node: --openssl-config cli argument
Do not load `openssl.cnf` file automatically, load the one provided by
`--openssl-config` at node startup.

PR-URL: nodejs-private/node-private#78
Reviewed-By: Rod Vagg <rod@vagg.org>
indutny authored and jasnell committed Oct 19, 2016
1 parent fab7217 commit c32be9a
Showing 3 changed files with 31 additions and 5 deletions.
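--- a/src/node.cc
+++ b/src/node.cc
@@ -168,11 +168,14 @@ static const char* icu_data_dir = nullptr;
 // used by C++ modules as well
 bool no_deprecation = false;
 
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+# if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
 bool force_fips_crypto = false;
-#endif
+# endif // NODE_FIPS_MODE
+const char* openssl_config = nullptr;
+#endif // HAVE_OPENSSL
 
 // true if process warnings should be suppressed
 bool no_process_warnings = false;
@@ -3558,6 +3561,8 @@ static void PrintHelp() {
 " --enable-fips enable FIPS crypto at startup\n"
 " --force-fips force FIPS crypto (cannot be disabled)\n"
 #endif /* NODE_FIPS_MODE */
+" --openssl-config=path load OpenSSL configuration file from the\n"
+" specified path\n"
 #endif /* HAVE_OPENSSL */
 #if defined(NODE_HAVE_I18N_SUPPORT)
 " --icu-data-dir=dir set ICU data load path to dir\n"
@@ -3718,6 +3723,8 @@ static void ParseArgs(int* argc,
 } else if (strcmp(arg, "--force-fips") == 0) {
 force_fips_crypto = true;
 #endif /* NODE_FIPS_MODE */
+} else if (strncmp(arg, "--openssl-config=", 17) == 0) {
+openssl_config = arg + 17;
 #endif /* HAVE_OPENSSL */
 #if defined(NODE_HAVE_I18N_SUPPORT)
 } else if (strncmp(arg, "--icu-data-dir=", 15) == 0) {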
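Review bot: The help text added in PrintHelp describes only what `--openssl-config=path` loads and says nothing about the behaviour change this commit makes, that OpenSSL's default configuration file is no longer loaded automatically, so a `--help` reader cannot learn that the option is now the only way to get a config applied; consider `" --openssl-config=path load OpenSSL configuration file from the\n" " specified path (the default OpenSSL config\n" " file is no longer loaded automatically)\n"`. In the ParseArgs hunk, `--openssl-config=` with an empty value sets `openssl_config` to an empty string that is later handed to OpenSSL as a path; an empty value is most likely a usage error and could be rejected where the other arguments are validated, though that may be intentional. Both PrintHelp and ParseArgs continue outside their hunks.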
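--- a/src/node.h
+++ b/src/node.h
@@ -179,10 +179,13 @@ typedef intptr_t ssize_t;
 namespace node {
 
 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
-#endif
+# endif // NODE_FIPS_MODE
+NODE_EXTERN extern const char* openssl_config;
+#endif // HAVE_OPENSSL
 
 NODE_EXTERN int Start(int argc, char *argv[]);
 NODE_EXTERN void Init(int* argc,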
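Review bot: The new exported declaration `NODE_EXTERN extern const char* openssl_config;` carries no comment on what it holds or who owns the string; in src/node.cc it is made to point into argv and it is read later by InitCryptoOnce in src/node_crypto.cc, so an embedder that assigns it directly must keep the pointed-to string alive at least until crypto initialization has run. A one-line comment above the declaration would capture that contract: `// Path of the OpenSSL config file to load (--openssl-config); not owned, must stay valid until crypto is initialized.`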
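--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -5767,7 +5767,23 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
 }
 
 void InitCryptoOnce() {
-OPENSSL_config(NULL);
+OPENSSL_no_config();
+
+// --openssl-config=...
+if (openssl_config != nullptr) {
+CONF_modules_load_file(
+openssl_config,
+nullptr,
+CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE);
+int err = ERR_get_error();
+if (0 != err) {
+fprintf(stderr,
+"openssl config failed: %s\n",
+ERR_error_string(err, NULL));
+CHECK_NE(err, 0);
+}
+}
+
 SSL_library_init();
 OpenSSL_add_all_algorithms();
 SSL_load_error_strings();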
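Review bot: With `CONF_MFLAGS_IGNORE_MISSING_FILE` passed to `CONF_modules_load_file`, a path the user gave explicitly via `--openssl-config` that does not exist is skipped silently, so a mistyped path leaves the process running with no OpenSSL configuration and no diagnostic; unless that is intended, the flag should be dropped for an explicitly requested file. Independently, the call's return value is discarded and failure is detected only by polling `ERR_get_error()`, which would also pick up any unrelated error already on the queue, and the `CHECK_NE(err, 0)` inside `if (0 != err)` is a tautology used as an abort. Checking the return directly reads more clearly: `int r = CONF_modules_load_file(openssl_config, nullptr, CONF_MFLAGS_DEFAULT_SECTION);` then `if (r != 1) { ... CHECK_EQ(r, 1); }` in place of the `err` test, keeping the existing `fprintf` for the message. InitCryptoOnce continues past the end of the hunk.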
