squash! build,src,test,doc: enable FIPS for OpenSSL 3.0
danbev committed May 12, 2021
commit ccb63c06ea29be40b17a9afc6a73884ace7906c9
30 changes: 15 additions & 15 deletions BUILDING.md
Expand Up @@ -763,15 +763,15 @@ The current version of Node.js does not support FIPS when statically linking
(the default) with OpenSSL 1.1.1 but for dynamically linking it is possible
to enable FIPS using the configuration flag `--openssl-is-fips`.

### Configuring and Building quictls/openssl for FIPS
### Configuring and building quictls/openssl for FIPS

For quictls/openssl 3.0 it is possible to enable FIPS when dynamically linking.
Node.js currently uses openssl-3.0.0+quic which can be configured as
follows:
```console
$ git clone git@github.com:quictls/openssl.git
$ cd openssl
$ ./config -Werror --strict-warnings --debug --prefix=/path/to/install/dir/ shared enable-fips linux-x86_64
$ ./config --prefix=/path/to/install/dir/ shared enable-fips linux-x86_64
```
This can be compiled and installed using the following commands:
```console
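Review bot: the clone step never checks out the openssl-3.0.0+quic version the paragraph says Node.js uses, so `git clone` followed by `cd openssl` leaves the reader on the fork's default branch; add a checkout of the matching tag or branch (a placeholder such as `git checkout <openssl-3.0.0+quic tag>`) before `./config`, otherwise the fips.so and fipsmodule.cnf built here may not correspond to the OpenSSL Node.js bundles. The `git@github.com:` URL also needs an SSH key registered with GitHub; an https clone URL is enough for readers who only need read access.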
Expand All @@ -790,7 +790,7 @@ use the generated FIPS configuration file (`fipsmodule.cnf`):
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# included /path/to/install/dir/ssl/fipsmodule.cnf.
fips = fips_sect

[default_sect]
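Review bot: the comment now names /path/to/install/dir/ssl/fipsmodule.cnf, which is clearer, but the text should also say that this file is generated by `openssl fipsinstall` during `make install` and carries the integrity MAC of fips.so, so it must be regenerated rather than copied whenever the FIPS module is rebuilt; a stale fipsmodule.cnf makes the provider fail its self-test and not load. It is also worth stating that `fips_sect` has to be the section name written into that generated file, not a name the reader picks.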
Expand All @@ -816,16 +816,16 @@ $ make -j8
Verify the produced executable:
```console
$ ldd ./node
linux-vdso.so.1 (0x00007ffd7917b000)
libcrypto.so.81.3 => /path/to/install/dir/lib/libcrypto.so.81.3 (0x00007fd911321000)
libssl.so.81.3 => /path/to/install/dir/lib/libssl.so.81.3 (0x00007fd91125e000)
libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007fd911232000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fd911039000)
libm.so.6 => /usr/lib64/libm.so.6 (0x00007fd910ef3000)
libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007fd910ed9000)
libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007fd910eb5000)
libc.so.6 => /usr/lib64/libc.so.6 (0x00007fd910cec000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd9117f2000)
linux-vdso.so.1 (0x00007ffd7917b000)
libcrypto.so.81.3 => /path/to/install/dir/lib/libcrypto.so.81.3 (0x00007fd911321000)
libssl.so.81.3 => /path/to/install/dir/lib/libssl.so.81.3 (0x00007fd91125e000)
libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007fd911232000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fd911039000)
libm.so.6 => /usr/lib64/libm.so.6 (0x00007fd910ef3000)
libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007fd910ed9000)
libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007fd910eb5000)
libc.so.6 => /usr/lib64/libc.so.6 (0x00007fd910cec000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd9117f2000)
```
Member
Can also run process.report.getReport() in Node.js and look at the sharedObjects section to see loaded libraries.

Contributor Author
I'll add a note about using it. I think it might be useful to keep the ldd command just as a way to make sure the libraries can be found or node will not be able to run.

Member
+1 for keeping the ldd command. I'm pointing out an alternative... we could possibly also use the report in tests in the future as additional verification.

If the `ldd` command says that `libcrypto` cannot be found one needs to set
`LD_LIBRARY_PATH` to point to the directory used above for
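Review bot: the `ldd` listing shows libcrypto.so.81.3 and libssl.so.81.3; a sentence noting that the `.81.3` soname is what the quictls fork produces (upstream OpenSSL 3.0 installs libcrypto.so.3) would stop readers from assuming the wrong library was picked up. The hex load addresses vary on every run because of ASLR, so either mark them as illustrative or trim them. The process.report.getReport() alternative raised in the comments belongs in this section too: its sharedObjects list shows what the running node process actually mapped, which is the stronger check that the FIPS-capable libcrypto from /path/to/install/dir/lib, not a system copy, was loaded.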
Expand All @@ -834,7 +834,7 @@ If the `ldd` command says that `libcrypto` cannot be found one needs to set
Verify the OpenSSL version:
```console
$ ./node -p process.versions.openssl
3.0.0-alpha15+quic
3.0.0-alpha16+quic
```

Verify that FIPS is available:
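Review bot: hard-coding `3.0.0-alpha16+quic` as the expected output will go stale on the next bump, as this very change (alpha15 to alpha16) shows; phrase it as "the version of the OpenSSL you built, for example 3.0.0-alpha16+quic", and add that output without the `+quic` suffix or with an unexpected version means node is loading a different libcrypto than the one built above.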
Expand Down Expand Up @@ -870,7 +870,7 @@ be updated. The following shows an example:
```console
openssl_conf = openssl_init

.include /path/to/install/dir/lib/ossl-modules/fips.so.cnf
.include /path/to/install/dir/ssl/fipsmodule.cnf

[openssl_init]
providers = prov
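Review bot: pointing `.include` at the generated fipsmodule.cnf instead of fips.so.cnf is the right file, but OpenSSL 3.0 silently ignores an `.include` whose file cannot be opened unless `config_diagnostics = 1` is set in the default section; without it a typo in /path/to/install/dir/ssl/fipsmodule.cnf leaves the fips provider unloaded with no error. Add `config_diagnostics = 1` above the `.include` line, or tell the reader to confirm with `openssl list -providers`, so that a bad path fails loudly.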
2 changes: 1 addition & 1 deletion src/crypto/crypto_util.h
Expand Up @@ -24,7 +24,7 @@
#endif // !OPENSSL_NO_ENGINE
// The FIPS-related functions are only available
// when the OpenSSL itself was compiled with FIPS support.
#ifdef OPENSSL_FIPS
#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3
# include <openssl/fips.h>
#endif // OPENSSL_FIPS

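Review bot: `OPENSSL_VERSION_MAJOR` is only defined by OpenSSL 3.0's opensslv.h, and an undefined identifier evaluates to 0 inside `#if`, so if no header that pulls in <openssl/opensslv.h> precedes this check, `OPENSSL_VERSION_MAJOR < 3` is true under OpenSSL 3.0 as well and `<openssl/fips.h>` (absent in 3.0) gets included; include opensslv.h explicitly before this block rather than relying on the order of earlier includes. The trailing `#endif // OPENSSL_FIPS` comment should also be updated to match the new condition.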