Support building and running with FIPS-compliant OpenSSL. The process is
following:
1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
Fix: https://github.com/joyent/node/issues/25463
PR-URL: https://github.com/nodejs/io.js/pull/1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
asm files are generated as
- In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
- In `deps/openssl/asm_obsolute/`, make with no envs for compilers
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Asm files for OpenSSL depends on the version of assembler.
We provide two sets of asm files, one is asm_latest(avx2 and addx
supported) and the other asm_obsolute(without avx1/2 and addx)
The asm_latest needs the version of gas >= 2.23, llvm >= 3.3
or ml64 >= 12 as defined in
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha512-x86_64.pl#L112-L129
, otherwise asm_obsolute are used.
We take MSVS_VERSION in gyp as a version check of assembler on
Windows because the path to ml64.exe was set after configure in
vcbuild.bat and executing ml64.exe was failed in configure.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This includes following changes,
- Updated asm files for each platforms which are required in
openssl-1.0.2a.
- Some perl files need CC and ASM envs. Added a check if these envs
exist. Followed asm files are to be generated with CC=gcc and
ASM=nasm on Linux. See
`deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl`
- Added new 32bit targets/rules with a sse2 flag (OPENSSL_IA32_SSE2)
to generate asm for use SSE2.
- Generating sha512 asm files in x86_64 need output filename which
has 512. Added new rules so as not to use stdout for outputs.
- PERLASM_SCHEME of linux-armv4 is `void` as defined in openssl
Configure. Changed its target/rule and all directories are moved from
arm-elf-gas to arm-void-gas.
deps: add arm64 support in openssl/asm/Makefile
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Update gyp sources for openssl-1.0.2a. The source list was extracted
from Makefiles in `deps/openssl/openssl/{crypto/ssl/engines}`.
Defines are created by referring the table in
`deps/openssl/doc/openssl_define_list.pdf` that was derived from
Makefile entries and outputs of
`deps/openssl/openssl/Configure TABLE`.
Renamed the variable of openssl_sources_arm_elf_gas to
openssl_sources_arm_void_gas to be consistent with PERLASM_SCHEME.
This also includes arm64 support.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
linux-x32 and linux-aarch64(arm64) are officially supported in
openssl-1.0.2. With this fix opensslconf.h for these new architectures
can be generated by Makefile.
The patch for opensslconf.h of linux-x32 with Makefile was removed.
For the fix of opensslconf.h in WIN32/WIN64, adding defines of
OPENSSL_NO_DYNAMIC_ENGINE and OPENSSL_NO_CAPIENG move to openssl.gypi
so that we no longer need insert a patch with Makefile and removed it.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This a backport of da084a5ec6cebd67ae27f2463ebe4a50bb840fa5 in
https://github.com/openssl/openssl by Matt Caswell <matt@openssl.org> as
In certain situations the server provided certificate chain may no
longer be valid. However the issuer of the leaf, or some intermediate
cert is in fact in the trust store.
When building a trust chain if the first attempt fails, then try to
see if alternate chains could be constructed that are trusted.
deps: backport openssl patch of alt cert chains 2
This a backport of 15dba5be6a4482a9ad7e5b846291f31e97e338ca in
https://github.com/openssl/openssl by Matt Caswell <matt@openssl.org> as
Add flag to inhibit checking for alternate certificate chains. Setting this
behaviour will force behaviour as per previous versions of OpenSSL
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This Makefile executes ../openssl/Configure {target} and copy
generated `../openssl/crypto/opensslconf.h` into
`archs/{target}/opensslconf.h`. with the target list that is defined
in ARCS. Several files are copied for backup and cleared so as not to
change the files in `../openssl`.
This also applies four fixes as below by using perl script so as to
meet iojs build requirements.
- all architectures
Remove define of OPENSSL_CPUID_OBJ because it is defined in
openssl.gypi so as to avoid build error with --openssl-no-asm
- VC-WIN32 and VC-WIN64A
OPENSSL_NO_DYNAMIC_ENGINE is needed for building static
library. OPENSSL_NO_CAPIENG is needed to avoid build errors on
Win. See the comments in `deps/openssl/openssl/engines/e_capi.c` for
detail.
- linux-x32
This fix was made by comparing define values of opensslconf.h which
was generated `Configure linux-x32' in openssl-1.0.2a
- darwin64-x86_64-cc
The current openssl release does not use RC4 asm since it explicitly
specified as `$asm=~s/rc4\-[^:]+//;` in
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/Configure#L584
But iojs has used RC4 asm on MacOS for long time. Fix type of RC4_INT
into `unsigned int` in opensslconf.h of darwin64-x86_64-cc to work on
the RC4 asm.
PR-URL: https://github.com/iojs/io.js/pull/1377
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In OpenSSL, opensslconf.h was generated by Configure script with
specifying a target argument, where it includes several defines that
depend on OS and architecture platform.
In iojs, we statically mapped --dest-os and --dest-cpu options in
configure to the target of Configure in OpenSSL and make
`deps/openssl/conf/openssconf.h` so as to include each file
according to its target by checking pre-defined compiler macros.
Included opnesslconf.h files for supported target architectures can
be generated by `Makefile` and stored under
`archs/{target}/opensslconf.h`. The Makefile alos fixes several
defines to meet iojs build requirements.
Here is a map table of configure options in iojs, target arch of
Configure in OpenSSL and CI support.
| --dest-os | --dest-cpu | OpenSSL target arch | CI |
| --------- | ---------- | -------------------- | --- |
| linux | ia32 | linux-elf | o |
| linux | x32 | patched linux-x86_64 | - |
| linux | x64 | linux-x86_64 | o |
| linux | arm | linux-armv4 | o |
| linux | arm64 | N/A | - |
| mac | ia32 | darwin-i386-cc | o |
| mac | x64 | darwin64-x86-cc | o |
| win | ia32 | VC-WIN32 | - |
| win | x64 | VC-WIN64A | o |
| solaris | ia32 | solaris-x86-gcc | o |
| solaris | x64 | solaris64-x86_64-gcc | o |
| freebsd | ia32 | BSD-x86 | o |
| freebsd | x64 | BSD-x86_64 | o |
| openbsd | ia32 | BSD-x86 | - |
| openbsd | x64 | BSD-x86_64 | - |
| others | others | linux-elf | - |
--dest-os and --dest-cpu are mapped to pre-defined macros.
| --dest-os | pre-defined macro |
| ------------------ | ------------------------- |
| win | _WIN32 |
| win(64bit) | _WIN64 |
| mac | __APPLE__ && __MACH__ |
| solaris | __sun |
| freebsd | __FreeBSD__ |
| openbsd | __OpenBSD__ |
| linux (not andorid)| __linux__ && !__ANDROID__ |
| android | __ANDROID__ |
| --dest-cpu | pre-defined macro |
| ---------- | ----------------- |
| arm | __arm__ |
| arm64 | __aarch64__ |
| ia32 | __i386__ |
| ia32(win) | _M_IX86 |
| mips | __mips__ |
| mipsel | __MIPSEL__ |
| x32 | __ILP32__ |
| x64 | __x86_64__ |
| x64(win) | _M_X64 |
These are the list which is not implemented yet.
| --dest-os | --dest-cpu | OpenSSL target arch | CI |
| --------- | ---------- | -------------------- | --- |
| linux | mips | linux-mips32,linux-mips64,linux64-mips64? | --- |
| linux | mipsel | ? | --- |
| android | ia32 | android-x86 | --- |
| android | arm | android-armv7 | --- |
| android | mips | android-mips | --- |
| android | mipsel | ? | --- |
Supported target arch list in OpenSSL can be obtained by typing
`deps/openssl/openssl/Configure LIST`.
This also contains to add two new defines for all platform in the
bottom for GOST and Padlock engines are not included in iojs.
PR-URL: https://github.com/iojs/io.js/pull/1377
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Updated gyp has "else if" syntax in condition. Use this for
target_arch and OS switches. Several sources, defines, rules and
libraries variables moved to gypi files.
PR-URL: https://github.com/iojs/io.js/pull/1325
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All sources are just extracted from tarball into deps/openssl/openssl.
change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h
sha256-x86_64.pl does not exist in the origin openssl distribution. It
was copied from sha512-x86_64.pl and both sha256/sha512 scripts were
modified so as to generates only one asm file specified as its key
hash length.
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid`
(and perhaps others) are requiring .686.
removed vpaesni-x86_64.asm in x64-win32-masm - it is no longer used.
Fixes: https://github.com/iojs/io.js/issues/1186
PR-URL: https://github.com/iojs/io.js/pull/1206
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit adds basic arm64 support to the build. Building the bundled
openssl is disabled pending an upgrade to openssl 1.2, the currently
bundled version has some hand-rolled assembly that is 32 bits only.
PR-URL: https://github.com/iojs/io.js/pull/1028
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
SSLv2 has been deprecated and known broken for nearly twenty years now.
I made SSLv2 support opt-in well over a year ago in commit 39aa894 and
now this commit removes it entirely.
PR-URL: https://github.com/iojs/io.js/pull/290
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This patch disables two (categories of) warnings:
* deprecation of GetVersionExA
* possible loss of data in implicit conversion of scalar types
These warnings don't seem to point out serious problems, and avoiding
them in openssl is somebody else's business.
PR-URL: https://github.com/iojs/io.js/pull/261
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
On Windows a long integer is always 32-bits, even when the target
architecture uses 64-bit pointers.
PR-URL: https://github.com/iojs/io.js/pull/124
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit 878cc3e532.
Reverted for breaking the x86_64 Linux build:
In file included from ../deps/openssl/openssl/include/openssl/bn.h:1:0,
from ../deps/openssl/openssl/crypto/bn/asm/../bn_lcl.h:115,
from ../deps/openssl/openssl/crypto/bn/asm/x86_64-gcc.c:1:
../deps/openssl/openssl/include/openssl/../../crypto/bn/bn.h:813:20: note: previous declaration of 'bn_add_words' was here
BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
^
../deps/openssl/openssl/crypto/bn/asm/x86_64-gcc.c:210:15: error: conflicting types for 'bn_sub_words'
BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int n)
On Windows (and potentially other LP64 platforms), a long integer is
always 32-bits, even when the target architecture uses 64-bit pointers.
Signed-off-by: Bert Belder <bertbelder@gmail.com>