Skip to content

Commit

Permalink
build: add OpenSSL-1.1.0 support
Browse files Browse the repository at this point in the history
- For Windows, nasm is new build requirements and openssl_no_asm is
  set to 1 with warning if it is not installed.
- For use of openssl assemble codes, either gas_version >= 2.23,
  xcode_version >= 5.0 ,llvm_version >= 3.3 or nasm_version >= 2.10 is
  needed. Otherwise, openssl_no_asm is set to 1 with warning.
- FIPS is not supported in OpenSSL-1.1.0 so that it leads an error
  when openssl_fips options is enabled in configure.
  • Loading branch information
shigeki committed Apr 4, 2018
1 parent 68d11bf commit 9e38498
Show file tree
Hide file tree
Showing 4 changed files with 68 additions and 61 deletions.
56 changes: 18 additions & 38 deletions BUILDING.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,23 @@ Depending on host platform, the selection of toolchains may vary.

* Visual Studio 2017 or the Build Tools thereof

#### OpenSSL asm support

OpenSSL-1.1.0 requires the following asssember version for use of asm
support.

* gas (GNU assembler) version 2.23 or higher
* xcode version 5.0 or higher
* llvm version 3.3 or higher
* nasm version 2.10 or higher in Windows

Otherwise, `--openssl-no-asm` is added with warning in configure.

*Note:* The forthcoming OpenSSL-1.1.1 will require more higher
version. Please refer
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for
details.

## Building Node.js on supported platforms

*Note:* All prerequisites can be easily installed by following
Expand Down Expand Up @@ -377,44 +394,7 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)

## Building Node.js with FIPS-compliant OpenSSL

It is possible to build Node.js with the
[OpenSSL FIPS module](https://www.openssl.org/docs/fipsnotes.html) on POSIX
systems. Windows is not supported.

Building in this way does not mean the runtime is FIPS 140-2 validated, but
rather that the runtime uses a validated module. In addition, the validation for
the underlying module is only valid if it is deployed in accordance with its
[security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
If you need FIPS validated cryptography it is recommended that you read both
the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
and [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).

### Instructions

1. Obtain a copy of openssl-fips-x.x.x.tar.gz.
To comply with the security policy you must ensure the path
through which you get the file complies with the requirements
for a "secure installation" as described in section 6.6 in
the [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).
For evaluation/experimentation, you can simply download and verify
`openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder and `cd openssl-fips`
3. `./config`
4. `make`
5. `make install`
(NOTE: to comply with the security policy you must use the exact
commands in steps 3-5 without any additional options as per
Appendix A in the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
The only exception is that `./config no-asm` can be
used in place of `./config`, and the FIPSDIR environment variable
may be used to specify a non-standard install folder for the
validated module, as per User Guide sections 4.2.1, 4.2.2, and 4.2.3.
6. Get into Node.js checkout folder
7. `./configure --openssl-fips=/path/to/openssl-fips/installdir`
For example on ubuntu 12 the installation directory was
`/usr/local/ssl/fips-2.0`
8. Build Node.js with `make -j`
9. Verify with `node -p "process.versions.openssl"` (for example `1.0.2a-fips`)
This version of Node.js does not support FIPS.

## Building Node.js with external core modules

Expand Down
67 changes: 47 additions & 20 deletions configure
Original file line number Diff line number Diff line change
Expand Up @@ -639,6 +639,25 @@ def get_version_helper(cc, regexp):
else:
return 0

def get_nasm_version(asm):
try:
proc = subprocess.Popen(shlex.split(asm) + ['-v'],
stdin=subprocess.PIPE, stderr=subprocess.PIPE,
stdout=subprocess.PIPE)
except OSError:
warn('''No acceptable ASM compiler found!
Please make sure you have installed nasm from http://www.nasm.us
and refer BUILDING.md.''')
return 0

match = re.match(r"NASM version ([2-9]\.[0-9][0-9]+)",
proc.communicate()[0])

if match:
return match.group(1)
else:
return 0

def get_llvm_version(cc):
return get_version_helper(
cc, r"(^(?:FreeBSD )?clang version|based on LLVM) ([3-9]\.[0-9]+)")
Expand Down Expand Up @@ -677,6 +696,11 @@ def get_gas_version(cc):
# quite prepared to go that far yet.
def check_compiler(o):
if sys.platform == 'win32':
if not options.openssl_no_asm:
nasm_version = get_nasm_version('nasm')
o['variables']['nasm_version'] = nasm_version
if nasm_version == 0:
o['variables']['openssl_no_asm'] = 1
return

ok, is_clang, clang_version, gcc_version = try_check_compiler(CXX, 'c++')
Expand Down Expand Up @@ -1039,32 +1063,35 @@ def configure_v8(o):


def configure_openssl(o):
o['variables']['node_use_openssl'] = b(not options.without_ssl)
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
variables = o['variables'];
variables['node_use_openssl'] = b(not options.without_ssl)
variables['node_shared_openssl'] = b(options.shared_openssl)
variables['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.use_openssl_ca_store:
o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_system_ca_path:
o['variables']['openssl_system_ca_path'] = options.openssl_system_ca_path
o['variables']['node_without_node_options'] = b(options.without_node_options)
variables['openssl_system_ca_path'] = options.openssl_system_ca_path
variables['node_without_node_options'] = b(options.without_node_options)
if options.without_node_options:
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']

# supported asm compiler for AVX2. See https://github.com/openssl/openssl/
# blob/OpenSSL_1_1_0-stable/crypto/modes/asm/aesni-gcm-x86_64.pl#L52-L69
openssl110_asm_supported = \
('gas_version' in variables and variables['gas_version'] >= '2.23') or \
('xcode_version' in variables and variables['xcode_version'] >= '5.0') or \
('llvm_version' in variables and variables['llvm_version'] >= '3.3') or \
('nasm_version' in variables and variables['nasm_version'] >= '2.10')

if not openssl110_asm_supported and variables['openssl_no_asm'] == 0:
warn('''openssl_no_asm is enabled due to missed or old assembler.
Please refer BUILDING.md''')
variables['openssl_no_asm'] = 1

if options.openssl_fips:
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join('deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
# LINK is for Makefiles, LD/LDXX is for ninja
o['make_fips_settings'] = [
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
['LD', fips_ld + ' <(openssl_fips)/bin/fipsld'],
['LDXX', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
o['variables']['openssl_fips'] = ''
try:
os.remove('config_fips.gypi')
except OSError:
pass
print('Error: FIPS is not supported yet in this version')
exit(1)
variables['openssl_fips'] = ''

if options.without_ssl:
def without_ssl_error(option):
Expand Down
4 changes: 2 additions & 2 deletions node.gyp
Original file line number Diff line number Diff line change
Expand Up @@ -608,8 +608,8 @@
{
'action_name': 'mkssldef',
'inputs': [
'deps/openssl/openssl/util/libeay.num',
'deps/openssl/openssl/util/ssleay.num',
'deps/openssl/openssl/util/libcrypto.num',
'deps/openssl/openssl/util/libssl.num',
],
'outputs': ['<(SHARED_INTERMEDIATE_DIR)/openssl.def'],
'action': [
Expand Down
2 changes: 1 addition & 1 deletion tools/mkssldef.py
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@

for filename in filenames:
for line in open(filename).readlines():
name, _, meta, _ = re.split('\s+', line)
name, _, _, meta, _ = re.split('\s+', line)
if any(map(lambda p: p.match(name), excludes)): continue
meta = meta.split(':')
assert meta[0] in ('EXIST', 'NOEXIST')
Expand Down

0 comments on commit 9e38498

Please sign in to comment.