node 4.2: FIPS-compliance can not compile native libraries after install #3815

Closed
ayohrling opened this issue Nov 13, 2015 · 2 comments
Labels
build Issues and PRs related to build files or the CI. crypto Issues and PRs related to the crypto subsystem. tls Issues and PRs related to the tls subsystem.

Comments

@ayohrling

When configuring NodeJS with FIPS-compliance, the configure script adds make_global_options that includes a fipsld and fipscc wrapper script around the standard fipsld script when creating the config.gypi file. This works fine to compile NodeJS and install initially; however, when using npm to install native libraries, the compile fails because it does not have access to those initial wrapper scripts.

I am looking for a work-around here, but it seems to me that ideally these wrappers need to be part of the installed files when openssl-fips is enabled in the building of NodeJS and the process.config (which node-gyp reads later to process native library installation) needs to be updated/reflected by this installed location.

@mscdex mscdex added tls Issues and PRs related to the tls subsystem. crypto Issues and PRs related to the crypto subsystem. build Issues and PRs related to build files or the CI. labels Nov 13, 2015
@ayohrling
Author

Ok, so after a couple hours of testing/work I at least have a work-around that is functioning. I installed the wrappers in deps/openssl/fips/{fipsld,fipscc} into /usr/include/node/openssl/fips/, then when I built I ran configure with --openssl-fips as normal, but edited the config.gypi file before running make to change the BUILDDIR/deps/openssl/fips/fipsld line to /usr/include/node/openssl/fips/fipsld.

I am creating/created RPMs so I did this all a bit more dynamically with specfiles, but essentially this works. I attempted originally to edit the install.py script to push the fipsld/fipscc wrappers out with the make install command only if openssl_fips was set, which worked, but since that was after the nodejs binary was already built with the other settings, process.config still returned the build path, which still caused the same npm install failures.

This is certainly not an ideal solution; I think a more ideal solution is going to require a lot more refactoring on how to build for FIPS-compliance.

@stefanmb
Contributor

This is... unfortunate. I haven't been running into this problem because I was compiling Node and installing it on the same machine as OpenSSL, so the paths were resolving correctly. I'll try to look at this next week, if you don't beat me to it. :)

@shigeki shigeki closed this as completed in 181816e Dec 3, 2015
rvagg pushed a commit that referenced this issue Dec 5, 2015
Prevent OpenSSL's fipsld from being used to link native modules
because this requires the original OpenSSL source to be
available after Node's installation.

Fixes: #3815
PR-URL: #4023
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
MylesBorins pushed a commit that referenced this issue Dec 29, 2015
MylesBorins pushed a commit that referenced this issue Jan 19, 2016
scovetta pushed a commit to scovetta/node that referenced this issue Apr 2, 2016