Skip to content

src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3#38732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
danbev wants to merge 3 commits into from
Closed

src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3 #38732

danbev wants to merge 3 commits into from

Conversation

@danbev
Copy link
Contributor

@danbevdanbev commented May 19, 2021

This commit adds a call to OPENSSL_init_crypto to initialize
OPENSSL_INIT_LOAD_CONFIG to avoid the default behavior where errors
raised during the parsing of the OpenSSL configuration file are not
propagated and cannot be detected.

The motivation for this is that if FIPS is configured the OpenSSL
configuration file will have an .include pointing to the fipsmodule.cnf
file generated by the openssl fipsinstall command. If the path to this
file is incorrect no error will be reported. For Node.js this will mean
that EntropySource will be called by V8 as part of its initalization
process, and EntropySource will in turn call CheckEntropy. CheckEntropy
will call RAND_status which will now always return 0 leading to an
endless loop and the node process will appear to hang/freeze.

I'll continue investigating the cause of this and see if this is
expected behavior or not, but in the mean time it would be good to be
able to workaround this issue with this commit.

@github-actionsgithub-actionsbot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels May 19, 2021
@waelsy123
Copy link
Contributor

waelsy123 commented May 19, 2021

@danbev is there any opened issue to link this pull request?

@danbev
Copy link
ContributorAuthor

danbev commented May 19, 2021
edited
Loading

@danbev is there any opened issue to link this pull request?

The is no issue for this at the moment, but I can create one if needed. This issue discovered in #38633 (review) which I should have added as a Refs in the commit message. I'll to that.

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented May 19, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38192/

richardlau
richardlau reviewed May 19, 2021
View reviewed changes
@danbev
src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3
86fa07c
This commit adds a call to OPENSSL_init_crypto to initialize OPENSSL_INIT_LOAD_CONFIG to avoid the default behavior where errors raised during the parsing of the OpenSSL configuration file are not propagated and cannot be detected. The motivation for this is that if FIPS is configured the OpenSSL configuration file will have an .include pointing to the fipsmodule.cnf file generated by the openssl fipsinstall command. If the path to this file is incorrect no error will be reported. For Node.js this will mean that EntropySource will be called by V8 as part of its initalization process, and EntropySource will in turn call CheckEntropy. CheckEntropy will call RAND_status which will now always return 0 leading to an endless loop and the node process will appear to hang/freeze. I'll continue investigating the cause of this and see if this is expected behavior or not, but in the mean time it would be good to be able to workaround this issue with this commit. Refs: nodejs#38633 (review)
@danbevdanbevforce-pushed the openssl-config-include-error branch from ddd7847 to 86fa07cCompareMay 19, 2021 13:46
richardlau
richardlau reviewed May 19, 2021
View reviewed changes
danbev added 2 commits May 20, 2021 05:50
@danbev
squash! src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3
7a8579f
Remove setting of config_filename when OPENSSL_CONF environment variable is specified (only set it for --openssl-config Node.js option.
@danbev
squash! src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3
ae15490
Only skip the settting of the config_filename for OpenSSL 3 and not the OPENSSL_init_ssl.
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented May 20, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38220/

@danbev
Copy link
ContributorAuthor

danbev commented May 24, 2021

Landed in e9e851f.

@danbevdanbev closed this May 24, 2021
danbev added a commit that referenced this pull request May 24, 2021
@danbev
src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3
e9e851f
This commit adds a call to OPENSSL_init_crypto to initialize OPENSSL_INIT_LOAD_CONFIG to avoid the default behavior where errors raised during the parsing of the OpenSSL configuration file are not propagated and cannot be detected. The motivation for this is that if FIPS is configured the OpenSSL configuration file will have an .include pointing to the fipsmodule.cnf file generated by the openssl fipsinstall command. If the path to this file is incorrect no error will be reported. For Node.js this will mean that EntropySource will be called by V8 as part of its initalization process, and EntropySource will in turn call CheckEntropy. CheckEntropy will call RAND_status which will now always return 0 leading to an endless loop and the node process will appear to hang/freeze. I'll continue investigating the cause of this and see if this is expected behavior or not, but in the mean time it would be good to be able to workaround this issue with this commit. PR-URL: #38732 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Minwoo Jung <[email protected]> Refs: #38633 (review)
@danbevdanbev deleted the openssl-config-include-error branch May 24, 2021 06:21
danielleadams pushed a commit that referenced this pull request May 31, 2021
@danbev@danielleadams
src: set CONF_MFLAGS_DEFAULT_SECTION for OpenSSL 3
3741595
This commit adds a call to OPENSSL_init_crypto to initialize OPENSSL_INIT_LOAD_CONFIG to avoid the default behavior where errors raised during the parsing of the OpenSSL configuration file are not propagated and cannot be detected. The motivation for this is that if FIPS is configured the OpenSSL configuration file will have an .include pointing to the fipsmodule.cnf file generated by the openssl fipsinstall command. If the path to this file is incorrect no error will be reported. For Node.js this will mean that EntropySource will be called by V8 as part of its initalization process, and EntropySource will in turn call CheckEntropy. CheckEntropy will call RAND_status which will now always return 0 leading to an endless loop and the node process will appear to hang/freeze. I'll continue investigating the cause of this and see if this is expected behavior or not, but in the mean time it would be good to be able to workaround this issue with this commit. PR-URL: #38732 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Minwoo Jung <[email protected]> Refs: #38633 (review)
@danielleadamsdanielleadams mentioned this pull request May 31, 2021
Merged
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JungMinuJungMinuJungMinu approved these changes

@richardlaurichardlaurichardlau approved these changes

+1 more reviewer

@waelsy123waelsy123waelsy123 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

c++Issues and PRs that require attention from people who are familiar with C++.needs-ciPRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@danbev@waelsy123@nodejs-github-bot@JungMinu@richardlau