Skip to content

Commit db7cc5b

Browse files
authored
crypto: split OpenSSL 3, BoringSSL, and legacy backends
This separates the native crypto backend paths for OpenSSL >= 3, BoringSSL, and legacy OpenSSL. The OpenSSL >= 3 path now builds with `OPENSSL_API_COMPAT=30000` and `OPENSSL_NO_DEPRECATED`, moving normal crypto/TLS code away from APIs that OpenSSL 3.0.0 marks deprecated. BoringSSL remains on its own branch, and OpenSSL < 3 remains the legacy fallback. The exception is ENGINE support. ENGINE APIs are isolated into a dedicated compatibility target so they can remain available while the JS-facing engine APIs are runtime-deprecated in 27.x. That gives us a clear removal point for 28.x, without letting ENGINE usage leak back into the strict OpenSSL 3 path. The split also makes the eventual OpenSSL 1.1.1 removal easier to reason about. Once support for OpenSSL < 3 is dropped, the legacy branch can be removed in a focused follow-up, possibly targeting 27.x, instead of untangling mixed version guards throughout the crypto implementation. No public crypto or TLS API behavior is intentionally changed. Assisted-by: Codex:gpt-5 Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #64211 Refs: #56733 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com>
1 parent a18052e commit db7cc5b

23 files changed

Lines changed: 2443 additions & 204 deletions

common.gypi

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
'node_module_version%': '',
2525
'node_with_ltcg%': '',
2626
'node_shared_openssl%': 'false',
27+
'openssl_is_boringssl%': 'false',
2728

2829
'node_tag%': '',
2930
'uv_library%': 'static_library',

configure.py

Lines changed: 51 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -1440,6 +1440,48 @@ def get_gas_version(cc):
14401440
warn(f'Could not recognize `gas`: {gas_ret}')
14411441
return '0.0'
14421442

1443+
def get_openssl_macros(o):
1444+
"""Extract OpenSSL preprocessor macros from the configured headers."""
1445+
1446+
# Use the C compiler to extract preprocessor macros from OpenSSL headers.
1447+
# crypto.h is included because BoringSSL declares OPENSSL_IS_BORINGSSL there.
1448+
args = ['-E', '-dM',
1449+
'-include', 'openssl/opensslv.h',
1450+
'-include', 'openssl/crypto.h',
1451+
'-']
1452+
if not options.shared_openssl:
1453+
args = ['-I', 'deps/openssl/openssl/include'] + args
1454+
elif options.shared_openssl_includes:
1455+
args = ['-I', options.shared_openssl_includes] + args
1456+
else:
1457+
for dir in o['include_dirs']:
1458+
args = ['-I', dir] + args
1459+
1460+
proc = subprocess.Popen(
1461+
shlex.split(CC) + args,
1462+
stdin=subprocess.PIPE,
1463+
stdout=subprocess.PIPE,
1464+
stderr=subprocess.PIPE
1465+
)
1466+
with proc:
1467+
proc.stdin.write(b'\n')
1468+
out = to_utf8(proc.communicate()[0])
1469+
1470+
if proc.returncode != 0:
1471+
warn('Failed to extract OpenSSL macros from headers')
1472+
return {}
1473+
1474+
macros = {}
1475+
for line in out.split('\n'):
1476+
if line.startswith('#define OPENSSL_'):
1477+
parts = line.split()
1478+
if len(parts) >= 2:
1479+
macro_name = parts[1]
1480+
macro_value = parts[2] if len(parts) >= 3 else '1'
1481+
macros[macro_name] = macro_value
1482+
1483+
return macros
1484+
14431485
def get_openssl_version(o):
14441486
"""Parse OpenSSL version from opensslv.h header file.
14451487
@@ -1449,39 +1491,7 @@ def get_openssl_version(o):
14491491
"""
14501492

14511493
try:
1452-
# Use the C compiler to extract preprocessor macros from opensslv.h
1453-
args = ['-E', '-dM', '-include', 'openssl/opensslv.h', '-']
1454-
if not options.shared_openssl:
1455-
args = ['-I', 'deps/openssl/openssl/include'] + args
1456-
elif options.shared_openssl_includes:
1457-
args = ['-I', options.shared_openssl_includes] + args
1458-
else:
1459-
for dir in o['include_dirs']:
1460-
args = ['-I', dir] + args
1461-
1462-
proc = subprocess.Popen(
1463-
shlex.split(CC) + args,
1464-
stdin=subprocess.PIPE,
1465-
stdout=subprocess.PIPE,
1466-
stderr=subprocess.PIPE
1467-
)
1468-
with proc:
1469-
proc.stdin.write(b'\n')
1470-
out = to_utf8(proc.communicate()[0])
1471-
1472-
if proc.returncode != 0:
1473-
warn('Failed to extract OpenSSL version from opensslv.h header')
1474-
return 0
1475-
1476-
# Parse the macro definitions
1477-
macros = {}
1478-
for line in out.split('\n'):
1479-
if line.startswith('#define OPENSSL_VERSION_'):
1480-
parts = line.split()
1481-
if len(parts) >= 3:
1482-
macro_name = parts[1]
1483-
macro_value = parts[2]
1484-
macros[macro_name] = macro_value
1494+
macros = get_openssl_macros(o)
14851495

14861496
# Extract version components
14871497
major = int(macros.get('OPENSSL_VERSION_MAJOR', '0'))
@@ -1511,6 +1521,13 @@ def get_openssl_version(o):
15111521
warn(f'Failed to determine OpenSSL version from header: {e}')
15121522
return 0
15131523

1524+
def get_openssl_is_boringssl(o):
1525+
try:
1526+
return b('OPENSSL_IS_BORINGSSL' in get_openssl_macros(o))
1527+
except (OSError, ValueError, subprocess.SubprocessError) as e:
1528+
warn(f'Failed to determine whether OpenSSL headers are BoringSSL: {e}')
1529+
return 'false'
1530+
15141531
def get_cargo_version(cargo):
15151532
try:
15161533
proc = subprocess.Popen(shlex.split(cargo) + ['--version'],
@@ -2315,6 +2332,7 @@ def without_ssl_error(option):
23152332
configure_library('openssl', o)
23162333

23172334
o['variables']['openssl_version'] = get_openssl_version(o)
2335+
o['variables']['openssl_is_boringssl'] = get_openssl_is_boringssl(o)
23182336

23192337
def configure_lief(o):
23202338
if options.without_lief:

deps/ncrypto/engine.cc

Lines changed: 25 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,18 @@
11
#include "ncrypto.h"
22

3+
#if !defined(OPENSSL_NO_ENGINE) && \
4+
((defined(NCRYPTO_ENGINE_COMPAT) && NCRYPTO_ENGINE_COMPAT) || \
5+
NCRYPTO_USE_LEGACY_OPENSSL)
6+
#include <openssl/engine.h>
7+
#endif
8+
39
namespace ncrypto {
410

511
// ============================================================================
612
// Engine
713

814
#ifndef OPENSSL_NO_ENGINE
9-
EnginePointer::EnginePointer(ENGINE* engine_, bool finish_on_exit_)
15+
EnginePointer::EnginePointer(void* engine_, bool finish_on_exit_)
1016
: engine(engine_), finish_on_exit(finish_on_exit_) {}
1117

1218
EnginePointer::EnginePointer(EnginePointer&& other) noexcept
@@ -24,21 +30,22 @@ EnginePointer& EnginePointer::operator=(EnginePointer&& other) noexcept {
2430
return *new (this) EnginePointer(std::move(other));
2531
}
2632

27-
void EnginePointer::reset(ENGINE* engine_, bool finish_on_exit_) {
33+
void EnginePointer::reset(void* engine_, bool finish_on_exit_) {
2834
if (engine != nullptr) {
35+
ENGINE* current = static_cast<ENGINE*>(engine);
2936
if (finish_on_exit) {
3037
// This also does the equivalent of ENGINE_free.
31-
ENGINE_finish(engine);
38+
ENGINE_finish(current);
3239
} else {
33-
ENGINE_free(engine);
40+
ENGINE_free(current);
3441
}
3542
}
3643
engine = engine_;
3744
finish_on_exit = finish_on_exit_;
3845
}
3946

40-
ENGINE* EnginePointer::release() {
41-
ENGINE* ret = engine;
47+
void* EnginePointer::release() {
48+
void* ret = engine;
4249
engine = nullptr;
4350
finish_on_exit = false;
4451
return ret;
@@ -52,8 +59,9 @@ EnginePointer EnginePointer::getEngineByName(const char* name,
5259
// Engine not found, try loading dynamically.
5360
engine = EnginePointer(ENGINE_by_id("dynamic"));
5461
if (engine) {
55-
if (!ENGINE_ctrl_cmd_string(engine.get(), "SO_PATH", name, 0) ||
56-
!ENGINE_ctrl_cmd_string(engine.get(), "LOAD", nullptr, 0)) {
62+
ENGINE* current = static_cast<ENGINE*>(engine.engine);
63+
if (!ENGINE_ctrl_cmd_string(current, "SO_PATH", name, 0) ||
64+
!ENGINE_ctrl_cmd_string(current, "LOAD", nullptr, 0)) {
5765
engine.reset();
5866
}
5967
}
@@ -64,19 +72,24 @@ EnginePointer EnginePointer::getEngineByName(const char* name,
6472
bool EnginePointer::setAsDefault(uint32_t flags, CryptoErrorList* errors) {
6573
if (engine == nullptr) return false;
6674
ClearErrorOnReturn clear_error_on_return(errors);
67-
return ENGINE_set_default(engine, flags) != 0;
75+
return ENGINE_set_default(static_cast<ENGINE*>(engine), flags) != 0;
6876
}
6977

7078
bool EnginePointer::init(bool finish_on_exit) {
7179
if (engine == nullptr) return false;
7280
if (finish_on_exit) setFinishOnExit();
73-
return ENGINE_init(engine) == 1;
81+
return ENGINE_init(static_cast<ENGINE*>(engine)) == 1;
7482
}
7583

7684
EVPKeyPointer EnginePointer::loadPrivateKey(const char* key_name) {
7785
if (engine == nullptr) return EVPKeyPointer();
78-
return EVPKeyPointer(
79-
ENGINE_load_private_key(engine, key_name, nullptr, nullptr));
86+
return EVPKeyPointer(ENGINE_load_private_key(
87+
static_cast<ENGINE*>(engine), key_name, nullptr, nullptr));
88+
}
89+
90+
bool EnginePointer::setClientCertEngine(SSL_CTX* ctx) {
91+
if (engine == nullptr || ctx == nullptr) return false;
92+
return SSL_CTX_set_client_cert_engine(ctx, static_cast<ENGINE*>(engine)) == 1;
8093
}
8194

8295
void EnginePointer::initEnginesOnce() {

0 commit comments

Comments
 (0)