Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft: Keep FIPS provider #48950

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Draft: Keep FIPS provider #48950

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
75efb42
src: report if CSPRNG fails to seed properly
khardix Jul 26, 2023
137735c
src: warn about FIPS options used with shared OpenSSL
khardix Aug 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 6 additions & 1 deletion node.gypi
View file
Open in desktop
Expand Up @@ -350,7 +350,10 @@
'defines': [ 'HAVE_OPENSSL=1' ],
'conditions': [
[ 'node_shared_openssl=="false"', {
'defines': [ 'OPENSSL_API_COMPAT=0x10100000L', ],
'defines': [
'OPENSSL_API_COMPAT=0x10100000L',
'NODE_OPENSSL_IS_SHARED=0',
],
'dependencies': [
'./deps/openssl/openssl.gyp:openssl',

Expand Down Expand Up @@ -392,6 +395,8 @@
],
}],
]
}, {
'defines': [ 'NODE_OPENSSL_IS_SHARED=1', ]
}],
[ 'openssl_quic=="true" and node_shared_ngtcp2=="false"', {
'dependencies': [ './deps/ngtcp2/ngtcp2.gyp:ngtcp2' ]
Expand Down
20 changes: 19 additions & 1 deletion src/node.cc
View file
Open in desktop
Expand Up @@ -1054,6 +1054,14 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
OPENSSL_init();
}
#endif
#if NODE_OPENSSL_IS_SHARED
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
result->errors_.emplace_back(
"Warning: FIPS options are not supported with shared OpenSSL library!"
);
}
#endif // NODE_OPENSSL_IS_SHARED
if (!crypto::ProcessFipsOptions()) {
// XXX: ERR_GET_REASON does not return something that is
// useful as an exit code at all.
Expand All @@ -1067,7 +1075,17 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
}

// Ensure CSPRNG is properly seeded.
CHECK(crypto::CSPRNG(nullptr, 0).is_ok());
if (!crypto::CSPRNG(nullptr, 0).is_ok()) {
// XXX: ERR_GET_REASON does not return something that is
// useful as an exit code at all.
result->exit_code_ =
static_cast<ExitCode>(ERR_GET_REASON(ERR_peek_error()));
result->early_return_ = true;
result->errors_.emplace_back(
"OpenSSL error when trying to seed CSPRNG:\n" +
GetOpenSSLErrorString());
return result;
}

V8::SetEntropySource([](unsigned char* buffer, size_t length) {
// V8 falls back to very weak entropy when this function fails
Expand Down