Skip to content
Permalink
Browse files

src: initialize openssl only once

For compatibility with OpenSSL 1.1.0 and 1.0.1 a series of
initialization wrappers were being called, many deprecated, and many
calling each other internally already. Compatibility is unnecessary in
12.x and later, which support only OpenSSL 1.1.1, and the multiple calls
cause the configuration file to be loaded multiple times.

Fixes: #29702

See:
- https://mta.openssl.org/pipermail/openssl-users/2019-October/011303.html
- https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html
- https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

PR-URL: #29999
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
  • Loading branch information
sam-github authored and targos committed Oct 16, 2019
1 parent 9fed62f commit aa0aacbba9a904d39cbbee1340dd5db61520e32b
Showing with 8 additions and 26 deletions.
  1. +0 −7 src/node.cc
  2. +8 −19 src/node_crypto.cc
@@ -785,13 +785,6 @@ int InitializeNodeWithArgs(std::vector<std::string>* argv,
&default_env_options->redirect_warnings);
}

#if HAVE_OPENSSL
std::string* openssl_config = &per_process::cli_options->openssl_config;
if (openssl_config->empty()) {
credentials::SafeGetenv("OPENSSL_CONF", openssl_config);
}
#endif

#if !defined(NODE_WITHOUT_NODE_OPTIONS)
std::string node_options;

@@ -6961,30 +6961,19 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
}

void InitCryptoOnce() {
SSL_load_error_strings();
OPENSSL_no_config();
#ifndef OPENSSL_IS_BORINGSSL
OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();

// --openssl-config=...
if (!per_process::cli_options->openssl_config.empty()) {
OPENSSL_load_builtin_modules();
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
ERR_clear_error();
CONF_modules_load_file(per_process::cli_options->openssl_config.c_str(),
nullptr,
CONF_MFLAGS_DEFAULT_SECTION);
int err = ERR_get_error();
if (0 != err) {
fprintf(stderr,
"openssl config failed: %s\n",
ERR_error_string(err, nullptr));
CHECK_NE(err, 0);
}
const char* conf = per_process::cli_options->openssl_config.c_str();
OPENSSL_INIT_set_config_filename(settings, conf);
}

SSL_library_init();
OpenSSL_add_all_algorithms();
OPENSSL_init_ssl(0, settings);
OPENSSL_INIT_free(settings);
settings = nullptr;
#endif

#ifdef NODE_FIPS_MODE
/* Override FIPS settings in cnf file, if needed. */

0 comments on commit aa0aacb

Please sign in to comment.
You can’t perform that action at this time.