mirror of
https://github.com/nodejs/node.git
synced 2024-11-24 12:10:08 +01:00
build: add OpenSSL-1.1.0 support
- For Windows, nasm is new build requirements and openssl_no_asm is set to 1 with warning if it is not installed. - For use of openssl assemble codes, either gas_version >= 2.23, xcode_version >= 5.0 ,llvm_version >= 3.3 or nasm_version >= 2.10 is needed. Otherwise, openssl_no_asm is set to 1 with warning. - FIPS is not supported in OpenSSL-1.1.0 so that it leads an error when openssl_fips options is enabled in configure. Fixes: https://github.com/nodejs/node/issues/4270 PR-URL: https://github.com/nodejs/node/pull/19794 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This commit is contained in:
parent
7812ec735b
commit
08af7dba2a
56
BUILDING.md
56
BUILDING.md
@ -88,6 +88,23 @@ Depending on host platform, the selection of toolchains may vary.
|
||||
|
||||
* Visual Studio 2017 or the Build Tools thereof
|
||||
|
||||
#### OpenSSL asm support
|
||||
|
||||
OpenSSL-1.1.0 requires the following asssembler version for use of asm
|
||||
support.
|
||||
|
||||
* gas (GNU assembler) version 2.23 or higher
|
||||
* xcode version 5.0 or higher
|
||||
* llvm version 3.3 or higher
|
||||
* nasm version 2.10 or higher in Windows
|
||||
|
||||
Otherwise, `--openssl-no-asm` is added with warning in configure.
|
||||
|
||||
*Note:* The forthcoming OpenSSL-1.1.1 will require higher
|
||||
version. Please refer
|
||||
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_ia32cap.html for
|
||||
details.
|
||||
|
||||
## Building Node.js on supported platforms
|
||||
|
||||
*Note:* All prerequisites can be easily installed by following
|
||||
@ -377,44 +394,7 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
|
||||
|
||||
## Building Node.js with FIPS-compliant OpenSSL
|
||||
|
||||
It is possible to build Node.js with the
|
||||
[OpenSSL FIPS module](https://www.openssl.org/docs/fipsnotes.html) on POSIX
|
||||
systems. Windows is not supported.
|
||||
|
||||
Building in this way does not mean the runtime is FIPS 140-2 validated, but
|
||||
rather that the runtime uses a validated module. In addition, the validation for
|
||||
the underlying module is only valid if it is deployed in accordance with its
|
||||
[security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
|
||||
If you need FIPS validated cryptography it is recommended that you read both
|
||||
the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
|
||||
and [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).
|
||||
|
||||
### Instructions
|
||||
|
||||
1. Obtain a copy of openssl-fips-x.x.x.tar.gz.
|
||||
To comply with the security policy you must ensure the path
|
||||
through which you get the file complies with the requirements
|
||||
for a "secure installation" as described in section 6.6 in
|
||||
the [user guide](https://openssl.org/docs/fips/UserGuide-2.0.pdf).
|
||||
For evaluation/experimentation, you can simply download and verify
|
||||
`openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/
|
||||
2. Extract source to `openssl-fips` folder and `cd openssl-fips`
|
||||
3. `./config`
|
||||
4. `make`
|
||||
5. `make install`
|
||||
(NOTE: to comply with the security policy you must use the exact
|
||||
commands in steps 3-5 without any additional options as per
|
||||
Appendix A in the [security policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf).
|
||||
The only exception is that `./config no-asm` can be
|
||||
used in place of `./config`, and the FIPSDIR environment variable
|
||||
may be used to specify a non-standard install folder for the
|
||||
validated module, as per User Guide sections 4.2.1, 4.2.2, and 4.2.3.
|
||||
6. Get into Node.js checkout folder
|
||||
7. `./configure --openssl-fips=/path/to/openssl-fips/installdir`
|
||||
For example on ubuntu 12 the installation directory was
|
||||
`/usr/local/ssl/fips-2.0`
|
||||
8. Build Node.js with `make -j`
|
||||
9. Verify with `node -p "process.versions.openssl"` (for example `1.0.2a-fips`)
|
||||
This version of Node.js does not support FIPS.
|
||||
|
||||
## Building Node.js with external core modules
|
||||
|
||||
|
67
configure
vendored
67
configure
vendored
@ -639,6 +639,25 @@ def get_version_helper(cc, regexp):
|
||||
else:
|
||||
return 0
|
||||
|
||||
def get_nasm_version(asm):
|
||||
try:
|
||||
proc = subprocess.Popen(shlex.split(asm) + ['-v'],
|
||||
stdin=subprocess.PIPE, stderr=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE)
|
||||
except OSError:
|
||||
warn('''No acceptable ASM compiler found!
|
||||
Please make sure you have installed nasm from http://www.nasm.us
|
||||
and refer BUILDING.md.''')
|
||||
return 0
|
||||
|
||||
match = re.match(r"NASM version ([2-9]\.[0-9][0-9]+)",
|
||||
proc.communicate()[0])
|
||||
|
||||
if match:
|
||||
return match.group(1)
|
||||
else:
|
||||
return 0
|
||||
|
||||
def get_llvm_version(cc):
|
||||
return get_version_helper(
|
||||
cc, r"(^(?:FreeBSD )?clang version|based on LLVM) ([3-9]\.[0-9]+)")
|
||||
@ -677,6 +696,11 @@ def get_gas_version(cc):
|
||||
# quite prepared to go that far yet.
|
||||
def check_compiler(o):
|
||||
if sys.platform == 'win32':
|
||||
if not options.openssl_no_asm:
|
||||
nasm_version = get_nasm_version('nasm')
|
||||
o['variables']['nasm_version'] = nasm_version
|
||||
if nasm_version == 0:
|
||||
o['variables']['openssl_no_asm'] = 1
|
||||
return
|
||||
|
||||
ok, is_clang, clang_version, gcc_version = try_check_compiler(CXX, 'c++')
|
||||
@ -1039,32 +1063,35 @@ def configure_v8(o):
|
||||
|
||||
|
||||
def configure_openssl(o):
|
||||
o['variables']['node_use_openssl'] = b(not options.without_ssl)
|
||||
o['variables']['node_shared_openssl'] = b(options.shared_openssl)
|
||||
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
|
||||
variables = o['variables']
|
||||
variables['node_use_openssl'] = b(not options.without_ssl)
|
||||
variables['node_shared_openssl'] = b(options.shared_openssl)
|
||||
variables['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
|
||||
if options.use_openssl_ca_store:
|
||||
o['defines'] += ['NODE_OPENSSL_CERT_STORE']
|
||||
if options.openssl_system_ca_path:
|
||||
o['variables']['openssl_system_ca_path'] = options.openssl_system_ca_path
|
||||
o['variables']['node_without_node_options'] = b(options.without_node_options)
|
||||
variables['openssl_system_ca_path'] = options.openssl_system_ca_path
|
||||
variables['node_without_node_options'] = b(options.without_node_options)
|
||||
if options.without_node_options:
|
||||
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
|
||||
|
||||
# supported asm compiler for AVX2. See https://github.com/openssl/openssl/
|
||||
# blob/OpenSSL_1_1_0-stable/crypto/modes/asm/aesni-gcm-x86_64.pl#L52-L69
|
||||
openssl110_asm_supported = \
|
||||
('gas_version' in variables and variables['gas_version'] >= '2.23') or \
|
||||
('xcode_version' in variables and variables['xcode_version'] >= '5.0') or \
|
||||
('llvm_version' in variables and variables['llvm_version'] >= '3.3') or \
|
||||
('nasm_version' in variables and variables['nasm_version'] >= '2.10')
|
||||
|
||||
if not openssl110_asm_supported and variables['openssl_no_asm'] == 0:
|
||||
warn('''openssl_no_asm is enabled due to missed or old assembler.
|
||||
Please refer BUILDING.md''')
|
||||
variables['openssl_no_asm'] = 1
|
||||
|
||||
if options.openssl_fips:
|
||||
o['variables']['openssl_fips'] = options.openssl_fips
|
||||
fips_dir = os.path.join('deps', 'openssl', 'fips')
|
||||
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
|
||||
# LINK is for Makefiles, LD/LDXX is for ninja
|
||||
o['make_fips_settings'] = [
|
||||
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
|
||||
['LD', fips_ld + ' <(openssl_fips)/bin/fipsld'],
|
||||
['LDXX', fips_ld + ' <(openssl_fips)/bin/fipsld'],
|
||||
]
|
||||
else:
|
||||
o['variables']['openssl_fips'] = ''
|
||||
try:
|
||||
os.remove('config_fips.gypi')
|
||||
except OSError:
|
||||
pass
|
||||
print('Error: FIPS is not supported yet in this version')
|
||||
exit(1)
|
||||
variables['openssl_fips'] = ''
|
||||
|
||||
if options.without_ssl:
|
||||
def without_ssl_error(option):
|
||||
|
4
node.gyp
4
node.gyp
@ -609,8 +609,8 @@
|
||||
{
|
||||
'action_name': 'mkssldef',
|
||||
'inputs': [
|
||||
'deps/openssl/openssl/util/libeay.num',
|
||||
'deps/openssl/openssl/util/ssleay.num',
|
||||
'deps/openssl/openssl/util/libcrypto.num',
|
||||
'deps/openssl/openssl/util/libssl.num',
|
||||
],
|
||||
'outputs': ['<(SHARED_INTERMEDIATE_DIR)/openssl.def'],
|
||||
'action': [
|
||||
|
@ -26,7 +26,7 @@ if __name__ == '__main__':
|
||||
|
||||
for filename in filenames:
|
||||
for line in open(filename).readlines():
|
||||
name, _, meta, _ = re.split('\s+', line)
|
||||
name, _, _, meta, _ = re.split('\s+', line)
|
||||
if any(map(lambda p: p.match(name), excludes)): continue
|
||||
meta = meta.split(':')
|
||||
assert meta[0] in ('EXIST', 'NOEXIST')
|
||||
|
Loading…
Reference in New Issue
Block a user