[v14.x backport] crypto: make FIPS related options always awailable#40241
[v14.x backport] crypto: make FIPS related options always awailable#40241danbev wants to merge 4 commits intonodejs:v14.x-stagingfrom
Conversation
There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes nodejs#34903 Backport-PR-URL: nodejs#40241 PR-URL: nodejs#36341 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
nodejs-github-bot
added
c++
danbev
force-pushed
the
backport-f392ac0bbe-to-v14.x
branch
from
209db1c to
2b35f7b
Compare
I made a mistake when resolving the conflict in this test and this commmit fixes it.
| Load an OpenSSL configuration file on startup. Among other uses, this can be | ||
| used to enable FIPS-compliant crypto if Node.js is built with | ||
| `./configure --openssl-fips`. | ||
| used to enable FIPS-compliant crypto if Node.js is built |
There was a problem hiding this comment.
Will ./configure --openssl-fips still be accepted. Want to understand if this could break existing workflows/builds
There was a problem hiding this comment.
Yeah, it will still be accepted at configuration time to specify the directory where the FIPS fipscanister.o is located.
There was a problem hiding this comment.
@mhdawson The ubi81_sharedlibs_openssl111fips_x64 CI job runs with configure --openssl-is-fips (we didn't update the job when #36341 landed).
There was a problem hiding this comment.
Thanks for the quick confirmation.
There was a problem hiding this comment.
ah sorry confused --open-is-fips with --openssl-fips configure options.
There was a problem hiding this comment.
I don't think --openssl-fips works before on Node.js 14 based on configure.py?
Lines 1382 to 1383 in 95b9240
(--openssl-is-fips does work and is tested in the CI.)
There was a problem hiding this comment.
If I recall correctly it is not possible to enable FIPS with the OpenSSL version that is statically linked with Node.js. This is still the case with upstream/master.
But it is possible to dynamically link to an OpenSSL version that does support FIPS (which is the use case at Red Hat).
| settings = nullptr; | ||
| #endif | ||
|
|
||
| #ifdef NODE_FIPS_MODE |
There was a problem hiding this comment.
There were changes in the original PR that don't seem to have made it into this block. In crypto_util.cc ->
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 34058d2dcae9..0d44d0bb4e16 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -142,10 +142,9 @@ void InitCryptoOnce() {
}
}
if (0 != err) {
- fprintf(stderr,
- "openssl fips failed: %s\n",
- ERR_error_string(err, nullptr));
- UNREACHABLE();
+ auto* isolate = Isolate::GetCurrent();
+ auto* env = Environment::GetCurrent(isolate);
+ return ThrowCryptoError(env, err);
}
@danbev was that intentional?
There was a problem hiding this comment.
That was not intentional 😞 I'll take a closer look add it tomorrow. Thanks!
There was a problem hiding this comment.
I've pushed a commit with the missing code now, please take a look.
This commit adds code that I missed when backporting.
Fix lint issue.
|
One more comment there is a typo in the original commit comment. Assume we can fix up when landing. |
danielleadams
force-pushed
the
v14.x-staging
branch
from
8216d46 to
ec3bd72
Compare
There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes: #34903 Backport-PR-URL: #40241 PR-URL: #36341 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
|
Landed in 060c962. |
richardlau
added
the
semver-minor
There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes: #34903 Backport-PR-URL: #40241 PR-URL: #36341 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
5 participants
There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
FIPS_mode()function.This makes the user experience more consistent, because the OpenSSL
library is always queried and the
crypto.getFips()always returnsOpenSSL settings.
Fixes #34903
Backport-PR-URL: #40241
PR-URL: #36341
Reviewed-By: Anna Henningsen anna@addaleax.net
Reviewed-By: Michael Dawson midawson@redhat.com
Reviewed-By: Daniel Bevenius daniel.bevenius@gmail.com