1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: support FIPS mode of OpenSSL

Browse Source 
Support building and running with FIPS-compliant OpenSSL. The process is
following:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
   https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
   (NOTE: On OS X, you may want to run
    ``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
    build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)

Fix: https://github.com/joyent/node/issues/25463
PR-URL: https://github.com/nodejs/io.js/pull/1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
This commit is contained in:
Fedor Indutny 2015-06-01 23:49:43 +02:00
parent 53a4eb3198
commit 0f68377f69
8 changed files with 112 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@ -1,3 +1,4 @@
io.js io.js
===== =====
@ -249,6 +250,28 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
> vcbuild full-icu > vcbuild full-icu
``` ```
# Building io.js with FIPS-compliant OpenSSL
NOTE: Windows is not yet supported
It is possible to build io.js with
[OpenSSL FIPS module](https://www.openssl.org/docs/fips/fipsnotes.html).
Instructions:
1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
## Resources for Newcomers ## Resources for Newcomers
* [CONTRIBUTING.md](./CONTRIBUTING.md) * [CONTRIBUTING.md](./CONTRIBUTING.md)

5
common.gypi
View File

@ -38,6 +38,11 @@
'OBJ_DIR': '<(PRODUCT_DIR)/obj.target', 'OBJ_DIR': '<(PRODUCT_DIR)/obj.target',
'V8_BASE': '<(PRODUCT_DIR)/obj.target/deps/v8/tools/gyp/libv8_base.a', 'V8_BASE': '<(PRODUCT_DIR)/obj.target/deps/v8/tools/gyp/libv8_base.a',
}], }],
['openssl_fips != ""', {
'OPENSSL_PRODUCT': 'libcrypto.a',
}, {
'OPENSSL_PRODUCT': 'libopenssl.a',
}],
['OS=="mac"', { ['OS=="mac"', {
'clang%': 1, 'clang%': 1,
}, { }, {

28
configure vendored
View File

@ -88,6 +88,11 @@ parser.add_option("--openssl-no-asm",
dest="openssl_no_asm", dest="openssl_no_asm",
help="Do not build optimized assembly for OpenSSL") help="Do not build optimized assembly for OpenSSL")
parser.add_option('--openssl-fips',
action='store',
dest='openssl_fips',
help='Build OpenSSL using FIPS canister .o file in supplied folder')
shared_optgroup.add_option('--shared-http-parser', shared_optgroup.add_option('--shared-http-parser',
action='store_true', action='store_true',
dest='shared_http_parser', dest='shared_http_parser',
@ -720,6 +725,16 @@ def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl) o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl) o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_global_settings'] = [
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
o['variables']['openssl_fips'] = ''
if options.without_ssl: if options.without_ssl:
return return
@ -1025,10 +1040,21 @@ configure_fullystatic(output)
# move everything else to target_defaults # move everything else to target_defaults
variables = output['variables'] variables = output['variables']
del output['variables'] del output['variables']
# make_global_settings should be a root level element too
if 'make_global_settings' in output:
make_global_settings = output['make_global_settings']
del output['make_global_settings']
else:
make_global_settings = False
output = { output = {
'variables': variables, 'variables': variables,
'target_defaults': output 'target_defaults': output,
} }
if make_global_settings:
output['make_global_settings'] = make_global_settings
pprint.pprint(output, indent=2) pprint.pprint(output, indent=2)
write('config.gypi', do_not_edit + write('config.gypi', do_not_edit +

15
deps/openssl/fips/fipscc vendored Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
ARGS=
CXX=${CXX:-g++}
while [ "x$1" != "x" ]; do
ARG=$1
shift
case $ARG in
*fips_premain.c) ARGS="$ARGS -x c $ARG -x none";;
*) ARGS="$ARGS $ARG";;
esac
done
echo $CXX $ARGS
${CXX} $ARGS

8
deps/openssl/fips/fipsld vendored Executable file
View File

@ -0,0 +1,8 @@
#!/bin/sh
# NOTE: Just a wrapper around normal fipsld
FIPSLD=$1
shift
DIR=`dirname $0`
FIPSLD_CC=$DIR/fipscc $FIPSLD $@

23
deps/openssl/openssl.gyp vendored
View File

@ -9,6 +9,7 @@
'openssl_no_asm%': 0, 'openssl_no_asm%': 0,
'llvm_version%': 0, 'llvm_version%': 0,
'gas_version%': 0, 'gas_version%': 0,
'openssl_fips%': 'false',
}, },
'targets': [ 'targets': [
{ {
@ -21,6 +22,28 @@
['exclude', 'store/.*$'] ['exclude', 'store/.*$']
], ],
'conditions': [ 'conditions': [
# FIPS
['openssl_fips != ""', {
'defines': [
'OPENSSL_FIPS',
],
'include_dirs': [
'<(openssl_fips)/include',
],
# Trick fipsld, it expects to see libcrypto.a
'product_name': 'crypto',
'direct_dependent_settings': {
'defines': [
'OPENSSL_FIPS',
],
'include_dirs': [
'<(openssl_fips)/include',
],
},
}],
['openssl_no_asm!=0', { ['openssl_no_asm!=0', {
# Disable asm # Disable asm
'defines': [ 'defines': [

4
node.gyp
View File

@ -234,13 +234,13 @@
[ 'node_target_type!="static_library"', { [ 'node_target_type!="static_library"', {
'xcode_settings': { 'xcode_settings': {
'OTHER_LDFLAGS': [ 'OTHER_LDFLAGS': [
'-Wl,-force_load,<(PRODUCT_DIR)/libopenssl.a', '-Wl,-force_load,<(PRODUCT_DIR)/<(OPENSSL_PRODUCT)',
], ],
}, },
'conditions': [ 'conditions': [
['OS in "linux freebsd"', { ['OS in "linux freebsd"', {
'ldflags': [ 'ldflags': [
'-Wl,--whole-archive <(PRODUCT_DIR)/libopenssl.a', '-Wl,--whole-archive <(PRODUCT_DIR)/<(OPENSSL_PRODUCT)',
'-Wl,--no-whole-archive', '-Wl,--no-whole-archive',
], ],
}], }],

9
src/node_crypto.cc
View File

@ -5097,6 +5097,15 @@ void InitCryptoOnce() {
CRYPTO_set_locking_callback(crypto_lock_cb); CRYPTO_set_locking_callback(crypto_lock_cb);
CRYPTO_THREADID_set_callback(crypto_threadid_cb); CRYPTO_THREADID_set_callback(crypto_threadid_cb);
#ifdef OPENSSL_FIPS
if (!FIPS_mode_set(1)) {
int err = ERR_get_error();
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
UNREACHABLE();
}
#endif // OPENSSL_FIPS
// Turn off compression. Saves memory and protects against CRIME attacks. // Turn off compression. Saves memory and protects against CRIME attacks.
#if !defined(OPENSSL_NO_COMP) #if !defined(OPENSSL_NO_COMP)
#if OPENSSL_VERSION_NUMBER < 0x00908000L #if OPENSSL_VERSION_NUMBER < 0x00908000L