Closed
Changes from 1 commit
30 commits
ccce47b
deps: update openssl/config files for OpenSSL 3.0
danbev Apr 14, 2021
79e0f36
build: update gyp files (needs more work)
danbev Apr 26, 2021
f84f775
doc: update maintaining-openssl.md for 3.0
danbev May 24, 2021
6559ac6
src: suppress compilation warning in inspector_socket.cc
danbev May 26, 2021
4e7b938
tools: fix execvp: printf: Argument list too long
danbev May 31, 2021
f925654
deps: add aix64-gcc-as architecture and p2align callback
danbev Jul 16, 2021
2b1d3ab
deps: add archs for aix64-gcc-as
danbev Jun 3, 2021
2061560
deps: update tmpl to use aix64-gcc-as and gen headers
danbev Jun 3, 2021
31b25f2
deps: update openssl gyp files to use aix64-gcc-as
danbev Jun 3, 2021
88fa91b
build: add fips target and fipsinstall action
danbev Jun 16, 2021
d42fbb5
tools,build: add PRODUCT_DIR_ABS default gyp var
danbev Jun 17, 2021
f513ee6
build: use PRODUCT_DIR_ABS for MODULESDIR
danbev Jun 17, 2021
a342a3a
deps: set OPENSSLDIR to obj_dir_abs/deps/openssl
danbev Jun 17, 2021
70193c7
build: add an action to revert openssl.cnf
danbev Jun 17, 2021
7466e13
deps: add makefile/Makefile.in to openssl .gitignore
danbev Jun 23, 2021
1f2d021
deps: update providers/common/include/prov paths
danbev Jun 23, 2021
e5180c8
deps: generate bn_conf and dso_conf headers
danbev Jun 24, 2021
c4db85e
test: use modulus size of 512 for OpenSSL3
danbev Jun 28, 2021
8c182ad
deps: add crypto/bn/asm/s390x.S for s390 arch
danbev Jun 29, 2021
b6ebe23
deps: fix include_no-asm template
danbev Jun 30, 2021
47987da
deps: update deps/openssl/README.md for 3.0.0
danbev Jul 20, 2021
cf7a0c2
deps: cleanup generate_headers.pl
danbev Jul 20, 2021
36df15e
build,tools: remove openssl_fips and config_fips.gypi
danbev Jul 20, 2021
d88ee14
doc: update BUILDING.md with static FIPS section
danbev Jul 20, 2021
4790e49
src,tools: include new quic.h header
danbev Jul 30, 2021
8022a2e
deps: upgrade openssl sources to quictls/openssl-3.0.0+quic
danbev Sep 8, 2021
e2f2a93
deps: update archs files for quictls/openssl-3.0.0+quic
danbev Sep 8, 2021
4297b2a
deps: regenerate linux64-riscv64 arch files
danbev Sep 21, 2021
c7795e9
squash! doc: update BUILDING.md with static FIPS section
danbev Oct 7, 2021
07ded8b
squash! tools,build: add PRODUCT_DIR_ABS default gyp var
danbev Oct 7, 2021
doc: update BUILDING.md with static FIPS section
This commit adds a section with information about enabling FIPS support
when statically linking.
danbev committed Oct 10, 2021
commit d88ee148fef4ecaa3863451049837fe118b48310
46 changes: 41 additions & 5 deletions BUILDING.md
Expand Up @@ -764,11 +764,47 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)

## Building Node.js with FIPS-compliant OpenSSL

The current version of Node.js does not support FIPS when statically linking
(the default) with OpenSSL 1.1.1 but for dynamically linking it is possible
to enable FIPS using the configuration flag `--openssl-is-fips`.
The current version of Node.js supports FIPS when statically and
dynamically linking with OpenSSL 3.0.0 by using the configuration flag
`--openssl-is-fips`.

### Configuring and building quictls/openssl for FIPS
### FIPS support when statically linking OpenSSL
FIPS can be supported by specifying the configuration flag `--openssl-is-fips`:
```console
$ ./configure --openssl-is-fips
$ make -j8
```

The above command will build and install the FIPS module into the out directory.
This includes building fips.so, running the `installfips` command that generates
the FIPS configuration file (fipsmodule.cnf), copying and updating openssl.cnf
to include the correct path to fipsmodule.cnf and finally uncomment the fips
section.

We can then run node specifying --enable-fips:
```console
$ ./node --enable-fips -p 'crypto.getFips()'
1
```
The above will use the Node.js default locations for OpenSSL 3.0:
```console
$ ./out/Release/openssl-cli version -m -d
OPENSSLDIR: "/nodejs/openssl/out/Release/obj.target/deps/openssl"
MODULESDIR: "/nodejs/openssl/out/Release/obj.target/deps/openssl/lib/openssl-modules"
```
The OpenSSL configuration files will be found in `OPENSSLDIR` directory above:
```console
$ ls -w 1 out/Release/obj.target/deps/openssl/*.cnf
out/Release/obj.target/deps/openssl/fipsmodule.cnf
out/Release/obj.target/deps/openssl/openssl.cnf
```
And the FIPS module will be located in the `MODULESDIR` directory:
```console
$ ls out/Release/obj.target/deps/openssl/lib/openssl-modules/
fips.so
```

### FIPS support when dynamically linking OpenSSL

For quictls/openssl 3.0 it is possible to enable FIPS when dynamically linking.
If you want to build Node.js using openssl-3.0.0+quic, you can follow these
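Review bot: the `openssl-cli version -m -d` output in the static-linking section shows OPENSSLDIR and MODULESDIR as absolute paths inside the build tree (`out/Release/obj.target/deps/openssl`), but the text only calls them "the Node.js default locations" and does not say what happens once the binary is copied or installed somewhere else. Suggest adding a sentence that `--enable-fips` depends on `openssl.cnf`, `fipsmodule.cnf` and `fips.so` staying at those paths, and how to point at another location (OpenSSL 3.0 reads the `OPENSSL_CONF` and `OPENSSL_MODULES` environment variables). Smaller points in the same section: the paragraph after the `make -j8` block names the command `installfips`, while the OpenSSL command is `fipsinstall`; "finally uncomment the fips section" should read "uncommenting" to match the other items in that sentence; `fips.so`, `fipsmodule.cnf`, `openssl.cnf` and `--enable-fips` should be in backticks; and the new heading and the fenced blocks need blank lines around them.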
Expand Down Expand Up @@ -811,7 +847,7 @@ find the `fipsmodule.cnf` file - let's add the following to the end of the
**alter openssl.cnf**

```text
.include fipsmodule.cnf
.include /absolute/path/to/fipsmodule.cnf

# List of providers to load
[provider_sect]
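Review bot: `.include /absolute/path/to/fipsmodule.cnf` is a placeholder, and nothing in the visible text around the **alter openssl.cnf** block tells the reader to substitute it or why the path is now absolute. Suggest a sentence before the block saying to replace it with the location of the generated `fipsmodule.cnf`, and that an absolute path is used because a relative `.include` is resolved against the working directory the process is started from, so which file is loaded (or whether one is found at all) would otherwise depend on where node is run.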