Skip to content

Commit

Permalink
crypto: support FIPS mode of OpenSSL
Browse files Browse the repository at this point in the history
Support building and running with FIPS-compliant OpenSSL. The process is
following:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
   https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
   (NOTE: On OS X, you may want to run
    ``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
    build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)

Fix: nodejs/node-v0.x-archive#25463
PR-URL: nodejs#1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
  • Loading branch information
indutny committed Jun 10, 2015
1 parent 53a4eb3 commit 0f68377
Show file tree
Hide file tree
Showing 8 changed files with 112 additions and 3 deletions.
23 changes: 23 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@

io.js
=====

Expand Down Expand Up @@ -249,6 +250,28 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
> vcbuild full-icu
```

# Building io.js with FIPS-compliant OpenSSL

NOTE: Windows is not yet supported

It is possible to build io.js with
[OpenSSL FIPS module](https://www.openssl.org/docs/fips/fipsnotes.html).

Instructions:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)

## Resources for Newcomers

* [CONTRIBUTING.md](./CONTRIBUTING.md)
Expand Down
5 changes: 5 additions & 0 deletions common.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,11 @@
'OBJ_DIR': '<(PRODUCT_DIR)/obj.target',
'V8_BASE': '<(PRODUCT_DIR)/obj.target/deps/v8/tools/gyp/libv8_base.a',
}],
['openssl_fips != ""', {
'OPENSSL_PRODUCT': 'libcrypto.a',
}, {
'OPENSSL_PRODUCT': 'libopenssl.a',
}],
['OS=="mac"', {
'clang%': 1,
}, {
Expand Down
28 changes: 27 additions & 1 deletion configure
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,11 @@ parser.add_option("--openssl-no-asm",
dest="openssl_no_asm",
help="Do not build optimized assembly for OpenSSL")

parser.add_option('--openssl-fips',
action='store',
dest='openssl_fips',
help='Build OpenSSL using FIPS canister .o file in supplied folder')

shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
Expand Down Expand Up @@ -720,6 +725,16 @@ def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_global_settings'] = [
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
o['variables']['openssl_fips'] = ''


if options.without_ssl:
return
Expand Down Expand Up @@ -1025,10 +1040,21 @@ configure_fullystatic(output)
# move everything else to target_defaults
variables = output['variables']
del output['variables']

# make_global_settings should be a root level element too
if 'make_global_settings' in output:
make_global_settings = output['make_global_settings']
del output['make_global_settings']
else:
make_global_settings = False

output = {
'variables': variables,
'target_defaults': output
'target_defaults': output,
}
if make_global_settings:
output['make_global_settings'] = make_global_settings

pprint.pprint(output, indent=2)

write('config.gypi', do_not_edit +
Expand Down
15 changes: 15 additions & 0 deletions deps/openssl/fips/fipscc
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
#!/bin/sh
ARGS=
CXX=${CXX:-g++}

while [ "x$1" != "x" ]; do
ARG=$1
shift
case $ARG in
*fips_premain.c) ARGS="$ARGS -x c $ARG -x none";;
*) ARGS="$ARGS $ARG";;
esac
done

echo $CXX $ARGS
${CXX} $ARGS
8 changes: 8 additions & 0 deletions deps/openssl/fips/fipsld
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/sh

# NOTE: Just a wrapper around normal fipsld
FIPSLD=$1
shift

DIR=`dirname $0`
FIPSLD_CC=$DIR/fipscc $FIPSLD $@
23 changes: 23 additions & 0 deletions deps/openssl/openssl.gyp
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
'openssl_no_asm%': 0,
'llvm_version%': 0,
'gas_version%': 0,
'openssl_fips%': 'false',
},
'targets': [
{
Expand All @@ -21,6 +22,28 @@
['exclude', 'store/.*$']
],
'conditions': [
# FIPS
['openssl_fips != ""', {
'defines': [
'OPENSSL_FIPS',
],
'include_dirs': [
'<(openssl_fips)/include',
],

# Trick fipsld, it expects to see libcrypto.a
'product_name': 'crypto',

'direct_dependent_settings': {
'defines': [
'OPENSSL_FIPS',
],
'include_dirs': [
'<(openssl_fips)/include',
],
},
}],

['openssl_no_asm!=0', {
# Disable asm
'defines': [
Expand Down
4 changes: 2 additions & 2 deletions node.gyp
Original file line number Diff line number Diff line change
Expand Up @@ -234,13 +234,13 @@
[ 'node_target_type!="static_library"', {
'xcode_settings': {
'OTHER_LDFLAGS': [
'-Wl,-force_load,<(PRODUCT_DIR)/libopenssl.a',
'-Wl,-force_load,<(PRODUCT_DIR)/<(OPENSSL_PRODUCT)',
],
},
'conditions': [
['OS in "linux freebsd"', {
'ldflags': [
'-Wl,--whole-archive <(PRODUCT_DIR)/libopenssl.a',
'-Wl,--whole-archive <(PRODUCT_DIR)/<(OPENSSL_PRODUCT)',
'-Wl,--no-whole-archive',
],
}],
Expand Down
9 changes: 9 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -5097,6 +5097,15 @@ void InitCryptoOnce() {
CRYPTO_set_locking_callback(crypto_lock_cb);
CRYPTO_THREADID_set_callback(crypto_threadid_cb);

#ifdef OPENSSL_FIPS
if (!FIPS_mode_set(1)) {
int err = ERR_get_error();
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
UNREACHABLE();
}
#endif // OPENSSL_FIPS


// Turn off compression. Saves memory and protects against CRIME attacks.
#if !defined(OPENSSL_NO_COMP)
#if OPENSSL_VERSION_NUMBER < 0x00908000L
Expand Down

0 comments on commit 0f68377

Please sign in to comment.