-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v14.x backport] crypto: make FIPS related options always awailable #40241
Conversation
There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes nodejs#34903 Backport-PR-URL: nodejs#40241 PR-URL: nodejs#36341 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
209db1c
to
2b35f7b
Compare
I made a mistake when resolving the conflict in this test and this commmit fixes it.
@@ -623,8 +623,8 @@ added: v6.9.0 | |||
--> | |||
|
|||
Load an OpenSSL configuration file on startup. Among other uses, this can be | |||
used to enable FIPS-compliant crypto if Node.js is built with | |||
`./configure --openssl-fips`. | |||
used to enable FIPS-compliant crypto if Node.js is built |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will ./configure --openssl-fips
still be accepted. Want to understand if this could break existing workflows/builds
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it will still be accepted at configuration time to specify the directory where the FIPS fipscanister.o is located.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mhdawson The ubi81_sharedlibs_openssl111fips_x64 CI job runs with configure --openssl-is-fips
(we didn't update the job when #36341 landed).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick confirmation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah sorry confused --open-is-fips
with --openssl-fips
configure options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think --openssl-fips
works before on Node.js 14 based on configure.py
?
Lines 1382 to 1383 in 95b9240
if options.openssl_fips or options.openssl_fips == '': | |
error('FIPS is not supported in this version of Node.js') |
(--openssl-is-fips
does work and is tested in the CI.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I recall correctly it is not possible to enable FIPS with the OpenSSL version that is statically linked with Node.js. This is still the case with upstream/master.
But it is possible to dynamically link to an OpenSSL version that does support FIPS (which is the use case at Red Hat).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@danbev that is my understanding as well.
@@ -6866,7 +6875,6 @@ void InitCryptoOnce() { | |||
settings = nullptr; | |||
#endif | |||
|
|||
#ifdef NODE_FIPS_MODE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There were changes in the original PR that don't seem to have made it into this block. In crypto_util.cc ->
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 34058d2dcae9..0d44d0bb4e16 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -142,10 +142,9 @@ void InitCryptoOnce() {
}
}
if (0 != err) {
- fprintf(stderr,
- "openssl fips failed: %s\n",
- ERR_error_string(err, nullptr));
- UNREACHABLE();
+ auto* isolate = Isolate::GetCurrent();
+ auto* env = Environment::GetCurrent(isolate);
+ return ThrowCryptoError(env, err);
}
@danbev was that intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was not intentional 😞 I'll take a closer look add it tomorrow. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've pushed a commit with the missing code now, please take a look.
This commit adds code that I missed when backporting.
Fix lint issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
One more comment there is a typo in the original commit comment. Assume we can fix up when landing. |
8216d46
to
ec3bd72
Compare
There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes: #34903 Backport-PR-URL: #40241 PR-URL: #36341 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Landed in 060c962. |
There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes: #34903 Backport-PR-URL: #40241 PR-URL: #36341 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
FIPS_mode()
function.This makes the user experience more consistent, because the OpenSSL
library is always queried and the
crypto.getFips()
always returnsOpenSSL settings.
Fixes #34903
Backport-PR-URL: #40241
PR-URL: #36341
Reviewed-By: Anna Henningsen anna@addaleax.net
Reviewed-By: Michael Dawson midawson@redhat.com
Reviewed-By: Daniel Bevenius daniel.bevenius@gmail.com