crypto: support OPENSSL_CONF again #11006
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
c++
|
@gibfahn @mhdawson @bnoordhuis PTAL |
sam-github
force-pushed
the
ossl-cfg-from-env
branch
from
1760079
to
57d5fe0
Compare
|
cc/ @rvagg |
|
|
Mostly cosmetic, but #10948 fixes misaligned options displayed by |
|
Will take another look once ci failures are resolved, but general concept looks good. |
|
I see, its because I'm not building with FIPS that I didn't notice that. @gibfahn (or anybody), how do I compile with FIPS? |
sam-github
force-pushed
the
ossl-cfg-from-env
branch
from
57d5fe0
to
efff1cf
Compare
|
Latest ci run: https://ci.nodejs.org/job/node-test-pull-request/6080/ |
|
@sam-github You need to give a path to a fips-compliant openssl version of fips in the configure stage with Then when you run you pass |
bnoordhuis
requested changes
Jan 28, 2017
src/node.cc
Outdated
| @@ -176,7 +176,7 @@ bool ssl_openssl_cert_store = | |||
| bool enable_fips_crypto = false; | |||
| bool force_fips_crypto = false; | |||
| # endif // NODE_FIPS_MODE | |||
| const char* openssl_config = nullptr; | |||
| const char* openssl_config = secure_getenv("OPENSSL_CONF"); | |||
There was a problem hiding this comment.
This is not safe, modifications to the environment will invalidate the pointer. Call secure_getenv() only when openssl_config is first needed and store a copy, not a pointer.
I see we're also mishandling icu_data_dir that way. I'll file a pull request.
|
@sam-github I see that @bnoordhuis has raised #11051, so presumably this PR will be dependent on it? |
sam-github
force-pushed
the
ossl-cfg-from-env
branch
from
efff1cf
to
1661a7d
Compare
sam-github
force-pushed
the
ossl-cfg-from-env
branch
from
1661a7d
to
223d032
Compare
|
I figured out how to do a FIPS build locally, and the tests pass for me. Waiting for ci: https://ci.nodejs.org/job/node-test-pull-request/6295/ @bnoordhuis PTAL |
bnoordhuis
approved these changes
Feb 9, 2017
| OPENSSL_load_builtin_modules(); | ||
| #ifndef OPENSSL_NO_ENGINE | ||
| ENGINE_load_builtin_engines(); | ||
| #endif | ||
| ERR_clear_error(); | ||
| CONF_modules_load_file( | ||
| openssl_config, | ||
| openssl_config.c_str(), |
There was a problem hiding this comment.
You can use .data() in C++11, it's interchangeable with .c_str() now (and one keystroke shorter.)
| @@ -92,10 +93,24 @@ testHelper( | |||
| compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, | |||
| 'require("crypto").fips', | |||
| process.env); | |||
| // OPENSSL_CONF should _not_ be able to turn on FIPS mode | |||
There was a problem hiding this comment.
Can you add blank lines before and after for legibility?
Allow it to be used anywhere in src/ that env variables with security implications are accessed.
sam-github
force-pushed
the
ossl-cfg-from-env
branch
from
223d032
to
f440e1d
Compare
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: nodejs#10938 PR-URL: nodejs#11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
sam-github
force-pushed
the
ossl-cfg-from-env
branch
from
f440e1d
to
59afa27
Compare
italoacasas
added a commit
to italoacasas/node
that referenced
this pull request
Mar 1, 2017
Notables changes: * child_process: spawnSync() exit code now is null when the child is killed via signal (cjihrig) [nodejs#11288](nodejs#11288) * http: new functions to access the headers for an outgoing HTTP message (Brian White) [nodejs#11562](nodejs#11562) * lib: deprecate node --debug at runtime (Josh Gavant) [nodejs#11275](nodejs#11275) * tls: new tls.TLSSocket() supports sec ctx options (Sam Roberts) [nodejs#11005](nodejs#11005) * url: adding URL.prototype.toJSON support (Michaël Zasso) [nodejs#11236](nodejs#11236) * doc: items in the API documentation may now have changelogs (Anna Henningsen) [nodejs#11489](nodejs#11489) * crypto: adding support for OPENSSL_CONF again (Sam Roberts) [nodejs#11006](nodejs#11006) * src: adding support for trace-event tracing (misterpoe) [nodejs#11106](nodejs#11106) PR-URL: nodejs#11553
italoacasas
added a commit
to italoacasas/node
that referenced
this pull request
Mar 1, 2017
Notables changes: * child_process: spawnSync() exit code now is null when the child is killed via signal (cjihrig) [nodejs#11288](nodejs#11288) * http: new functions to access the headers for an outgoing HTTP message (Brian White) [nodejs#11562](nodejs#11562) * lib: deprecate node --debug at runtime (Josh Gavant) [nodejs#11275](nodejs#11275) * tls: new tls.TLSSocket() supports sec ctx options (Sam Roberts) [nodejs#11005](nodejs#11005) * url: adding URL.prototype.toJSON support (Michaël Zasso) [nodejs#11236](nodejs#11236) * doc: items in the API documentation may now have changelogs (Anna Henningsen) [nodejs#11489](nodejs#11489) * crypto: adding support for OPENSSL_CONF again (Sam Roberts) [nodejs#11006](nodejs#11006) * src: adding support for trace-event tracing (misterpoe) [nodejs#11106](nodejs#11106) PR-URL: nodejs#11553
italoacasas
added a commit
to italoacasas/node
that referenced
this pull request
Mar 1, 2017
Notables changes: * child_process: spawnSync() exit code now is null when the child is killed via signal (cjihrig) [nodejs#11288](nodejs#11288) * http: new functions to access the headers for an outgoing HTTP message (Brian White) [nodejs#11562](nodejs#11562) * lib: deprecate node --debug at runtime (Josh Gavant) [nodejs#11275](nodejs#11275) * tls: new tls.TLSSocket() supports sec ctx options (Sam Roberts) [nodejs#11005](nodejs#11005) * url: adding URL.prototype.toJSON support (Michaël Zasso) [nodejs#11236](nodejs#11236) * doc: items in the API documentation may now have changelogs (Anna Henningsen) [nodejs#11489](nodejs#11489) * crypto: adding support for OPENSSL_CONF again (Sam Roberts) [nodejs#11006](nodejs#11006) * src: adding support for trace-event tracing (misterpoe) [nodejs#11106](nodejs#11106) PR-URL: nodejs#11553
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Mar 2, 2017
Notables changes:
* child_process: spawnSync() exit code now is null when the child is killed via signal (cjihrig)
[#11288](nodejs/node#11288)
* http: new functions to access the headers for an outgoing HTTP message (Brian White)
[#11562](nodejs/node#11562)
* lib: deprecate node --debug at runtime (Josh Gavant)
[#11275](nodejs/node#11275)
* tls: new tls.TLSSocket() supports sec ctx options (Sam Roberts)
[#11005](nodejs/node#11005)
* url: adding URL.prototype.toJSON support (Michaël Zasso)
[#11236](nodejs/node#11236)
* doc: items in the API documentation may now have changelogs (Anna Henningsen)
[#11489](nodejs/node#11489)
* crypto: adding support for OPENSSL_CONF again (Sam Roberts)
[#11006](nodejs/node#11006)
* src: adding support for trace-event tracing (misterpoe)
[#11106](nodejs/node#11106)
PR-URL: nodejs/node#11553
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Apr 17, 2017
Allow it to be used anywhere in src/ that env variables with security implications are accessed. PR-URL: nodejs#11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Apr 17, 2017
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: nodejs#10938 PR-URL: nodejs#11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
31 tasks
MylesBorins
pushed a commit
that referenced
this pull request
May 16, 2017
Allow it to be used anywhere in src/ that env variables with security implications are accessed. PR-URL: #11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins
pushed a commit
that referenced
this pull request
May 16, 2017
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: #10938 PR-URL: #11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins
pushed a commit
that referenced
this pull request
May 18, 2017
Allow it to be used anywhere in src/ that env variables with security implications are accessed. PR-URL: #11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins
pushed a commit
that referenced
this pull request
May 18, 2017
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: #10938 PR-URL: #11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Merged
MylesBorins
added a commit
that referenced
this pull request
Jun 6, 2017
This LTS release comes with 126 commits. This includes 40 which
are test related, 32 which are doc related, 12 which are
build / tool related and 4 commits which are updates to
dependencies.
Notable Changes:
* build:
- support for building mips64el (nanxiongchao)
#10991
* cluster:
- disconnect() now returns a reference to the disconnected
worker. (Sean Villars)
#10019
* crypto:
- ability to select cert store at runtime (Adam Majer)
#8334
- Use system CAs instead of using bundled ones (Adam Majer)
#8334
- The `Decipher` methods `setAuthTag()` and `setAAD` now return
`this`. (Kirill Fomichev)
#9398
- adding support for OPENSSL_CONF again (Sam Roberts)
#11006
- make LazyTransform compabile with Streams1 (Matteo Collina)
#12380
* deps:
- upgrade libuv to 1.11.0 (cjihrig)
#11094
- upgrade libuv to 1.10.2 (cjihrig)
#10717
- upgrade libuv to 1.10.1 (cjihrig)
#9647
- upgrade libuv to 1.10.0 (cjihrig)
#9267
* dns:
- Implemented `{ttl: true}` for `resolve4()` and `resolve6()`
(Ben Noordhuis)
#9296
* process:
- add NODE_NO_WARNINGS environment variable (cjihrig)
#10842
* readline:
- add option to stop duplicates in history (Danny Nemer)
#2982
* src:
- support "--" after "-e" as end-of-options (John Barboza)
#10651
* tls:
- new tls.TLSSocket() supports sec ctx options (Sam Roberts)
#11005
- Allow obvious key/passphrase combinations. (Sam Roberts)
#10294
PR-URL: #13059
MylesBorins
added a commit
that referenced
this pull request
Jun 6, 2017
This LTS release comes with 126 commits. This includes 40 which
are test related, 32 which are doc related, 12 which are
build / tool related and 4 commits which are updates to
dependencies.
Notable Changes:
* build:
- support for building mips64el (nanxiongchao)
#10991
* cluster:
- disconnect() now returns a reference to the disconnected
worker. (Sean Villars)
#10019
* crypto:
- ability to select cert store at runtime (Adam Majer)
#8334
- Use system CAs instead of using bundled ones (Adam Majer)
#8334
- The `Decipher` methods `setAuthTag()` and `setAAD` now return
`this`. (Kirill Fomichev)
#9398
- adding support for OPENSSL_CONF again (Sam Roberts)
#11006
- make LazyTransform compabile with Streams1 (Matteo Collina)
#12380
* deps:
- upgrade libuv to 1.11.0 (cjihrig)
#11094
- upgrade libuv to 1.10.2 (cjihrig)
#10717
- upgrade libuv to 1.10.1 (cjihrig)
#9647
- upgrade libuv to 1.10.0 (cjihrig)
#9267
* dns:
- Implemented `{ttl: true}` for `resolve4()` and `resolve6()`
(Ben Noordhuis)
#9296
* process:
- add NODE_NO_WARNINGS environment variable (cjihrig)
#10842
* readline:
- add option to stop duplicates in history (Danny Nemer)
#2982
* src:
- support "--" after "-e" as end-of-options (John Barboza)
#10651
* tls:
- new tls.TLSSocket() supports sec ctx options (Sam Roberts)
#11005
- Allow obvious key/passphrase combinations. (Sam Roberts)
#10294
PR-URL: #13059
andrew749
pushed a commit
to michielbaird/node
that referenced
this pull request
Jul 19, 2017
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: nodejs/node#10938 PR-URL: nodejs/node#11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
andrew749
pushed a commit
to michielbaird/node
that referenced
this pull request
Jul 19, 2017
This LTS release comes with 126 commits. This includes 40 which
are test related, 32 which are doc related, 12 which are
build / tool related and 4 commits which are updates to
dependencies.
Notable Changes:
* build:
- support for building mips64el (nanxiongchao)
nodejs/node#10991
* cluster:
- disconnect() now returns a reference to the disconnected
worker. (Sean Villars)
nodejs/node#10019
* crypto:
- ability to select cert store at runtime (Adam Majer)
nodejs/node#8334
- Use system CAs instead of using bundled ones (Adam Majer)
nodejs/node#8334
- The `Decipher` methods `setAuthTag()` and `setAAD` now return
`this`. (Kirill Fomichev)
nodejs/node#9398
- adding support for OPENSSL_CONF again (Sam Roberts)
nodejs/node#11006
- make LazyTransform compabile with Streams1 (Matteo Collina)
nodejs/node#12380
* deps:
- upgrade libuv to 1.11.0 (cjihrig)
nodejs/node#11094
- upgrade libuv to 1.10.2 (cjihrig)
nodejs/node#10717
- upgrade libuv to 1.10.1 (cjihrig)
nodejs/node#9647
- upgrade libuv to 1.10.0 (cjihrig)
nodejs/node#9267
* dns:
- Implemented `{ttl: true}` for `resolve4()` and `resolve6()`
(Ben Noordhuis)
nodejs/node#9296
* process:
- add NODE_NO_WARNINGS environment variable (cjihrig)
nodejs/node#10842
* readline:
- add option to stop duplicates in history (Danny Nemer)
nodejs/node#2982
* src:
- support "--" after "-e" as end-of-options (John Barboza)
nodejs/node#10651
* tls:
- new tls.TLSSocket() supports sec ctx options (Sam Roberts)
nodejs/node#11005
- Allow obvious key/passphrase combinations. (Sam Roberts)
nodejs/node#10294
PR-URL: nodejs/node#13059
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A side-effect of https://github.com/nodejs/node-private/pull/82
was to remove support for OPENSSL_CONF, as well as removing the default
read of a configuration file on startup.
Partly revert this, allowing OPENSSL_CONF to be used to specify a
configuration file to read on startup, but do not read a file by
default.
If the --openssl-config command line option is provided, its value is
used, not the OPENSSL_CONF environment variable.
Fix: #10938
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
crypto