node: --openssl-config cli argument

Do not load `openssl.cnf` file automatically, load the one provided by `--openssl-config` at node startup. PR-URL: https://github.com/nodejs/node-private/pull/78 Reviewed-By: Rod Vagg <rod@vagg.org>
2026-01-15 12:15:26 +00:00 · 2016-09-29 10:53:30 +02:00
parent 69fc85dcb3
commit db411cf116
3 changed files with 31 additions and 5 deletions
--- a/src/node.cc
+++ b/src/node.cc
@@ -168,11 +168,14 @@ static const char* icu_data_dir = nullptr;
 // used by C++ modules as well
 bool no_deprecation = false;

-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+# if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
 bool force_fips_crypto = false;
-#endif
+# endif  // NODE_FIPS_MODE
+const char* openssl_config = nullptr;
+#endif  // HAVE_OPENSSL

 // true if process warnings should be suppressed
 bool no_process_warnings = false;
@@ -3558,6 +3561,8 @@ static void PrintHelp() {
         "  --enable-fips         enable FIPS crypto at startup\n"
         "  --force-fips          force FIPS crypto (cannot be disabled)\n"
 #endif  /* NODE_FIPS_MODE */
+         "  --openssl-config=path load OpenSSL configuration file from the\n"
+         "                        specified path\n"
 #endif /* HAVE_OPENSSL */
 #if defined(NODE_HAVE_I18N_SUPPORT)
         "  --icu-data-dir=dir    set ICU data load path to dir\n"
@@ -3718,6 +3723,8 @@ static void ParseArgs(int* argc,
    } else if (strcmp(arg, "--force-fips") == 0) {
      force_fips_crypto = true;
 #endif /* NODE_FIPS_MODE */
+    } else if (strncmp(arg, "--openssl-config=", 17) == 0) {
+      openssl_config = arg + 17;
 #endif /* HAVE_OPENSSL */
 #if defined(NODE_HAVE_I18N_SUPPORT)
    } else if (strncmp(arg, "--icu-data-dir=", 15) == 0) {
--- a/src/node.h
+++ b/src/node.h
@@ -179,10 +179,13 @@ typedef intptr_t ssize_t;
 namespace node {

 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
-#endif
+# endif  // NODE_FIPS_MODE
+NODE_EXTERN extern const char* openssl_config;
+#endif  // HAVE_OPENSSL

 NODE_EXTERN int Start(int argc, char *argv[]);
 NODE_EXTERN void Init(int* argc,
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -5767,7 +5767,23 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
 }

 void InitCryptoOnce() {
-  OPENSSL_config(NULL);
+  OPENSSL_no_config();
+
+  // --openssl-config=...
+  if (openssl_config != nullptr) {
+    CONF_modules_load_file(
+        openssl_config,
+        nullptr,
+        CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE);
+    int err = ERR_get_error();
+    if (0 != err) {
+      fprintf(stderr,
+              "openssl config failed: %s\n",
+              ERR_error_string(err, NULL));
+      CHECK_NE(err, 0);
+    }
+  }
+
  SSL_library_init();
  OpenSSL_add_all_algorithms();
  SSL_load_error_strings();