Skip to content

Commit 8afa8a2

Browse files
committed
crypto: split OpenSSL 3, BoringSSL, and legacy backends
This separates the native crypto backend paths for OpenSSL >= 3, BoringSSL, and legacy OpenSSL. The OpenSSL >= 3 path now builds with `OPENSSL_API_COMPAT=30000` and `OPENSSL_NO_DEPRECATED`, moving normal crypto/TLS code away from APIs that OpenSSL 3.0.0 marks deprecated. BoringSSL remains on its own branch, and OpenSSL < 3 remains the legacy fallback. The exception is ENGINE support. ENGINE APIs are isolated into a dedicated compatibility target so they can remain available while the JS-facing engine APIs are runtime-deprecated in 27.x. That gives us a clear removal point for 28.x, without letting ENGINE usage leak back into the strict OpenSSL 3 path. The split also makes the eventual OpenSSL 1.1.1 removal easier to reason about. Once support for OpenSSL < 3 is dropped, the legacy branch can be removed in a focused follow-up, possibly targeting 27.x, instead of untangling mixed version guards throughout the crypto implementation. No public crypto or TLS API behavior is intentionally changed. Assisted-by: Codex:gpt-5 Signed-off-by: Filip Skokan <panva.ip@gmail.com>
1 parent bee4016 commit 8afa8a2

19 files changed

Lines changed: 2148 additions & 192 deletions

common.gypi

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
'node_module_version%': '',
2525
'node_with_ltcg%': '',
2626
'node_shared_openssl%': 'false',
27+
'openssl_is_boringssl%': 'false',
2728

2829
'node_tag%': '',
2930
'uv_library%': 'static_library',

configure.py

Lines changed: 51 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -1440,6 +1440,48 @@ def get_gas_version(cc):
14401440
warn(f'Could not recognize `gas`: {gas_ret}')
14411441
return '0.0'
14421442

1443+
def get_openssl_macros(o):
1444+
"""Extract OpenSSL preprocessor macros from the configured headers."""
1445+
1446+
# Use the C compiler to extract preprocessor macros from OpenSSL headers.
1447+
# crypto.h is included because BoringSSL declares OPENSSL_IS_BORINGSSL there.
1448+
args = ['-E', '-dM',
1449+
'-include', 'openssl/opensslv.h',
1450+
'-include', 'openssl/crypto.h',
1451+
'-']
1452+
if not options.shared_openssl:
1453+
args = ['-I', 'deps/openssl/openssl/include'] + args
1454+
elif options.shared_openssl_includes:
1455+
args = ['-I', options.shared_openssl_includes] + args
1456+
else:
1457+
for dir in o['include_dirs']:
1458+
args = ['-I', dir] + args
1459+
1460+
proc = subprocess.Popen(
1461+
shlex.split(CC) + args,
1462+
stdin=subprocess.PIPE,
1463+
stdout=subprocess.PIPE,
1464+
stderr=subprocess.PIPE
1465+
)
1466+
with proc:
1467+
proc.stdin.write(b'\n')
1468+
out = to_utf8(proc.communicate()[0])
1469+
1470+
if proc.returncode != 0:
1471+
warn('Failed to extract OpenSSL macros from headers')
1472+
return {}
1473+
1474+
macros = {}
1475+
for line in out.split('\n'):
1476+
if line.startswith('#define OPENSSL_'):
1477+
parts = line.split()
1478+
if len(parts) >= 2:
1479+
macro_name = parts[1]
1480+
macro_value = parts[2] if len(parts) >= 3 else '1'
1481+
macros[macro_name] = macro_value
1482+
1483+
return macros
1484+
14431485
def get_openssl_version(o):
14441486
"""Parse OpenSSL version from opensslv.h header file.
14451487
@@ -1449,39 +1491,7 @@ def get_openssl_version(o):
14491491
"""
14501492

14511493
try:
1452-
# Use the C compiler to extract preprocessor macros from opensslv.h
1453-
args = ['-E', '-dM', '-include', 'openssl/opensslv.h', '-']
1454-
if not options.shared_openssl:
1455-
args = ['-I', 'deps/openssl/openssl/include'] + args
1456-
elif options.shared_openssl_includes:
1457-
args = ['-I', options.shared_openssl_includes] + args
1458-
else:
1459-
for dir in o['include_dirs']:
1460-
args = ['-I', dir] + args
1461-
1462-
proc = subprocess.Popen(
1463-
shlex.split(CC) + args,
1464-
stdin=subprocess.PIPE,
1465-
stdout=subprocess.PIPE,
1466-
stderr=subprocess.PIPE
1467-
)
1468-
with proc:
1469-
proc.stdin.write(b'\n')
1470-
out = to_utf8(proc.communicate()[0])
1471-
1472-
if proc.returncode != 0:
1473-
warn('Failed to extract OpenSSL version from opensslv.h header')
1474-
return 0
1475-
1476-
# Parse the macro definitions
1477-
macros = {}
1478-
for line in out.split('\n'):
1479-
if line.startswith('#define OPENSSL_VERSION_'):
1480-
parts = line.split()
1481-
if len(parts) >= 3:
1482-
macro_name = parts[1]
1483-
macro_value = parts[2]
1484-
macros[macro_name] = macro_value
1494+
macros = get_openssl_macros(o)
14851495

14861496
# Extract version components
14871497
major = int(macros.get('OPENSSL_VERSION_MAJOR', '0'))
@@ -1511,6 +1521,13 @@ def get_openssl_version(o):
15111521
warn(f'Failed to determine OpenSSL version from header: {e}')
15121522
return 0
15131523

1524+
def get_openssl_is_boringssl(o):
1525+
try:
1526+
return b('OPENSSL_IS_BORINGSSL' in get_openssl_macros(o))
1527+
except (OSError, ValueError, subprocess.SubprocessError) as e:
1528+
warn(f'Failed to determine whether OpenSSL headers are BoringSSL: {e}')
1529+
return 'false'
1530+
15141531
def get_cargo_version(cargo):
15151532
try:
15161533
proc = subprocess.Popen(shlex.split(cargo) + ['--version'],
@@ -2315,6 +2332,7 @@ def without_ssl_error(option):
23152332
configure_library('openssl', o)
23162333

23172334
o['variables']['openssl_version'] = get_openssl_version(o)
2335+
o['variables']['openssl_is_boringssl'] = get_openssl_is_boringssl(o)
23182336

23192337
def configure_lief(o):
23202338
if options.without_lief:

deps/ncrypto/engine.cc

Lines changed: 24 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,17 @@
11
#include "ncrypto.h"
22

3+
#if !defined(OPENSSL_NO_ENGINE) && \
4+
(NCRYPTO_ENGINE_COMPAT || NCRYPTO_USE_LEGACY_OPENSSL)
5+
#include <openssl/engine.h>
6+
#endif
7+
38
namespace ncrypto {
49

510
// ============================================================================
611
// Engine
712

813
#ifndef OPENSSL_NO_ENGINE
9-
EnginePointer::EnginePointer(ENGINE* engine_, bool finish_on_exit_)
14+
EnginePointer::EnginePointer(void* engine_, bool finish_on_exit_)
1015
: engine(engine_), finish_on_exit(finish_on_exit_) {}
1116

1217
EnginePointer::EnginePointer(EnginePointer&& other) noexcept
@@ -24,21 +29,22 @@ EnginePointer& EnginePointer::operator=(EnginePointer&& other) noexcept {
2429
return *new (this) EnginePointer(std::move(other));
2530
}
2631

27-
void EnginePointer::reset(ENGINE* engine_, bool finish_on_exit_) {
32+
void EnginePointer::reset(void* engine_, bool finish_on_exit_) {
2833
if (engine != nullptr) {
34+
ENGINE* current = static_cast<ENGINE*>(engine);
2935
if (finish_on_exit) {
3036
// This also does the equivalent of ENGINE_free.
31-
ENGINE_finish(engine);
37+
ENGINE_finish(current);
3238
} else {
33-
ENGINE_free(engine);
39+
ENGINE_free(current);
3440
}
3541
}
3642
engine = engine_;
3743
finish_on_exit = finish_on_exit_;
3844
}
3945

40-
ENGINE* EnginePointer::release() {
41-
ENGINE* ret = engine;
46+
void* EnginePointer::release() {
47+
void* ret = engine;
4248
engine = nullptr;
4349
finish_on_exit = false;
4450
return ret;
@@ -52,8 +58,9 @@ EnginePointer EnginePointer::getEngineByName(const char* name,
5258
// Engine not found, try loading dynamically.
5359
engine = EnginePointer(ENGINE_by_id("dynamic"));
5460
if (engine) {
55-
if (!ENGINE_ctrl_cmd_string(engine.get(), "SO_PATH", name, 0) ||
56-
!ENGINE_ctrl_cmd_string(engine.get(), "LOAD", nullptr, 0)) {
61+
ENGINE* current = static_cast<ENGINE*>(engine.engine);
62+
if (!ENGINE_ctrl_cmd_string(current, "SO_PATH", name, 0) ||
63+
!ENGINE_ctrl_cmd_string(current, "LOAD", nullptr, 0)) {
5764
engine.reset();
5865
}
5966
}
@@ -64,19 +71,24 @@ EnginePointer EnginePointer::getEngineByName(const char* name,
6471
bool EnginePointer::setAsDefault(uint32_t flags, CryptoErrorList* errors) {
6572
if (engine == nullptr) return false;
6673
ClearErrorOnReturn clear_error_on_return(errors);
67-
return ENGINE_set_default(engine, flags) != 0;
74+
return ENGINE_set_default(static_cast<ENGINE*>(engine), flags) != 0;
6875
}
6976

7077
bool EnginePointer::init(bool finish_on_exit) {
7178
if (engine == nullptr) return false;
7279
if (finish_on_exit) setFinishOnExit();
73-
return ENGINE_init(engine) == 1;
80+
return ENGINE_init(static_cast<ENGINE*>(engine)) == 1;
7481
}
7582

7683
EVPKeyPointer EnginePointer::loadPrivateKey(const char* key_name) {
7784
if (engine == nullptr) return EVPKeyPointer();
78-
return EVPKeyPointer(
79-
ENGINE_load_private_key(engine, key_name, nullptr, nullptr));
85+
return EVPKeyPointer(ENGINE_load_private_key(
86+
static_cast<ENGINE*>(engine), key_name, nullptr, nullptr));
87+
}
88+
89+
bool EnginePointer::setClientCertEngine(SSL_CTX* ctx) {
90+
if (engine == nullptr || ctx == nullptr) return false;
91+
return SSL_CTX_set_client_cert_engine(ctx, static_cast<ENGINE*>(engine)) == 1;
8092
}
8193

8294
void EnginePointer::initEnginesOnce() {

0 commit comments

Comments
 (0)