Merge ~sergiodj/ubuntu/+source/nodejs:backport-openssl-legacy into ubuntu/+source/nodejs:ubuntu/devel

Proposed by Sergio Durigan Junior
Status: Needs review
Proposed branch: ~sergiodj/ubuntu/+source/nodejs:backport-openssl-legacy
Merge into: ubuntu/+source/nodejs:ubuntu/devel
Diff against target: 202 lines (+180/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/v16.x-backport-src-add-openssl-legacy-provider-optio.patch (+172/-0)
Reviewer Review Type Date Requested Status
Athos Ribeiro (community) Approve
Gianfranco Costamagna Pending
Canonical Server packageset reviewers Pending
Review via email: mp+423043@code.launchpad.net

Description of the change

This MP adds support for the --openssl-legacy-provider option to nodejs.

This is hopefully the end of a rabbit hole that I got myself into after I started investigating why glewlwyd was FTBFSing during the openldap-2.6 transition mass test rebuild.

As it turns out, glewlwyd's FTBFS isn't related to openldap. What happens is that, during its build phase, it invokes webpack, and the webpack version we carry on Kinetic doesn't support newer crypto hashes. This means that, when it runs, it fails with:

(cd webapp-src && webpack --config webpack.config.js)
node:internal/crypto/hash:67
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/usr/share/nodejs/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/usr/share/nodejs/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/usr/share/nodejs/webpack/lib/NormalModule.js:471:10)
    at /usr/share/nodejs/webpack/lib/NormalModule.js:503:5
    at /usr/share/nodejs/webpack/lib/NormalModule.js:358:12
    at /usr/share/nodejs/loader-runner/lib/LoaderRunner.js:406:3
    at iterateNormalLoaders (/usr/share/nodejs/loader-runner/lib/LoaderRunner.js:232:10)
    at iterateNormalLoaders (/usr/share/nodejs/loader-runner/lib/LoaderRunner.js:239:10)
    at /usr/share/nodejs/loader-runner/lib/LoaderRunner.js:254:3
    at context.callback (/usr/share/nodejs/loader-runner/lib/LoaderRunner.js:124:13)
    at /<<PKGBUILDDIR>>/webapp-src/node_modules/babel-loader/lib/index.js:61:71 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

I opened a bug against glewlwyd here: bug #1974107.

Anyway, in order to make openssl happy we need to enable legacy ciphers before we run webpack. One of the ways to do it is by specifying the option --openssl-legacy-provider to nodejs (via the NODE_OPTIONS env var), but unfortunately our version of nodejs (16) doesn't support this option yet. Fortunately, there is a PR available to implement this feature, and it's even been approved by upstream (but hasn't been merged yet).

I went ahead and backported the patch, which is relatively simple. There's a PPA with the proposed patch here:

https://launchpad.net/~sergiodj/+archive/ubuntu/nodejs-glewlwyd-openssl-fix

There you will find a built version of glewlwyd as well.

dep8 tests are still running, I will update this MP once I have the results.

Sergio Durigan Junior (sergiodj) wrote :

Adding a review spot for Gianfranco since he's been working on nodejs lately.

Athos Ribeiro (athos-ribeiro) wrote :

LGTM, as long as the armhf build and your dep8 tests are OK :)

For the DEP3 headers, you are missing the value for "Bug-Ubuntu" there.

Thanks for backporting this one!

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

On Thursday, May 19 2022, Athos Ribeiro wrote:

> LGTM, as long as the armhf build and your dep8 tests are OK :)

Thanks for the review, Athos.

I'm waiting on the armhf build (it'll take several hours, I'm afraid).
The ppc64el test failed, but I'm retriggering it here.

> For the DEP3 headers, you are missing the value for "Bug-Ubuntu" there.

Should be good now :-).

Cheers,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Sergio Durigan Junior (sergiodj) wrote :

On Thursday, May 19 2022, Sergio Durigan Junior wrote:

> On Thursday, May 19 2022, Athos Ribeiro wrote:
>
>> LGTM, as long as the armhf build and your dep8 tests are OK :)
>
> Thanks for the review, Athos.
>
> I'm waiting on the armhf build (it'll take several hours, I'm afraid).
> The ppc64el test failed, but I'm retriggering it here.

Everything seems to be fine, so I went ahead and uploaded it:

$ dput nodejs_16.14.2+dfsg1-1ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/nodejs/nodejs_16.14.2+dfsg1-1ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/nodejs/nodejs_16.14.2+dfsg1-1ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading nodejs_16.14.2+dfsg1-1ubuntu3.dsc: done.
  Uploading nodejs_16.14.2+dfsg1-1ubuntu3.debian.tar.xz: done.
  Uploading nodejs_16.14.2+dfsg1-1ubuntu3_source.buildinfo: done.
  Uploading nodejs_16.14.2+dfsg1-1ubuntu3_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Unmerged commits

835d45b... by Sergio Durigan Junior

changelog for 16.14.2+dfsg1-1ubuntu3

7713e69... by Sergio Durigan Junior

  * d/p/v16.x-backport-src-add-openssl-legacy-provider-optio.patch:
    Add support for --openssl-legacy-provider option. (LP: #1974226)

dad720b... by Gianfranco Costamagna

16.14.2+dfsg1-1ubuntu2 (patches unapplied)

Imported using git-ubuntu import.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 6d2d2b2..b23f69b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+nodejs (16.14.2+dfsg1-1ubuntu3) kinetic; urgency=medium
7+
8+ * d/p/v16.x-backport-src-add-openssl-legacy-provider-optio.patch:
9+ Add support for --openssl-legacy-provider option. (LP: #1974226)
10+
11+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 19 May 2022 14:48:24 -0400
12+
13 nodejs (16.14.2+dfsg1-1ubuntu2) kinetic; urgency=medium
14
15 * Merge from Debian unstable. Remaining changes:
16diff --git a/debian/patches/series b/debian/patches/series
17index eaad66a..bbb00e5 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -19,3 +19,4 @@ mips/mipsel_is_32.patch
21 build/skip-buffer-nan-internal-check.patch
22 build/skip-crypto-engine-check.patch
23 build/flaky-cpu-prof-riscv64.patch
24+v16.x-backport-src-add-openssl-legacy-provider-optio.patch
25diff --git a/debian/patches/v16.x-backport-src-add-openssl-legacy-provider-optio.patch b/debian/patches/v16.x-backport-src-add-openssl-legacy-provider-optio.patch
26new file mode 100644
27index 0000000..c630c26
28--- /dev/null
29+++ b/debian/patches/v16.x-backport-src-add-openssl-legacy-provider-optio.patch
30@@ -0,0 +1,172 @@
31+From: Daniel Bevenius <daniel.bevenius@gmail.com>
32+Date: Sat, 16 Oct 2021 08:50:16 +0200
33+Subject: [v16.x backport] src: add --openssl-legacy-provider option
34+MIME-Version: 1.0
35+Content-Type: text/plain; charset="utf-8"
36+Content-Transfer-Encoding: 8bit
37+
38+This commit adds an option to Node.js named --openssl-legacy-provider
39+and if specified will load OpenSSL 3.0 Legacy provider when dynamically
40+linking Node.js v16.x with OpenSSL 3.0.
41+
42+Building:
43+$ ./configure --shared-openssl \
44+ --shared-openssl-libpath=/path/openssl_quic-3.0/lib64 \
45+ --shared-openssl-includes=/path/openssl_quic-3.0/include \
46+ --shared-openssl-libname=crypto,ssl
47+$ make -j8
48+
49+Verify options is available:
50+$ ./node --help
51+...
52+--openssl-legacy-provider enable OpenSSL 3.0 legacy provider
53+
54+Usage:
55+$ export LD_LIBRARY_PATH=/path/openssl_quic-3.0/lib64
56+$ export OPENSSL_MODULES=/path/openssl_quic-3.0/lib64/ossl-modules/
57+$ export OPENSSL_CONF=/path/openssl_quic-3.0/ssl/openssl.cnf
58+$ ./node --openssl-legacy-provider -p 'crypto.createHash("md4")'
59+Hash {
60+ _options: undefined,
61+ [Symbol(kHandle)]: Hash {},
62+ [Symbol(kState)]: { [Symbol(kFinalized)]: false }
63+}
64+
65+Fixes: https://github.com/nodejs/node/issues/40948
66+
67+Refs: https://github.com/nodejs/node/issues/40455
68+PR-URL: https://github.com/nodejs/node/pull/40478
69+Reviewed-By: Richard Lau <rlau@redhat.com>
70+Reviewed-By: Tobias Nießen <tniessen@tnie.de>
71+
72+Forwarded: yes, https://github.com/nodejs/node/pull/42972
73+Bug: https://github.com/nodejs/node/issues/40948
74+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/glewlwyd/+bug/1974107
75+Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com>
76+---
77+ doc/api/cli.md | 11 +++++++++++
78+ src/crypto/crypto_util.cc | 10 ++++++++++
79+ src/node_options.cc | 3 +++
80+ src/node_options.h | 7 +++++++
81+ .../parallel/test-process-env-allowed-flags-are-documented.js | 5 +++++
82+ 5 files changed, 36 insertions(+)
83+
84+diff --git a/doc/api/cli.md b/doc/api/cli.md
85+index 6c469ae..8c71f5d 100644
86+--- a/doc/api/cli.md
87++++ b/doc/api/cli.md
88+@@ -714,6 +714,15 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
89+ used to enable FIPS-compliant crypto if Node.js is built
90+ against FIPS-enabled OpenSSL.
91+
92++### `--openssl-legacy-provider`
93++
94++<!-- YAML
95++added: REPLACEME
96++-->
97++
98++Enable OpenSSL 3.0 legacy provider when dynamically linking to OpenSSL 3.x.
99++For more information please see [OSSL\_PROVIDER-legacy][OSSL_PROVIDER-legacy].
100++
101+ ### `--pending-deprecation`
102+
103+ <!-- YAML
104+@@ -1571,6 +1580,7 @@ Node.js options that are allowed are:
105+ * `--no-warnings`
106+ * `--node-memory-debug`
107+ * `--openssl-config`
108++* `--openssl-legacy-provider`
109+ * `--pending-deprecation`
110+ * `--policy-integrity`
111+ * `--preserve-symlinks-main`
112+@@ -1930,6 +1940,7 @@ $ node --max-old-space-size=1536 index.js
113+ [CommonJS]: modules.md
114+ [ECMAScript module loader]: esm.md#loaders
115+ [Modules loaders]: packages.md#modules-loaders
116++[OSSL_PROVIDER-legacy]: https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
117+ [REPL]: repl.md
118+ [ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
119+ [Source Map]: https://sourcemaps.info/spec.html
120+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
121+index e1ef170..e93edd4 100644
122+--- a/src/crypto/crypto_util.cc
123++++ b/src/crypto/crypto_util.cc
124+@@ -148,6 +148,16 @@ void InitCryptoOnce() {
125+ }
126+ #endif
127+
128++#if OPENSSL_VERSION_MAJOR >= 3
129++ // --openssl-legacy-provider
130++ if (per_process::cli_options->openssl_legacy_provider) {
131++ OSSL_PROVIDER* legacy_provider = OSSL_PROVIDER_load(nullptr, "legacy");
132++ if (legacy_provider == nullptr) {
133++ fprintf(stderr, "Unable to load legacy provider.\n");
134++ }
135++ }
136++#endif
137++
138+ OPENSSL_init_ssl(0, settings);
139+ OPENSSL_INIT_free(settings);
140+ settings = nullptr;
141+diff --git a/src/node_options.cc b/src/node_options.cc
142+index cd537ad..e24fb3d 100644
143+--- a/src/node_options.cc
144++++ b/src/node_options.cc
145+@@ -4,6 +4,9 @@
146+ #include "env-inl.h"
147+ #include "node_binding.h"
148+ #include "node_internals.h"
149++#if HAVE_OPENSSL
150++#include "openssl/opensslv.h"
151++#endif
152+
153+ #include <errno.h>
154+ #include <sstream>
155+diff --git a/src/node_options.h b/src/node_options.h
156+index 5cf2bb4..90c6ce3 100644
157+--- a/src/node_options.h
158++++ b/src/node_options.h
159+@@ -11,6 +11,10 @@
160+ #include "node_mutex.h"
161+ #include "util.h"
162+
163++#if HAVE_OPENSSL
164++#include "openssl/opensslv.h"
165++#endif
166++
167+ namespace node {
168+
169+ class HostPort {
170+@@ -251,6 +255,9 @@ class PerProcessOptions : public Options {
171+ bool enable_fips_crypto = false;
172+ bool force_fips_crypto = false;
173+ #endif
174++#if OPENSSL_VERSION_MAJOR >= 3
175++ bool openssl_legacy_provider = false;
176++#endif
177+
178+ // Per-process because reports can be triggered outside a known V8 context.
179+ bool report_on_fatalerror = false;
180+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
181+index a2738f0..f4dd77e 100644
182+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
183++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
184+@@ -43,6 +43,10 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
185+ }
186+ }
187+
188++if (!common.hasOpenSSL3) {
189++ documented.delete('--openssl-legacy-provider');
190++}
191++
192+ // Filter out options that are conditionally present.
193+ const conditionalOpts = [
194+ {
195+@@ -50,6 +54,7 @@ const conditionalOpts = [
196+ filter: (opt) => {
197+ return [
198+ '--openssl-config',
199++ common.hasOpenSSL3 ? '--openssl-legacy-provider' : '',
200+ '--tls-cipher-list',
201+ '--use-bundled-ca',
202+ '--use-openssl-ca',
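Review bot: the DEP3 `Bug-Ubuntu:` header in the new patch file points at the glewlwyd bug (https://bugs.launchpad.net/ubuntu/+source/glewlwyd/+bug/1974107) while the changelog entry closes LP: #1974226; the nodejs bug is the one this patch fixes, so it should appear here (listing both is fine, omitting the nodejs one is not). In the crypto_util.cc part, a NULL return from `OSSL_PROVIDER_load(nullptr, "legacy")` only prints "Unable to load legacy provider." and startup continues, so someone who passed the flag still hits ERR_OSSL_EVP_UNSUPPORTED later with no hint that the provider never loaded (for example because OPENSSL_MODULES points at the wrong directory); consider exiting non-zero, or at least dumping the OpenSSL error stack with ERR_print_errors_fp(stderr) so the cause is visible. Also worth confirming on this shared-OpenSSL build: OSSL_PROVIDER_load() disables OpenSSL's automatic fallback to the default provider (OSSL_PROVIDER_try_load(3) documents this), so after a successful legacy load the default provider is only present if the system openssl.cnf activates it or it is loaded explicitly; `node --openssl-legacy-provider -p 'crypto.createHash("sha256")'` on the PPA build is a quick check. Two documentation points: the cli.md text should say that the legacy provider is loaded process-wide, so every crypto call (not only webpack's) gains MD4 and the other legacy algorithms, which matters for anyone setting this in NODE_OPTIONS globally; and the YAML block keeps `added: REPLACEME`, which nothing substitutes in a distro backport, so put the Ubuntu version (16.14.2+dfsg1-1ubuntu3) there or drop the block.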
