Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: support FIPS mode of OpenSSL #1890

Closed
wants to merge 7 commits into from
Closed
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@

io.js
=====

Expand Down Expand Up @@ -249,6 +250,28 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
> vcbuild full-icu
```

# Building io.js with FIPS-compliant OpenSSL

NOTE: Windows is not yet supported

It is possible to build io.js with
[OpenSSL FIPS module](https://www.openssl.org/docs/fips/fipsnotes.html).

Instructions:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have OS X, so I couldn't confirm this. Is ./Configure with a capital C, correct?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I have OS X. So I can confirm it ;)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, then :-) I just thought it was a typo.

build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)

## Resources for Newcomers

* [CONTRIBUTING.md](./CONTRIBUTING.md)
Expand Down
5 changes: 5 additions & 0 deletions common.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,11 @@
'OBJ_DIR': '<(PRODUCT_DIR)/obj.target',
'V8_BASE': '<(PRODUCT_DIR)/obj.target/deps/v8/tools/gyp/libv8_base.a',
}],
['openssl_fips != ""', {
'OPENSSL_PRODUCT': 'libcrypto.a',
}, {
'OPENSSL_PRODUCT': 'libopenssl.a',
}],
['OS=="mac"', {
'clang%': 1,
}, {
Expand Down
28 changes: 27 additions & 1 deletion configure
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,11 @@ parser.add_option("--openssl-no-asm",
dest="openssl_no_asm",
help="Do not build optimized assembly for OpenSSL")

parser.add_option("--openssl-fips",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very minor. Everywhere else in the PR, ' is used and only here " is used. Is there any convention followed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just copied and changed previous line :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm, even that is not consistent with the previous add_option calls. This shouldn't matter anyway.

action="store",
dest="openssl_fips",
help="Build OpenSSL using FIPS canister .o file in supplied folder")

shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
Expand Down Expand Up @@ -720,6 +725,16 @@ def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_global_settings'] = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using make_global_settings like that is a horrible and not very portable hack.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, what would be your suggestion to override the linker command?

['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
o['variables']['openssl_fips'] = ''


if options.without_ssl:
return
Expand Down Expand Up @@ -1025,10 +1040,21 @@ configure_fullystatic(output)
# move everything else to target_defaults
variables = output['variables']
del output['variables']

# make_global_settings should be a root level element too
if 'make_global_settings' in output:
make_global_settings = output['make_global_settings']
del output['make_global_settings']
else:
make_global_settings = False

output = {
'variables': variables,
'target_defaults': output
'target_defaults': output,
}
if make_global_settings:
output['make_global_settings'] = make_global_settings

pprint.pprint(output, indent=2)

write('config.gypi', do_not_edit +
Expand Down
15 changes: 15 additions & 0 deletions deps/openssl/fips/fipscc
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
#!/bin/sh
ARGS=
CXX=${CXX:-g++}

while [ "x$1" != "x" ]; do
ARG=$1
shift
case $ARG in
*fips_premain.c) ARGS="$ARGS -x c $ARG -x none";;
*) ARGS="$ARGS $ARG";;
esac
done

echo $CXX $ARGS
${CXX} $ARGS
8 changes: 8 additions & 0 deletions deps/openssl/fips/fipsld
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/sh

# NOTE: Just a wrapper around normal fipsld
FIPSLD=$1
shift

DIR=`dirname $0`
FIPSLD_CC=$DIR/fipscc $FIPSLD $@
23 changes: 23 additions & 0 deletions deps/openssl/openssl.gyp
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
'openssl_no_asm%': 0,
'llvm_version%': 0,
'gas_version%': 0,
'openssl_fips%': 'false',
},
'targets': [
{
Expand All @@ -21,6 +22,28 @@
['exclude', 'store/.*$']
],
'conditions': [
# FIPS
['openssl_fips != ""', {
'defines': [
'OPENSSL_FIPS',
],
'include_dirs': [
'<(openssl_fips)/include',
],

# Trick fipsld, it expects to see libcrypto.a
'product_name': 'crypto',

'direct_dependent_settings': {
'defines': [
'OPENSSL_FIPS',
],
'include_dirs': [
'<(openssl_fips)/include',
],
},
}],

['openssl_no_asm!=0', {
# Disable asm
'defines': [
Expand Down
4 changes: 2 additions & 2 deletions node.gyp
Original file line number Diff line number Diff line change
Expand Up @@ -233,13 +233,13 @@
[ 'node_target_type!="static_library"', {
'xcode_settings': {
'OTHER_LDFLAGS': [
'-Wl,-force_load,<(PRODUCT_DIR)/libopenssl.a',
'-Wl,-force_load,<(PRODUCT_DIR)/<(OPENSSL_PRODUCT)',
],
},
'conditions': [
['OS in "linux freebsd"', {
'ldflags': [
'-Wl,--whole-archive <(PRODUCT_DIR)/libopenssl.a',
'-Wl,--whole-archive <(PRODUCT_DIR)/<(OPENSSL_PRODUCT)',
'-Wl,--no-whole-archive',
],
}],
Expand Down
9 changes: 9 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -5071,6 +5071,15 @@ void InitCryptoOnce() {
CRYPTO_set_locking_callback(crypto_lock_cb);
CRYPTO_THREADID_set_callback(crypto_threadid_cb);

#ifdef OPENSSL_FIPS
if (!FIPS_mode_set(1)) {
int err = ERR_get_error();
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
UNREACHABLE();
}
#endif // OPENSSL_FIPS


// Turn off compression. Saves memory and protects against CRIME attacks.
#if !defined(OPENSSL_NO_COMP)
#if OPENSSL_VERSION_NUMBER < 0x00908000L
Expand Down