From c32be9a7aa2389f15d990ae70ebcc94f4c0be62b Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Thu, 29 Sep 2016 10:53:30 +0200
Subject: [PATCH] node: --openssl-config cli argument

Do not load `openssl.cnf` file automatically, load the one provided by `--openssl-config` at node startup.

PR-URL: https://github.com/nodejs/node-private/pull/78
Reviewed-By: Rod Vagg
---
 src/node.cc | 11 +++++++++--
 src/node.h | 7 +++++--
 src/node_crypto.cc | 18 +++++++++++++++++-
 3 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/src/node.cc b/src/node.cc
index 0526becdd2..be9cd6442c 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -168,11 +168,14 @@ static const char* icu_data_dir = nullptr;
 // used by C++ modules as well
 bool no_deprecation = false;
 
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+# if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
 bool force_fips_crypto = false;
-#endif
+# endif // NODE_FIPS_MODE
+const char* openssl_config = nullptr;
+#endif // HAVE_OPENSSL
 
 // true if process warnings should be suppressed
 bool no_process_warnings = false;
@@ -3558,6 +3561,8 @@ static void PrintHelp() {
 " --enable-fips enable FIPS crypto at startup\n"
 " --force-fips force FIPS crypto (cannot be disabled)\n"
 #endif /* NODE_FIPS_MODE */
+ " --openssl-config=path load OpenSSL configuration file from the\n"
+ " specified path\n"
 #endif /* HAVE_OPENSSL */
 #if defined(NODE_HAVE_I18N_SUPPORT)
 " --icu-data-dir=dir set ICU data load path to dir\n"
@@ -3718,6 +3723,8 @@ static void ParseArgs(int* argc,
 } else if (strcmp(arg, "--force-fips") == 0) {
 force_fips_crypto = true;
 #endif /* NODE_FIPS_MODE */
+ } else if (strncmp(arg, "--openssl-config=", 17) == 0) {
+ openssl_config = arg + 17;
 #endif /* HAVE_OPENSSL */
 #if defined(NODE_HAVE_I18N_SUPPORT)
 } else if (strncmp(arg, "--icu-data-dir=", 15) == 0) {
diff --git a/src/node.h b/src/node.h
index 873551fa33..3f6b963935 100644
--- a/src/node.h
+++ b/src/node.h
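Review bot: The new global `const char* openssl_config = nullptr;` in the first node.cc hunk is the only declaration in that block without a comment, while its neighbours carry `// used by crypto module`; a line such as `// path given via --openssl-config, or nullptr; read once by InitCryptoOnce() in node_crypto.cc` would tell a reader where the value is consumed. The same comment is missing on the matching `NODE_EXTERN extern const char* openssl_config;` declaration in the src/node.h hunk. The pointer appears to alias the argv string rather than copy it (see `openssl_config = arg + 17;` in the ParseArgs hunk), which is worth stating explicitly since it is what justifies leaving it a plain `const char*`.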
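Review bot: `openssl_config = arg + 17;` in the ParseArgs hunk accepts `--openssl-config=` with nothing after the `=`, leaving an empty path that is later handed to CONF_modules_load_file(); rejecting an empty value here, the way ParseArgs presumably reports its other bad options (its body lies outside the hunk), would give a clear message instead of an obscure OpenSSL error or, with the CONF_MFLAGS_IGNORE_MISSING_FILE flag used in node_crypto.cc, no error at all. The literal 17 follows the file's existing `--icu-data-dir=` / 15 pattern, but `sizeof("--openssl-config=") - 1` would keep the offset tied to the option text if it is ever renamed.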
@@ -179,10 +179,13 @@ typedef intptr_t ssize_t;
 namespace node {
 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
-#endif
+# endif // NODE_FIPS_MODE
+NODE_EXTERN extern const char* openssl_config;
+#endif // HAVE_OPENSSL
 NODE_EXTERN int Start(int argc, char *argv[]);
 NODE_EXTERN void Init(int* argc,
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index b545d186c3..722e7cea39 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -5767,7 +5767,23 @@ void TimingSafeEqual(const FunctionCallbackInfo& args) {
 }
 
 void InitCryptoOnce() {
- OPENSSL_config(NULL);
+ OPENSSL_no_config();
+
+ // --openssl-config=...
+ if (openssl_config != nullptr) {
+ CONF_modules_load_file(
+ openssl_config,
+ nullptr,
+ CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE);
+ int err = ERR_get_error();
+ if (0 != err) {
+ fprintf(stderr,
+ "openssl config failed: %s\n",
+ ERR_error_string(err, NULL));
+ CHECK_NE(err, 0);
+ }
+ }
+
 SSL_library_init();
 OpenSSL_add_all_algorithms();
 SSL_load_error_strings();
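Review bot: The error check after `CONF_modules_load_file` in InitCryptoOnce() reads whatever happens to sit at the head of OpenSSL's error queue, so a stale entry from an earlier call would be reported as a config failure while a failure that leaves no queue entry goes unnoticed; call `ERR_clear_error();` immediately before the load and also test the call's own return value (it returns 1 on success). Passing `CONF_MFLAGS_IGNORE_MISSING_FILE` means a mistyped `--openssl-config` path silently results in no configuration being loaded even though the operator explicitly asked for one, so the flags argument should be `CONF_MFLAGS_DEFAULT_SECTION);` alone and a missing file treated as fatal like any other load error. The `CHECK_NE(err, 0)` inside `if (0 != err)` can never pass, so the block is really an abort with a message; a comment such as `// A broken --openssl-config is fatal: abort after printing the reason.` would make that intent clear, and including the requested path in the fprintf would help whoever reads the log. InitCryptoOnce() continues past the end of the hunk.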