src: only initialize openssl once

sam-github · sam-github · commit 12cbdcbdf7ef · 2019-10-17T11:09:09.000-07:00
For compatibility with OpenSSL 1.1.0 and 1.0.1 a series of initialization wrappers were being called, many deprecated, and many calling each other internally already. Compatibility is unnecessary in 12.x and later, which support only OpenSSL 1.1.1, and the multiple calls cause the configuration file to be loaded multiple times. Fixes: nodejs#29702 See: - https://mta.openssl.org/pipermail/openssl-users/2019-October/011303.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html - https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
diff --git a/src/node.cc b/src/node.cc
@@ -833,13 +833,6 @@ int InitializeNodeWithArgs(std::vector<std::string>* argv,
                             &default_env_options->redirect_warnings);
   }
 
-#if HAVE_OPENSSL
-  std::string* openssl_config = &per_process::cli_options->openssl_config;
-  if (openssl_config->empty()) {
-    credentials::SafeGetenv("OPENSSL_CONF", openssl_config);
-  }
-#endif
-
 #if !defined(NODE_WITHOUT_NODE_OPTIONS)
   std::string node_options;
 
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -6975,30 +6975,19 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
 }
 
 void InitCryptoOnce() {
-  SSL_load_error_strings();
-  OPENSSL_no_config();
+#ifndef OPENSSL_IS_BORINGSSL
+  OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
 
   // --openssl-config=...
   if (!per_process::cli_options->openssl_config.empty()) {
-    OPENSSL_load_builtin_modules();
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_load_builtin_engines();
-#endif
-    ERR_clear_error();
-    CONF_modules_load_file(per_process::cli_options->openssl_config.c_str(),
-                           nullptr,
-                           CONF_MFLAGS_DEFAULT_SECTION);
-    int err = ERR_get_error();
-    if (0 != err) {
-      fprintf(stderr,
-              "openssl config failed: %s\n",
-              ERR_error_string(err, nullptr));
-      CHECK_NE(err, 0);
-    }
+    const char* conf = per_process::cli_options->openssl_config.c_str();
+    OPENSSL_INIT_set_config_filename(settings, conf);
   }
 
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
+  OPENSSL_init_ssl(0, settings);
+  OPENSSL_INIT_free(settings);
+  settings = nullptr;
+#endif
 
 #ifdef NODE_FIPS_MODE
   /* Override FIPS settings in cnf file, if needed. */
