src: initialize openssl only once

sam-github · targos · commit 70c46d19af90 · 2019-11-10T14:50:13.000+01:00
For compatibility with OpenSSL 1.1.0 and 1.0.1 a series of initialization wrappers were being called, many deprecated, and many calling each other internally already. Compatibility is unnecessary in 12.x and later, which support only OpenSSL 1.1.1, and the multiple calls cause the configuration file to be loaded multiple times. Fixes: #29702 See: - https://mta.openssl.org/pipermail/openssl-users/2019-October/011303.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html PR-URL: #29999 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shelley Vohr <codebytere@gmail.com>
diff --git a/src/node.cc b/src/node.cc
@@ -785,13 +785,6 @@ int InitializeNodeWithArgs(std::vector<std::string>* argv,
                             &default_env_options->redirect_warnings);
   }
 
-#if HAVE_OPENSSL
-  std::string* openssl_config = &per_process::cli_options->openssl_config;
-  if (openssl_config->empty()) {
-    credentials::SafeGetenv("OPENSSL_CONF", openssl_config);
-  }
-#endif
-
 #if !defined(NODE_WITHOUT_NODE_OPTIONS)
   std::string node_options;
 
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -6961,30 +6961,19 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
 }
 
 void InitCryptoOnce() {
-  SSL_load_error_strings();
-  OPENSSL_no_config();
+#ifndef OPENSSL_IS_BORINGSSL
+  OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
 
   // --openssl-config=...
   if (!per_process::cli_options->openssl_config.empty()) {
-    OPENSSL_load_builtin_modules();
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_load_builtin_engines();
-#endif
-    ERR_clear_error();
-    CONF_modules_load_file(per_process::cli_options->openssl_config.c_str(),
-                           nullptr,
-                           CONF_MFLAGS_DEFAULT_SECTION);
-    int err = ERR_get_error();
-    if (0 != err) {
-      fprintf(stderr,
-              "openssl config failed: %s\n",
-              ERR_error_string(err, nullptr));
-      CHECK_NE(err, 0);
-    }
+    const char* conf = per_process::cli_options->openssl_config.c_str();
+    OPENSSL_INIT_set_config_filename(settings, conf);
   }
 
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
+  OPENSSL_init_ssl(0, settings);
+  OPENSSL_INIT_free(settings);
+  settings = nullptr;
+#endif
 
 #ifdef NODE_FIPS_MODE
   /* Override FIPS settings in cnf file, if needed. */
