Support dynamically linking with OpenSSL 3.0 #37669

Currently there are three compilation errors generated for crypto_hkdf.cc: ./src/crypto/crypto_hkdf.cc: In static member function ‘static bool node::crypto::HKDFTraits::DeriveBits(node::Environment*, const node::crypto::HKDFConfig&, node::crypto::ByteSource*)’: ../src/crypto/crypto_hkdf.cc:113:24: error: invalid conversion from ‘const char*’ to ‘const unsigned char*’ [-fpermissive] 113 | params.salt.get(), | ~~~~~~~~~~~~~~~^~ | | | const char* In file included from ../src/crypto/crypto_util.h:18, from ../src/crypto/crypto_keys.h:6, from ../src/crypto/crypto_hkdf.h:6, from ../src/crypto/crypto_hkdf.cc:1: /openssl_build_master/include/openssl/kdf.h:130:54: note: initializing argument 2 of ‘int EVP_PKEY_CTX_set1_hkdf_salt( EVP_PKEY_CTX*, const unsigned char*, int)’ 130 | const unsigned char *salt, int saltlen); | ~~~~~~~~~~~~~~~~~~~~~^~~~

This commit adds the OPENSSL_API_COMPAT macro and sets it to version 1.0.0 of OpenSSL when linking with a shared OpenSSL library. The motivation for this is that when linking against OpenSSL 3.x there are a lot of deprecation warnings and this allows them to be avoided. When we later upgrade the code base to 3.x this value can then be updated.

This commit adds a constant to identify if the version of OpenSSl is 3 or above. The motivation for this is it allows for checking this value in tests to make sure that they work with OpenSSL 3.x, and also with earlier versions.

This commit fixes a number of test failures reported when using OpenSSL 3.0, for example: Error: error:0500007E:Diffie-Hellman routines::modulus too small Check have been added for OpenSSL 3 and use the larger sizes only for OpenSSL 3.0 as these sizes seem to cause timeouts when using OpenSSL 1.1.1.

…13.js

…32240.js

…eriv.js This commit adds min and max IV lengths to the test crypto-cipheriv-decipher-iv when OpenSSL 3.x is in use. The motivation for this is that OpenSSL 3.x has a check in providers/implementations/ciphers/ciphercommon_gcm: if (iv != NULL) { if (ivlen < ctx->ivlen_min || ivlen > sizeof(ctx->iv)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } And the ivlen_min is 8 and max is 64: (lldb) expr ctx->ivlen_min (size_t) $25 = 8 (lldb) expr sizeof(ctx->iv) (unsigned long) $28 = 64 (size_t) $25 = 8

This commit adds a check and a skip if using OpenSSL 3.x. The reason for this is that Blowfish (BF) is only available when using the legacy provider in OpenSSL 3.x.

…coding.js

…ext.js

…s.js This commit adds a check to skip tests that depend on OpenSSL 1.x config files. These test will not work with OpenSSL 3.x as the configuration files have changed. Once FIPS support is available in OpenSSL 3.x we should revisit these test and add tests specific to OpenSSL 3.x.

…-cache.js Currently this test will fail if the default security level 1 is used when linked against OpenSSL 3.x.

…est-tls-getprotocol.js, test-tls-min-max-version.js

Note that there is still an issue with OpenSSL 3.x for which there is an open issue: openssl/openssl#12384

This commit adds an check for OpenSSL 3.0 to deal with changes to the newline output of infoAccess. Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/issues.md#test-crypto-x509js

This commit adds a macro check for OpenSSL 3 and used EVP_default_properties_is_fips_enabled instead of FIPS_mode which has been removed in OpenSSL 3.

This commit aquires the Mutex in ManagedEVPPKey::operator= to avoid multiple threads updating the underlying EVP_PKEY in OpenSSL 3.0. There are additional changes to the code to avoid dead locks, making sure to release the lock before aquiring a new lock. Refs: nodejs@79d44baae2

This commit add const to EC_KEY, DSA, RSA pointer to avoid compilation errors when linking against OpenSSL 3.0. Refs: openssl/openssl@7bc0fdd

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support dynamically linking with OpenSSL 3.0 #37669

Support dynamically linking with OpenSSL 3.0 #37669

Commits on Mar 15, 2021