
crypto: fix native module compilation with FIPS #4023

Closed

Conversation

stefanmb (Contributor)

When using a FIPS build of Node.js we cannot build and install native npm modules unless the original OpenSSL source is available at the same location where it was present during the Node executable's build. This issue occurs because OpenSSL's FIPS capsule requires linking with a special 'fipsld' utility. When configuring with --openssl-fips a global LD override is used that is then propagated to config.gypi. This file (config.gypi) is encoded into the Node executable itself (see node_natives.h) and is accessible via process.config. Node-gyp then appends all of process.config to each module's configuration (see configure.js).

There are multiple ways to fix this problem, I've opted to simply separate out the special FIPS link flag so it's only used during the Node.js executable's compilation, and not propagated to modules. While it is not strictly 'correct' to exclude the LD flag from process.config, doing so avoids having node-gyp be aware of special FIPS configuration exceptions.

Resolves #3815.
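The propagation path described above (a build-wide linker override in config.gypi reaching every addon build through process.config) is easy to model. The following is an added illustration, not code from this PR, from nodejs/node or from node-gyp: the config object, its paths and the list of "executable-only" keys are constructed for the example, and the merge function only mimics the behaviour the description attributes to node-gyp.

```javascript
// Added example for this discussion; it is not code from nodejs/node or
// node-gyp. It mimics the propagation the PR describes: node-gyp merges the
// running executable's process.config into each addon's gyp configuration,
// so a build-wide LD override meant for the Node binary would be applied to
// every addon link step as well.

// Constructed sample of what config.gypi might have carried in a FIPS-capable
// build. Paths are placeholders, not the values from any real build.
const sampleNodeConfig = {
  make_global_settings: [
    ['LD', '/opt/build/openssl-fips/bin/fipsld'], // link-time override for the Node executable
  ],
  target_defaults: {
    cflags: [],
    default_configuration: 'Release',
  },
  variables: {
    openssl_fips: '/opt/build/openssl-fips', // placeholder FIPS source path
    node_shared_openssl: 'false',
  },
};

// Returns the LD program a gyp config would force on every link step, or null.
// make_global_settings is gyp's list of [tool, value] pairs.
function findLinkerOverride(config) {
  const settings = Array.isArray(config.make_global_settings)
    ? config.make_global_settings
    : [];
  for (const entry of settings) {
    if (Array.isArray(entry) && entry[0] === 'LD') return entry[1];
  }
  return null;
}

// Build the configuration an addon would be compiled with: the executable's
// config merged with the addon's own settings (addon settings win), in the
// spirit of what the PR description says node-gyp does with process.config.
function buildAddonConfig(nodeConfig, addonConfig) {
  return {
    ...nodeConfig,
    ...addonConfig,
    variables: { ...(nodeConfig.variables || {}), ...(addonConfig.variables || {}) },
  };
}

// Drop settings that only describe how the Node executable itself was linked
// before the config is handed to addons. Which keys count as executable-only
// is an assumption made for this example.
const EXECUTABLE_ONLY_KEYS = ['make_global_settings'];

function stripExecutableOnlySettings(config) {
  const cleaned = { ...config };
  for (const key of EXECUTABLE_ONLY_KEYS) delete cleaned[key];
  return cleaned;
}

// Before: the addon build inherits fipsld and fails wherever the OpenSSL
// source tree is absent. After: the addon is linked with the default linker,
// while the FIPS variables that addons may legitimately inspect are kept.
function demo() {
  const addonConfig = { variables: { module_name: 'example_addon' } };
  const leaky = buildAddonConfig(sampleNodeConfig, addonConfig);
  const fixed = buildAddonConfig(stripExecutableOnlySettings(sampleNodeConfig), addonConfig);
  return {
    leakyLinker: findLinkerOverride(leaky),
    fixedLinker: findLinkerOverride(fixed),
    fipsVariableKept: fixed.variables.openssl_fips,
  };
}

console.log(demo());
```

Run it with `node` to see the linker the addon would inherit before and after the executable-only settings are stripped; the point is that the `variables` block survives the filter, so an addon can still detect a FIPS build, while the link-time override does not.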

@mscdex mscdex added crypto Issues and PRs related to the crypto subsystem. build Issues and PRs related to build files or the CI. labels Nov 25, 2015
mscdex (Contributor) commented Nov 25, 2015

/cc @nodejs/crypto

indutny (Member) commented Nov 25, 2015

Mmmm... @stefanmb why is FIPSLD needed for addons? They are shared modules after all.

stefanmb (Contributor, Author)

@indutny I don't think it is needed, but right now due to the way node-gyp works the addons will be compiled with the exact same settings as the Node executable you're running npm with. Meaning they get the special LD env variable which, as far as I can tell, is not needed and won't even work if you're missing the OpenSSL source. The purpose of my commit was to remove fipsld from the addons entirely.

indutny (Member) commented Nov 25, 2015

Aaaah, I get it now. Thought you were proposing to use fipsld in addons. Makes sense now!

indutny (Member) commented Nov 25, 2015

LGTM, but I haven't seen if it builds. Could somebody from @nodejs/crypto please confirm it?

indutny (Member) commented Nov 25, 2015

@stefanmb thank you for an awesome work!

stefanmb (Contributor, Author)

@indutny Yeah, it's a bit confusing. What I'm proposing may not be the best way to do it, but it's one way I found that works. I'm open to any and all suggestions. :)

mhdawson (Member)

The issue was reported against 4.x, so we should consider this for LTS.

mhdawson (Member)

LGTM as well, provided these CI runs are ok:

Run in regular mode: https://ci.nodejs.org/job/node-test-pull-request/852/
Build in FIPS capable mode (ubuntu 14 only so far) and on fork, not merged branch: https://ci.nodejs.org/job/node-test-commit-linux-fips/16/console

The second is the candidate subjob that I'm hoping to add to the regular regression runs. It builds/tests in FIPS capable mode. What it probably does not test is whether native modules will now build ok, as it passed before, probably because I don't delete the src/build for the fipscanister in order to speed up the build time and/or because native module compilation is not part of the standard tests.

mhdawson (Member)

CI runs look clean to me (arm has one platform to complete but everything else is good).

shigeki (Contributor) commented Nov 26, 2015

Is it always necessary to create config_fips.gypi even for a non-fips build? While icu_config.gypi also does it, most users are not using fips mode and the file is unnecessary. If we give up the stale check of config_fips.gypi in the Makefile, it can be created only when options.openssl_fips exists.

Prevent OpenSSL's fipsld from being used to link native modules
because this requires the original OpenSSL source to be
available after Node's installation.
@stefanmb stefanmb force-pushed the fips-module-compile-fix branch from 9ad8943 to 1fc485b Compare November 26, 2015 18:06
stefanmb (Contributor, Author)

@shigeki Okay, I modified the Makefile and configure with your suggestions. Thanks!

stefanmb (Contributor, Author) commented Dec 2, 2015

@shigeki Have you had a chance to review the updated version? Are there any other concerns? Thank you!

shigeki pushed a commit that referenced this pull request Dec 3, 2015
Prevent OpenSSL's fipsld from being used to link native modules
because this requires the original OpenSSL source to be
available after Node's installation.

Fixes: #3815
PR-URL: #4023
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
shigeki (Contributor) commented Dec 3, 2015

The results of CI are fine except on CentOS and some Windows. The failures have nothing to do with this. Landed in 181816e. Thanks.

@shigeki shigeki closed this Dec 3, 2015
rvagg pushed a commit that referenced this pull request Dec 5, 2015
@rvagg rvagg mentioned this pull request Dec 17, 2015
MylesBorins pushed a commit that referenced this pull request Dec 29, 2015
MylesBorins pushed a commit that referenced this pull request Jan 19, 2016
@MylesBorins MylesBorins mentioned this pull request Jan 19, 2016
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Successfully merging this pull request may close these issues.

node 4.2: FIPS-compliance can not compile native libraries after install