Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support dynamically linking with OpenSSL 3.0 #37669

Closed
wants to merge 40 commits into from

Conversation

danbev
Copy link
Contributor

@danbev danbev commented Mar 9, 2021

This PR enables node to dynamically link against OpenSSL 3.0.

The motivation for opening this PR even though OpenSSL 3.0 has not been released yet is to
allow a nightly CI job to be created. This will allow us stay on top of changes required for
OpenSSL 3.0, and also to make sure that changes to node crypto do not cause issues when
linking to OpenSSL 3.0.

While most changes have been in tests, there have been updates to src/crypto as well.

Refs: #29817


Steps to build and link

During development we have been building OpenSSL upstream and linking against that and used the following commands.

Configure and build OpenSSL

We specify an prefix where this build will be installed into. This path will later be used when configuring Node's build:

$ ./config -Werror --strict-warnings --debug --prefix=/path/openssl_build_master linux-x86_64
$ make -j8 install_sw 

Configure and build Node.js

The following will configure Node to link against OpenSSl 3.0 that was configured
and built in the previous step.

$ ./configure --shared-openssl --shared-openssl-libpath=/path/openssl_build_master/lib --shared-openssl-includes=/path/openssl_build_master/include --shared-openssl-libname=crypto,ssl
$ make -j8 test   

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 9, 2021
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

src/crypto/crypto_keys.h Show resolved Hide resolved
src/crypto/crypto_sig.cc Outdated Show resolved Hide resolved
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@danbev danbev force-pushed the dynamically-link-openssl-3.0 branch from 28f2c9b to 518e678 Compare March 11, 2021 11:40
@nodejs-github-bot
Copy link
Collaborator

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@danbev danbev force-pushed the dynamically-link-openssl-3.0 branch from 518e678 to 7da5860 Compare March 15, 2021 07:55
@nodejs-github-bot
Copy link
Collaborator

danbev added 13 commits March 15, 2021 16:35
Currently there are three compilation errors generated for
crypto_hkdf.cc:
./src/crypto/crypto_hkdf.cc:
In static member function ‘static bool
node::crypto::HKDFTraits::DeriveBits(node::Environment*,
    const node::crypto::HKDFConfig&, node::crypto::ByteSource*)’:
../src/crypto/crypto_hkdf.cc:113:24: error:
invalid conversion from ‘const char*’ to ‘const unsigned char*’
[-fpermissive]
  113 |         params.salt.get(),
      |         ~~~~~~~~~~~~~~~^~
      |                        |
      |                        const char*
In file included from ../src/crypto/crypto_util.h:18,
                 from ../src/crypto/crypto_keys.h:6,
                 from ../src/crypto/crypto_hkdf.h:6,
                 from ../src/crypto/crypto_hkdf.cc:1:
/openssl_build_master/include/openssl/kdf.h:130:54: note:
initializing argument 2 of ‘int EVP_PKEY_CTX_set1_hkdf_salt(
EVP_PKEY_CTX*, const unsigned char*, int)’
  130 |    const unsigned char *salt, int saltlen);
      |    ~~~~~~~~~~~~~~~~~~~~~^~~~
This commit adds the OPENSSL_API_COMPAT macro and sets it to version
1.0.0 of OpenSSL when linking with a shared OpenSSL library.

The motivation for this is that when linking against OpenSSL 3.x there
are a lot of deprecation warnings and this allows them to be avoided.
When we later upgrade the code base to 3.x this value can then be
updated.
This commit adds a constant to identify if the version of OpenSSl is
3 or above.

The motivation for this is it allows for checking this value in tests
to make sure that they work with OpenSSL 3.x, and also with earlier
versions.
This commit fixes a number of test failures reported when using OpenSSL
3.0, for example:

Error: error:0500007E:Diffie-Hellman routines::modulus too small

Check have been added for OpenSSL 3 and use the larger sizes only for
OpenSSL 3.0 as these sizes seem to cause timeouts when using
OpenSSL 1.1.1.
danbev added 7 commits March 15, 2021 16:37
This commit adds a macro check for OpenSSL 3 and used
EVP_default_properties_is_fips_enabled instead of FIPS_mode which has
been removed in OpenSSL 3.
This commit aquires the Mutex in ManagedEVPPKey::operator= to avoid
multiple threads updating the underlying EVP_PKEY in OpenSSL 3.0.
There are additional changes to the code to avoid dead locks, making
sure to release the lock before aquiring a new lock.

Refs: nodejs@79d44baae2
This commit add const to EC_KEY, DSA, RSA pointer to avoid compilation
errors when linking against OpenSSL 3.0.

Refs: openssl/openssl@7bc0fdd
@danbev danbev force-pushed the dynamically-link-openssl-3.0 branch from 7da5860 to 6b8c504 Compare March 15, 2021 17:20
@nodejs-github-bot
Copy link
Collaborator

@danbev
Copy link
Contributor Author

danbev commented Mar 16, 2021

Re-run of failing node-test-linux-linked-debug ✔️

danbev added a commit that referenced this pull request Mar 16, 2021
This commit enables node to dynamically link against OpenSSL 3.0.

The motivation for opening this PR even though OpenSSL 3.0 has not been
released yet is to allow a nightly CI job to be created. This will
allow us stay on top of changes required for OpenSSL 3.0, and also to
make sure that changes to node crypto do not cause issues when linking
to OpenSSL 3.0.

PR-URL: #37669
Refs: #29817
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
@danbev
Copy link
Contributor Author

danbev commented Mar 16, 2021

Landed in 640fe94.

@danbev danbev closed this Mar 16, 2021
danielleadams pushed a commit that referenced this pull request Mar 16, 2021
This commit enables node to dynamically link against OpenSSL 3.0.

The motivation for opening this PR even though OpenSSL 3.0 has not been
released yet is to allow a nightly CI job to be created. This will
allow us stay on top of changes required for OpenSSL 3.0, and also to
make sure that changes to node crypto do not cause issues when linking
to OpenSSL 3.0.

PR-URL: #37669
Refs: #29817
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
danielleadams pushed a commit that referenced this pull request Mar 16, 2021
This commit enables node to dynamically link against OpenSSL 3.0.

The motivation for opening this PR even though OpenSSL 3.0 has not been
released yet is to allow a nightly CI job to be created. This will
allow us stay on top of changes required for OpenSSL 3.0, and also to
make sure that changes to node crypto do not cause issues when linking
to OpenSSL 3.0.

PR-URL: #37669
Refs: #29817
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
codebytere added a commit to electron/electron that referenced this pull request May 20, 2021
codebytere added a commit to electron/electron that referenced this pull request May 31, 2021
codebytere added a commit to electron/electron that referenced this pull request May 31, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 2, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 2, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 2, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 8, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 8, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 9, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 9, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 10, 2021
codebytere added a commit to electron/electron that referenced this pull request Jun 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants