Investigate loading legacy provider with OpenSSL 3.0
danbev opened this issue · 8 comments
I thought it would be possible to enable it by updating openssl.cnf like this:

```ini
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

But that does not work:

```
$ env OPENSSL_CONF=out/Release/obj.target/deps/openssl/openssl.cnf ./node -p 'crypto.createHash("md4")'
node:internal/crypto/hash:67
    this[kHandle] = new _Hash(algorithm, xofLen);
                    ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at [eval]:1:8
    at Script.runInThisContext (node:vm:129:12)
    at Object.runInThisContext (node:vm:305:38)
    at node:internal/process/execution:81:19
    at [eval]-wrapper:6:22
    at evalScript (node:internal/process/execution:80:60)
    at node:internal/main/eval_string:27:3 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
```
This issue should take a closer look at how the legacy provider can be enabled.
Refs: #40119 (comment)
@danbev It looks like we don't build at least legacyprov.c (maybe some others?). This doesn't appear to work but might be a start:
diff --git a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
index 46cc9b2b4a..13b6d6eb96 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
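Review bot: adding `openssl/providers/legacyprov.c` to this source list compiles the provider but does not make it loadable, which matches the "doesn't appear to work" remark: a statically linked provider also needs the `STATIC_LEGACY` define and an explicit `OSSL_PROVIDER_load(nullptr, "legacy")` call, both of which the later patch in this thread adds. Since the reply below notes that these `openssl.gypi` files are generated from configdata.pm, the source-list change belongs in the generator rather than in the generated file.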
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
index cb90c57338..4f5a640dd8 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
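Review bot: only the `asm` and `asm_avx2` variants of linux-x86_64 are patched here; the `no-asm/openssl.gypi` source list is not touched, so a no-asm build would still be missing `legacyprov.c`. Other architecture directories would need the identical edit, which is another reason to make the change once in the generator.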
@richardlau Thanks, I'll take a look. These gypi files are generated and perhaps we are missing, or reading the wrong source list from configdata.pm.
FWIW, this hack appears to allow the legacy provider to be statically compiled and loaded:
diff --git a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
index 46cc9b2b4a..13b6d6eb96 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
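Review bot: this hunk is identical to the one proposed earlier in the thread, and it is the third hand-edited copy of a generated file; please have generate_gypi.pl (mentioned later) emit `legacyprov.c` instead, and check whether configdata.pm already lists it under a target the generator is not reading, as the earlier comment suspects.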
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
index cb90c57338..4f5a640dd8 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/openssl.gypi
@@ -775,6 +775,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
diff --git a/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi b/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
index 647092c410..279a4d27c3 100644
--- a/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
+++ b/deps/openssl/config/archs/linux-x86_64/no-asm/openssl.gypi
@@ -782,6 +782,7 @@
'openssl/engines/e_padlock.c',
'openssl/providers/baseprov.c',
'openssl/providers/defltprov.c',
+ 'openssl/providers/legacyprov.c',
'openssl/providers/nullprov.c',
'openssl/providers/prov_running.c',
'openssl/providers/common/der/der_rsa_sig.c',
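Review bot: good that the no-asm variant is covered here, but all three edited source lists are under linux-x86_64; every other arch directory still builds without `legacyprov.c`, and with the crypto_util.cc change below a Node built from those would print "Unable to load legacy provider." on every start. Regenerating all arch files (which the thread notes takes a while) is required before this is complete.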
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index 4d4e6f2801..d178ffaa61 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -29,6 +29,7 @@
# is able to create a malicious DLL in one of the default search paths.
'OPENSSL_NO_HW',
'OPENSSL_API_COMPAT=0x10100001L',
+ 'STATIC_LEGACY',
#'OPENSSL_NO_DEPRECATED',
],
'conditions': [
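Review bot: `STATIC_LEGACY` is added to the unconditional defines next to `OPENSSL_API_COMPAT` with no comment; since it only matters when libcrypto is built from `deps/openssl`, consider whether it belongs in the `'conditions'` section that begins right after, and add a line explaining that it makes OpenSSL's built-in provider table include the legacy provider so that `OSSL_PROVIDER_load(NULL, "legacy")` resolves without a separate `legacy` module.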
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 7e0c8ba3eb..c1fe6fb6ac 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -170,6 +170,16 @@ void InitCryptoOnce() {
ENGINE_load_builtin_engines();
#endif // !OPENSSL_NO_ENGINE
+#if OPENSSL_VERSION_MAJOR >= 3
+ // Put behind a flag?
+ {
+ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
+ if (legacy_provider == nullptr) {
+ fprintf(stderr, "Unable to load legacy provider.\n");
+ }
+ }
+#endif
+
NodeBIO::GetMethod();
}
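Review bot: the load is unconditional and its failure path only writes "Unable to load legacy provider." to stderr, leaving the failure on OpenSSL's error queue; when Node links against a shared OpenSSL whose `legacy` module is absent (the concern raised in the next comment), every process start would print that line and a stale queued error could surface in an unrelated later call. Suggest gating the block behind the CLI flag the `// Put behind a flag?` comment anticipates, calling `ERR_clear_error()` on failure, and either keeping the returned `OSSL_PROVIDER*` or commenting that it is intentionally never unloaded. Also confirm `<openssl/provider.h>` is included in this file for `OSSL_PROVIDER_load`.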
```
$ ./node -p 'crypto.createHash("md4")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
$
```
I'm not entirely sure how to get legacyprov.c into gyp via the generating scripts. We'd probably want to put some CLI flag around the loading of the provider (we probably can't assume it's available if linking to a shared openssl), or maybe enablement could be via modifying the openssl config file.
This sounds good to me and if we can do that and not have to mess around with openssl.cnf that is great.
> I'm not entirely sure how to get legacyprov.c into gyp via the generating scripts.
Yeah, I was not sure about this either. We need to add this to generate_gypi.pl. The easiest way to try this out is to update that file and then run `make linux-x86-64` (or use the arch you are on). After that you can inspect the generated archs/linux-x86_64/asm/openssl.gypi. If that looks good one can try to build node with this and see that it works before generating all the arch files, which takes a while.
I've opened a pull request based on your suggestion: #40478. I've added you as Co-author which I hope is alright.
```sh
cat 'openssl-legacy-provider=true' >> .npmrc
```

Ran into this when using `npm install`. Hope this helps someone.
> cat 'openssl-legacy-provider=true' >> .npmrc

@RobertLowe It should be the `echo` command. I have added this file to my project, deleted the `node_modules` folder and run `yarn install`, but it still doesn't work.
> > cat 'openssl-legacy-provider=true' >> .npmrc
>
> @RobertLowe It should be the `echo` command. I have added this file to my project, deleted the `node_modules` folder and run `yarn install`, but it still doesn't work.
In my case I had some webpack commands which failed with

```
Error: error:0308010C:digital envelope routines::unsupported
```

and would need a NODE_OPTION set for every command/task, which looks ugly:

```
SET NODE_OPTIONS=--openssl-legacy-provider && SOME_COMMAND...
```

So I was looking for a solution for how to set this "globally", at least per project.

The idea of the `.npmrc` seems to be a good one (and I did not find any other project-related way to set NODE options), but the above string did not work for me either. Also, `openssl-legacy-provider` is a node option, and not an npm option. 🤔

After reading the documentation, it seems that we can set node options this way:

So when I add the following to my `.npmrc` file, it actually works 🥳

```
node-options="--openssl-legacy-provider"
```

Maybe this helps someone else migrating from NODE 14/16 to NODE >16.
```
PS D:\Work Area------\admin> ng serve
10% building 4/4 modules 0 active
(node:20664) [DEP0111] DeprecationWarning: Access to process.binding('http_parser') is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)
i 「wds」: Project is running at http://localhost:4200/webpack-dev-server/
i 「wds」: webpack output is served from /
i 「wds」: 404s will fallback to //index.html
10% building 4/5 modules 1 active ...es\webpack-dev-server\client\index.js?http://0.0.0.0:0/sockjs-node&sockPath=/sockjs-node
node:internal/crypto/hash:69
    this[kHandle] = new _Hash(algorithm, xofLen);
                    ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at Object.createHash (node:crypto:133:10)
    at module.exports (D:\Work Area\nocmitra\admin\node_modules\webpack\lib\util\createHash.js:135:53)
    at NormalModule._initBuildHash (D:\Work Area\nocmitra\admin\node_modules\webpack\lib\NormalModule.js:412:16)
    at D:\Work Area\nocmitra\admin\node_modules\webpack\lib\NormalModule.js:444:10
    at D:\Work Area\nocmitra\admin\node_modules\webpack\lib\NormalModule.js:320:13
    at D:\Work Area\nocmitra\admin\node_modules\loader-runner\lib\LoaderRunner.js:367:11
    at D:\Work Area\nocmitra\admin\node_modules\loader-runner\lib\LoaderRunner.js:203:19
    at VirtualFileSystemDecorator.readFile (D:\Work Area\nocmitra\admin\node_modules\@ngtools\webpack\src\virtual_file_system_decorator.js:46:13)
    at processResource (D:\Work Area\nocmitra\admin\node_modules\loader-runner\lib\LoaderRunner.js:202:11)
    at iteratePitchingLoaders (D:\Work Area\nocmitra\admin\node_modules\loader-runner\lib\LoaderRunner.js:158:10)
    at runLoaders (D:\Work Area\nocmitra\admin\node_modules\loader-runner\lib\LoaderRunner.js:365:2)
    at NormalModule.doBuild (D:\Work Area\nocmitra\admin\node_modules\webpack\lib\NormalModule.js:292:3)
    at NormalModule.build (D:\Work Area\nocmitra\admin\node_modules\webpack\lib\NormalModule.js:438:15)
    at Compilation.buildModule (D:\Work Area\nocmitra\admin\node_modules\webpack\lib\Compilation.js:702:10)
    at D:\Work Area\nocmitra\admin\node_modules\webpack\lib\Compilation.js:944:14 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Node.js v18.19.1
```
I'm facing this issue in Angular, even though it's Node v20.