From 3397f29a37e80055b290572d661d5f0b473fe70d Mon Sep 17 00:00:00 2001
From: Daniel Bevenius
Date: Wed, 9 Jan 2019 11:54:08 +0100
Subject: [PATCH 1/2] build: introduce --openssl-is-fips flag

This commit introduces a new configuration flag named --openssl-is-fips which is intended to be used when linking against an OpenSSL library that is FIPS compatible. The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8) comes with OpenSSL 1.1.1 and includes FIPS support, and we would like to be able to dynamically link against this version and also have FIPS features enabled in node, like would be done when statically linking and using the --openssl-fips flag. The suggestion here is to introduce a new flag: $ ./configure --help ... --openssl-is-fips specifies that the shared OpenSSL version is FIPS compatible This flag could be used in combination with the shared-openssl flag: $ ./configure --shared-openssl ---openssl-is-fips This will enable FIPS support in node and the runtime flags will be availalbe to enable FIPS (--enable-fips, --force-fips).
---
 configure.py | 6 ++++++
 node.gypi | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/configure.py b/configure.py
index 90630f7bd0cda4..8cb4c58c21809b 100755
--- a/configure.py
+++ b/configure.py
@@ -173,6 +173,11 @@
 dest='openssl_fips',
 help='Build OpenSSL using FIPS canister .o file in supplied folder')
+parser.add_option('--openssl-is-fips',
+ action='store_true',
+ dest='openssl_is_fips',
+ help='specifies that the OpenSSL library is FIPS compatible')
+
 parser.add_option('--openssl-use-def-ca-store',
 action='store_true',
 dest='use_openssl_ca_store',
@@ -1187,6 +1192,7 @@ def configure_openssl(o):
 variables = o['variables']
 variables['node_use_openssl'] = b(not options.without_ssl)
 variables['node_shared_openssl'] = b(options.shared_openssl)
+ variables['openssl_is_fips'] = b(options.openssl_is_fips)
 variables['openssl_fips'] = ''
 if options.openssl_no_asm:
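Review bot: The help string added in the first configure.py hunk says the flag declares "the OpenSSL library" FIPS compatible, while the commit message describes it as applying to the shared library used with --shared-openssl; the option text should say so, e.g. `help='specifies that the shared OpenSSL library is FIPS compatible (use with --shared-openssl)'`. The flag's only effect in this patch is to feed `openssl_is_fips` into the build variables, so nothing at configure time checks that --openssl-is-fips is paired with --shared-openssl or rejects it alongside --openssl-fips; a configure-time error for that combination would surface a misconfiguration before a build is produced. That check belongs in configure_openssl, whose hunk is cut off at the end of this page, so its full context is not visible here.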
diff --git a/node.gypi b/node.gypi
index f6787e5ad8f317..d4b3c9c8d7dd1f 100644
--- a/node.gypi
+++ b/node.gypi
@@ -315,7 +315,7 @@
 [ 'node_use_openssl=="true"', {
 'defines': [ 'HAVE_OPENSSL=1' ],
 'conditions': [
- ['openssl_fips != ""', {
+ ['openssl_fips != "" or openssl_is_fips=="true"', {
 'defines': [ 'NODE_FIPS_MODE' ],
 }],
 [ 'node_shared_openssl=="false"', {

From 885697980d103bdb89194af06cc00d4669e3eab4 Mon Sep 17 00:00:00 2001
From: Daniel Bevenius
Date: Wed, 9 Jan 2019 11:43:41 +0100
Subject: [PATCH 2/2] src: fix FIPS section in Sign::SignFinal

Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors.
---
 src/node_crypto.cc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 296b15de5bee38..bda172e2810a7a 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -4505,9 +4505,14 @@ Sign::SignResult Sign::SignFinal(
 #ifdef NODE_FIPS_MODE
 /* Validate DSA2 parameters from FIPS 186-4 */
- if (FIPS_mode() && EVP_PKEY_DSA == pkey->type) {
- size_t L = BN_num_bits(pkey->pkey.dsa->p);
- size_t N = BN_num_bits(pkey->pkey.dsa->q);
+ if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(pkey.get())) {
+ DSA* dsa = EVP_PKEY_get0_DSA(pkey.get());
+ const BIGNUM* p;
+ DSA_get0_pqg(dsa, &p, nullptr, nullptr);
+ size_t L = BN_num_bits(p);
+ const BIGNUM* q;
+ DSA_get0_pqg(dsa, nullptr, &q, nullptr);
+ size_t N = BN_num_bits(q);
 bool result = false;
 if (L == 1024 && N == 160)
@@ -4520,7 +4525,7 @@ Sign::SignResult Sign::SignFinal(
 result = true;
 if (!result) {
- return kSignPrivateKey;
+ return SignResult(kSignPrivateKey);
 }
 }
 #endif // NODE_FIPS_MODE
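Review bot: The new condition reads `openssl_is_fips`, but this patch only ever sets that variable from configure.py; unless a default such as `'openssl_is_fips%': 'false'` is declared in a gyp `variables` block (not visible in this patch), a build that consumes node.gypi without running configure will fail on an undefined variable rather than silently leaving NODE_FIPS_MODE off. The spacing inside the one expression is also inconsistent — `openssl_fips != ""` versus `openssl_is_fips=="true"`; `['openssl_fips != "" or openssl_is_fips == "true"', {` reads more evenly.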
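Review bot: In the first node_crypto.cc hunk, `p` and `q` are declared uninitialised and `DSA_get0_pqg` is called twice to fill them one at a time; a single `DSA_get0_pqg(dsa, &p, &q, nullptr)` with both pointers initialised to `nullptr` is simpler and leaves nothing indeterminate if the accessor ever declines to set an output. `EVP_PKEY_get0_DSA` returns NULL when the key is not a DSA key; the `EVP_PKEY_base_id` test on the same line should rule that out here, but a `dsa == nullptr` guard that returns `SignResult(kSignPrivateKey)` is cheap insurance on a branch whose whole purpose is to enforce the FIPS 186-4 parameter sizes. The enclosing Sign::SignFinal starts before this hunk and ends after the second one.
```cpp
  if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(pkey.get())) {
    DSA* dsa = EVP_PKEY_get0_DSA(pkey.get());
    if (dsa == nullptr)
      return SignResult(kSignPrivateKey);
    const BIGNUM* p = nullptr;
    const BIGNUM* q = nullptr;
    DSA_get0_pqg(dsa, &p, &q, nullptr);
    size_t L = BN_num_bits(p);
    size_t N = BN_num_bits(q);
    // … unchanged: FIPS 186-4 (L, N) size table and result check …
```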