Windows vcbuild is missing FIPS support, like ./configure --openssl-fips #14115
Comments
@refack I've started digging into this, trying to figure out how FIPS builds work on any platform. Is the
It's a really boring process, but surreptitiously we've declared an impromptu "Windows ❤️ " hackathon for this weekend #4603 (comment), hopefully I'll wrap up the powershell goop. tl;dr find out what comes after the
Does anybody know (@refack?) whether the
will also have an effect on Windows .sln files? It's not clear to me whether it's possible to replace the Windows linker with a different command using gyp.
@joaocgreis maybe you know something of this? I'm trying to convince the sln files (via gyp) to do what is described in section 5.3.2 of https://www.openssl.org/docs/fips/UserGuide-2.0.pdf, which seems to be covered by defining the LINK property for Makefile based builds, but I'm having trouble seeing if it does anything on sln based builds.
@sam-github I don't think it does. Linking is done by msbuild. Maybe you can persuade GYP to invoke it with The ninja generator lets you override it through (LD is not a typo, the ninja generator doesn't call it LINK for some reason.)
@bnoordhuis thanks! I'll try ninja, I'd just convinced myself that
Notes for those coming after...
"Holy ___________, Batman!"
The ninja builds fail for linux with FIPS, they need to define
diff --git a/configure b/configure
index e0369f3..be9166d 100755
--- a/configure
+++ b/configure
@@ -987,6 +987,8 @@ def configure_openssl(o):
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_fips_settings'] = [
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
+ ['LD', fips_ld + ' <(openssl_fips)/bin/fipsld'],
+ ['LDXX', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
o['variables']['openssl_fips'] = '' I tested by manually hacking up the build.ninja to do |
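Review bot: the two added entries repeat the `fips_ld + ' <(openssl_fips)/bin/fipsld'` expression that the existing 'LINK' entry already carries, so the same command is now spelled out three times in one list; bind it once, e.g. `fips_link = fips_ld + ' <(openssl_fips)/bin/fipsld'`, and use it for 'LINK', 'LD' and 'LDXX'. A one-line comment above the list saying that the make generator honours LINK while the ninja generator reads LD/LDXX would also stop the next reader from deleting two of the three as redundant.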
Doesn't LINK work? I thought it let you override the C++ linker (on Linux, not on Windows.) Does this patch make a difference?
diff --git a/tools/gyp/pylib/gyp/generator/ninja.py b/tools/gyp/pylib/gyp/generator/ninja.py
index 1f67c94..91082c9 100644
--- a/tools/gyp/pylib/gyp/generator/ninja.py
+++ b/tools/gyp/pylib/gyp/generator/ninja.py
@@ -1931,6 +1931,10 @@ def GenerateOutputForConfig(target_list, target_dicts, data, params,
ld = os.path.join(build_to_root, value)
if key == 'LD.host':
ld_host = os.path.join(build_to_root, value)
+ if key == 'LINK':
+ ldxx = os.path.join(build_to_root, value)
+ if key == 'LINK.host':
+ ldxx_host = os.path.join(build_to_root, value)
if key == 'NM':
nm = os.path.join(build_to_root, value)
if key == 'NM.host': |
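Review bot: the new 'LINK' and 'LINK.host' branches assign only ldxx and ldxx_host, so a LINK setting overrides the C++ link step but leaves the C link step on whatever ld/ld_host were set to; the configure hunk in this thread had to add both LD and LDXX to get a FIPS link, which suggests C targets need the override too. Either set ld alongside ldxx when key == 'LINK' (and ld_host alongside ldxx_host for 'LINK.host'), or keep LD/LDXX as the ninja interface and document that LINK here is C++-only.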
@refack any idea why the configure script would be dying with
It's a
P.S.
@refack thanks a lot! I'm not trying to cross compile, maybe I should be using
Assuming you're using the machine you were using before (mania) then it's 64-bit.
I believe @sam-github's conclusion was that Windows FIPS support is basically unattainable. I'll close this out, reopen if I'm mistaken.
@sam-github do post a post-mortem please...
Sam is on holiday but the big blocker was the CRT to link against - /MT vs. /MD - which you are not allowed to change if you want to be FIPS-compliant (and compliance is the point of this exercise.) https://mta.openssl.org/pipermail/openssl-users/2017-July/006097.html for the interested.
@sam-github Is there any followup to this? I am about to embark on a similar journey, trying to compile FIPS openssl into a windows build of node. Compiling FIPS+openssl is an endeavor into itself, and you seem to have taken a deep dive into this effort before. If there is any wisdom you can share (including whether "Windows FIPS support is basically unattainable") it would be greatly appreciated 🙏
I hit a dead end. AFAICT, the fips stub is compiled against the single-threaded runtime, which cannot be changed without invalidating the FIPS cert, and node is compiled against multi-threaded, and must be. This seemed irreconcilable to me, though maybe those are all just warnings, and can be ignored. Also, gyp is horrible, and nmake is bad. Trying to get gyp to output the correct nmake files using the perl link script seems impossible, so I used the ninja output. I didn't try to get gyp to output correct ninja build rules for FIPS, I just directly hacked the .ninja files to try to build, figuring if I could get success at that (I didn't), I could then backtrack and try to figure out how to get gyp to output the correct .ninja files.
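The /MT vs. /MD mismatch described in the two comments above is recorded in the objects themselves: MSVC writes a `/DEFAULTLIB:` linker directive into each object's `.drectve` section naming the C runtime it was compiled against. The script below is an added example (mine, not code from this issue, from Node.js or from OpenSSL) that parses those directives out of `.obj` files and `.lib` archives and reports whether a set of link inputs would pull in more than one runtime flavour, which is the check to run before spending time on the gyp/ninja plumbing. The COFF object and archive it feeds itself are constructed in the script, not real compiler output, and all function names are my own.

```python
import re
import struct

# Default-library names MSVC records in the object's linker-directive section,
# keyed back to the /M compiler switch that selects that C runtime.
CRT_BY_DEFAULTLIB = {
    "LIBCMT": "/MT",    # static multithreaded CRT
    "LIBCMTD": "/MTd",  # static multithreaded CRT, debug
    "MSVCRT": "/MD",    # DLL CRT
    "MSVCRTD": "/MDd",  # DLL CRT, debug
}
DIRECTIVE_RE = re.compile(r'/DEFAULTLIB:"?([A-Za-z0-9_]+)(?:\.lib)?"?', re.IGNORECASE)


def coff_directives(obj: bytes) -> str:
    """Return the text of every .drectve section in a COFF object ('' if none)."""
    if len(obj) < 20:
        return ""
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", obj, 0)
    off = 20 + opt_size                      # section table follows the optional header
    text = ""
    for _ in range(nsections):
        if off + 40 > len(obj):
            break
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", obj, off)
        off += 40
        if name.rstrip(b"\0") == b".drectve":
            text += obj[raw_ptr:raw_ptr + raw_size].decode("ascii", "replace")
    return text


def crt_flags(directives: str) -> set:
    """Map the /DEFAULTLIB entries in a directive string to the CRT switches they imply."""
    libs = (m.upper() for m in DIRECTIVE_RE.findall(directives))
    return {CRT_BY_DEFAULTLIB[lib] for lib in libs if lib in CRT_BY_DEFAULTLIB}


def archive_members(lib: bytes):
    """Yield (name, data) for each member of a COFF archive; a bare object yields itself."""
    if not lib.startswith(b"!<arch>\n"):
        yield ("", lib)
        return
    off = 8
    while off + 60 <= len(lib):              # 60-byte ar member header
        name = lib[off:off + 16].decode("ascii", "replace").strip()
        size = int(lib[off + 48:off + 58].decode("ascii").strip() or "0")
        off += 60
        data = lib[off:off + size]
        if name not in ("/", "//"):          # skip linker-member and longnames tables
            yield (name, data)
        off += size + (size & 1)             # members are padded to even offsets


def crt_of(lib: bytes) -> set:
    """Collect every CRT switch recorded across all objects in a .lib (or a single .obj)."""
    flags = set()
    for _name, data in archive_members(lib):
        if data[:4] == b"\0\0\xff\xff":      # short-format import member: no COFF header
            continue
        flags |= crt_flags(coff_directives(data))
    return flags


def crt_conflict(*inputs: bytes) -> bool:
    """True when the given link inputs together pull in more than one CRT flavour."""
    seen = set()
    for blob in inputs:
        seen |= crt_of(blob)
    return len(seen) > 1


# --- constructed fixtures (not real compiler output) ------------------------

def make_test_object(directive: str) -> bytes:
    """Build a minimal x64 COFF object whose only section is .drectve."""
    data = directive.encode("ascii")
    header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    raw_ptr = 20 + 40                        # header + one section header
    section = struct.pack("<8sIIIIIIHHI", b".drectve", 0, 0, len(data), raw_ptr,
                          0, 0, 0, 0, 0x00100A00)  # LNK_INFO|LNK_REMOVE|ALIGN_1BYTES
    return header + section + data


def make_test_archive(members) -> bytes:
    """Pack (name, data) pairs into a COFF archive with 60-byte member headers."""
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{0:<8}{len(data):<10}`\n".encode("ascii")
        out += data + (b"\n" if len(data) & 1 else b"")
    return out


if __name__ == "__main__":
    fips_obj = make_test_object(' /DEFAULTLIB:"LIBCMT" /DEFAULTLIB:"OLDNAMES" ')
    node_lib = make_test_archive([("node.obj/", make_test_object(' /DEFAULTLIB:"MSVCRT" '))])
    print("fips object:", crt_of(fips_obj))                 # {'/MT'}
    print("node library:", crt_of(node_lib))                # {'/MD'}
    print("CRT conflict:", crt_conflict(fips_obj, node_lib))  # True
```

On a real tree, replace the constructed fixtures with `open(path, "rb").read()` on the FIPS canister's objects and on node's `.lib` outputs; the same parsing applies. Only the directive text is inspected, so a library that mixes runtimes across members shows up as a conflict even before the linker complains.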
@sam-github Thank you so much for sharing these insights 😲
That makes sense to me, but then how does the 'nix built FIPS+node reconcile those differences? Is that because 'nix executables can interact between singlethreaded/multithreaded runtimes while windows executables cannot? (I also recognize that both node and openssl were originally linux made with their windows counterparts developed as second-class citizens, so it's no surprise that the build process here is hellacious). Edit: I just found https://mta.openssl.org/pipermail/openssl-users/2017-July/006126.html I'm still going to take my own stab at this endeavor over this next week, so I'll report back my own attempts. I have never heard of the ninja build system. Is it worth it to try that approach?
Yes. Immensely simpler than MSBuild, and even simpler than make (also more performant as it uses hashes and not timestamps for build cache invalidation).
They don't exist on unixen, there is no equivalent.
node can be linked against a FIPS canister with ./configure --openssl-fips=..., but vcbuild.bat has no equivalent option.