crypto: support FIPS mode of OpenSSL #1890
Conversation
|
R= @nodejs/crypto |
indutny
force-pushed
the
feature/fips-mode
branch
from
c4b3183
to
c133579
Compare
|
Aye, made a mistake in instructions. Force pushed! |
| @@ -720,6 +725,14 @@ def configure_openssl(o): | |||
| o['variables']['node_use_openssl'] = b(not options.without_ssl) | |||
| o['variables']['node_shared_openssl'] = b(options.shared_openssl) | |||
| o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0 | |||
| if options.openssl_fips: | |||
| o['variables']['openssl_fips'] = options.openssl_fips | |||
| o['make_global_settings'] = [ | |||
There was a problem hiding this comment.
Using make_global_settings like that is a horrible and not very portable hack.
There was a problem hiding this comment.
Ok, what would be your suggestion to override the linker command?
|
@indutny I reckon those instructions should go in to the README rather than being lost in this issue, unless you can think of a better place for it? |
|
Just figured out I could do it better and remove the need to patch |
|
@rvagg agree! |
|
The sources of openssl-fips-2.0.9 are about 8.4M bytes. |
| } | ||
| if make_global_settings != False: |
There was a problem hiding this comment.
It is not very pythonic. Recommended way is if not make_global_settings:
|
I'm not very familiar to fips, but if it ends up being built as a library we should support building against a shared .so as well. |
|
@shigeki sorry, but there are some complications with this FIPS thing. I'm not sure if it can be included in our source tree. Unless someone knows for sure. |
|
@indutny No, problem, you can take your choice. |
indutny
force-pushed
the
feature/fips-mode
branch
4 times, most recently
from
9338069
to
c9802dc
Compare
|
Everything addressed, removed the need to patch OpenSSL FIPS checkout. PTAL (cc @bnoordhuis @rvagg @shigeki ) |
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
indutny
force-pushed
the
feature/fips-mode
branch
from
c9802dc
to
282d4c9
Compare
| if (!FIPS_mode_set(1)) { | ||
| int r; | ||
| r = ERR_get_error(); | ||
| fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(r, NULL)); |
There was a problem hiding this comment.
Why don't we directly do ERR_error_string(ERR_get_error(), NULL)?
There was a problem hiding this comment.
It won't fit into 80 columns. Anyway, merged two previous lines into one. Thanks!
There was a problem hiding this comment.
Oh, okay. I would have done
fprintf(stderr, "openssl fips failed: %s\n",
ERR_error_string(ERR_get_error(), NULL));
Can we use that?
There was a problem hiding this comment.
Yes, but what is the point? It is harder to read, and takes the same two lines.
There was a problem hiding this comment.
True, I was thinking along the lines of saving some memory. But, as Donald Knuth said, "Premature optimization is the root of all evil". So, this should be fine I guess :-)
There was a problem hiding this comment.
It won't save anything, in both JS and C/C++. Compiler are smart enough to figure it out ;)
There was a problem hiding this comment.
@indutny Oh, I didn't know that even JS Engine could do that. Thanks :-)
| @@ -0,0 +1,19 @@ | |||
| # Building io.js with FIPS-compliant OpenSSL | |||
There was a problem hiding this comment.
could we have a link to this from the README? Perhaps at the bottom of the build section:
See also: [Building io.js with FIPS-compliant OpenSSL](./deps/openssl/doc/FIPS.md)
|
There seems a fix needed to build on my Ubuntu because diff --git a/deps/openssl/fips/fipsld b/deps/openssl/fips/fipsld
index 513982a..4c345cd 100755
--- a/deps/openssl/fips/fipsld
+++ b/deps/openssl/fips/fipsld
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
# NOTE: Just a wrapper around normal fipsld
FIPSLD=$1And without CXX env, build was faild , so I set it manually. I can't say whether this is really FIPS compliance or not because I've not read all of contents in OpenSSL handbook. I wonder if patched openssl can be allowed. Tests also show a lot of fips errors for their forbidden rules. |
|
@shigeki I think this is quite unusual. Is there any reason to replace |
|
@shigeki thanks for checking it out! |
|
I'll read the FIPS guide to be sure, but here is an excerpt that I think should answer the question of compliance: |
|
I think it should be pretty much correct to use FIPS module with patched OpenSSL: and IANAL, but OpenSSL was never FIPS compliant, and regardless of any patches it won't became one :) |
|
In Ubuntu, /bin/sh is linked to dash by default. https://wiki.ubuntu.com/DashAsBinSh I understand OpenSSL was never FIPS compliant. It needs so much requirements. Thanks for clarification. |
|
Gosh. Please forgive my ignorance, @shigeki . I was completely unaware of dash. Maybe we can fix the script to make it POSIX compliant, instead of forcing the |
|
@shigeki please take another look, it still requires CXX, but should work with dash. |
| 5. Get into io.js checkout folder | ||
| 6. `./configure --openssl-fips=/path/to/openssl-fips/out` | ||
| 7. Build io.js with `make -j` | ||
|
|
There was a problem hiding this comment.
I think it is better to add some descriptions to the doc as
- supported platform: Windows is not supported. Only build on MacOS and Linux are confirmed.
- CXX env is needed.
- confirmation of result of fips build as
$ ./iojs -e "console.log(process.versions.openssl)"
1.0.2a-fips
|
Builds on my Ubuntu and MacOS are fine. Add some comments on the doc. LGTM. |
|
docs lgtm |
| 2. Extract source to `openssl-fips` folder | ||
| 3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out`` | ||
| (NOTE: On OS X, you may want to run | ||
| ``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to |
There was a problem hiding this comment.
I don't have OS X, so I couldn't confirm this. Is ./Configure with a capital C, correct?
There was a problem hiding this comment.
Yeah, I have OS X. So I can confirm it ;)
There was a problem hiding this comment.
Cool, then :-) I just thought it was a typo.
|
Since no one else has mentioned shared library support I'll just have a look at what can be done after this lands. |
|
You mean shared OpenSSL? This will certainly work, except that it won't have patches that we have applied to it. Namely: |
|
@indutny great; I'll have a look at it later then (especially for the FIPS scenario). |
|
Ok, cool. I tested it on OS X and Ubuntu, assuming that it is working and landing. Thanks everyone for the feedback! |
|
Landed in 0f68377, thank you everyone! |
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out`` (NOTE: On OS X, you may want to run ``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to build x64-mode io.js) 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` 8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`) Fix: nodejs/node-v0.x-archive#25463 PR-URL: #1890 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Notable Changes: * libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details. (Saúl Ibarra Corretgé) #1905 #1889. Highlights include: - Fix TTY becoming blocked on OS X - Fix UDP send callbacks to not to be synchronous - Add uv_os_homedir() (exposed as os.homedir(), see below) * npm: See full release notes for details. (Kat Marchán) #1899. Highlight: - Use GIT_SSH_COMMAND (available as of Git 2.3) * openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection (Logjam) and fixes malformed ECParameters causing infinite loop (CVE-2015-1788). See the security advisory for full details. (Shigeki Ohtsu) #1950 #1958 - Support FIPS mode of OpenSSL, see README for instructions. (Fedor Indutny) #1890 * os: Add os.homedir() method. (Colin Ihrig) #1791 * smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822 * Add new collaborators: - Alex Kocharin (@rlidwka) - Christopher Monsanto (@monsanto) - Ali Ijaz Sheikh (@ofrobots) - Oleg Elifantiev (@Olegas) - Domenic Denicola (@domenic) - Rich Trott (@Trott)
Support building and running with FIPS-compliant OpenSSL. The process is
following:
openssl-fips-x.x.x.tar.gzfromhttps://www.openssl.org/source/
openssl-fipsfoldercd openssl-fips && ./config fipscanisterbuild --prefix=pwd/outmake -j && make install./configure --openssl-fips=/path/to/openssl-fips/outmake -jFix: nodejs/node-v0.x-archive#25463