_fips_crypto; NODE_EXTERN extern bool enable_fips_crypto;
NODE_EXTERN extern bool force_fips_crypto; NODE_EXTERN extern bool force_fips_crypto;
#endif # endif // NODE_FIPS_MODE
NODE_EXTERN extern const char* openssl_config;
#endif // HAVE_OPENSSL
NODE_EXTERN int Start(int argc, char *argv[]); NODE_EXTERN int Start(int argc, char *argv[]);
NODE_EXTERN void Init(int* argc, NODE_EXTERN void Init(int* argc,
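Review bot: `NODE_EXTERN extern const char* openssl_config;` becomes part of the public embedder API with no statement of its contract: in this commit it is read lazily in InitCryptoOnce (src/node_crypto.cc) and ParseArgs points it straight into argv, so whoever sets it must keep the string alive until crypto initialization, and nullptr means no config file is loaded. A comment above the declaration would prevent embedders passing a temporary: `// Path of an OpenSSL config file to load at crypto init (nullptr: none). The string is not copied; the setter keeps it alive.`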

18
src/node_crypto.cc

@ -5789,7 +5789,23 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
} }
void InitCryptoOnce() { void InitCryptoOnce() {
OPENSSL_config(NULL); OPENSSL_no_config();
// --openssl-config=...
if (openssl_config != nullptr) {
CONF_modules_load_file(
openssl_config,
nullptr,
CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE);
int err = ERR_get_error();
if (0 != err) {
fprintf(stderr,
"openssl config failed: %s\n",
ERR_error_string(err, NULL));
CHECK_NE(err, 0);
}
}
SSL_library_init(); SSL_library_init();
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
SSL_load_error_strings(); SSL_load_error_strings();
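Review bot: The return value of CONF_modules_load_file is discarded, so a config that fails to load without queuing an OpenSSL error is silently ignored, and `int err = ERR_get_error();` truncates an unsigned long (the CHECK_NE then only fires on a non-zero truncated value); for an option whose purpose is to control what OpenSSL loads, this path should fail closed on any failure. Also worth deciding explicitly whether CONF_MFLAGS_IGNORE_MISSING_FILE is wanted here: with it a mistyped or unreadable path given on the command line silently loads nothing, which is probably not what an operator who set the flag expects. Since OpenSSL's error queue is process-global, clearing it before the call (or noting why that is unnecessary this early) would avoid aborting on a stale error. InitCryptoOnce continues past the end of this hunk.
```c
void InitCryptoOnce() {
  OPENSSL_no_config();
  // --openssl-config=...
  if (openssl_config != nullptr) {
    int rc = CONF_modules_load_file(
        openssl_config,
        nullptr,
        CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE);
    unsigned long err = ERR_get_error();
    // Fail closed: either a non-positive return or a queued error is fatal.
    if (rc <= 0 || err != 0) {
      fprintf(stderr,
              "openssl config failed: %s\n",
              err != 0 ? ERR_error_string(err, NULL) : "no error queued");
      abort();
    }
  }
  // … unchanged: SSL_library_init() and the rest of the initialization …
```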
