Support building and running with FIPS-compliant OpenSSL. The process is
following:
1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
Fix: https://github.com/joyent/node/issues/25463
PR-URL: https://github.com/nodejs/io.js/pull/1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
The delay-load hook allows node.exe/iojs.exe to be renamed. See efadffe
for more background.
PR-URL: https://github.com/iojs/io.js/pull/1433
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Every npm version bump requires a few patches to be floated on
node-gyp for io.js compatibility. These patches are found in
03d199276e,
5de334c230, and
da730c76e9. This commit squashes
them into a single commit.
PR-URL: https://github.com/iojs/io.js/pull/990
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit c0e7bf2d8c.
There are a few edge cases that can cause a crash
and need to be properly handled.
PR-URL: https://github.com/nodejs/io.js/pull/1862
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Options have been moved into the NodeOptions class.
A new global, node_options now exists and is used
to access the options after the command line arguments
have been parsed.
PR-URL: https://github.com/nodejs/io.js/pull/1804
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Every npm version bump requires a few patches to be floated on
node-gyp for io.js compatibility. These patches are found in
03d199276e,
5de334c230, and
da730c76e9. This commit squashes
them into a single commit.
PR-URL: https://github.com/iojs/io.js/pull/990
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Every npm version bump requires a few patches to be floated on
node-gyp for io.js compatibility. These patches are found in
03d199276e,
5de334c230, and
da730c76e9. This commit squashes
them into a single commit.
PR-URL: https://github.com/iojs/io.js/pull/990
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
On Windows, when compiling with `UNICODE` defined, `LoadLibrary` becomes
`LoadLibraryW`. When an ASCII string is passed to that function it
crashes.
PR-URL: https://github.com/iojs/io.js/pull/226
Reviewed-By: Bert Belder <bertbelder@gmail.com>
The delay-load hook allows node.exe/iojs.exe to be renamed. See efadffe
for more background.
PR-URL: https://github.com/iojs/io.js/pull/1433
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
On Windows, when node or io.js attempts to dynamically load a compiled
addon, the compiled addon tries to load node.exe or iojs.exe again -
depending on which import library the module used when it was linked.
This causes many compiled addons to break when node.exe or iojs.exe are
renamed, because when the binary has been renamed the addon DLL can't
find the (right) .exe file to load its imports from.
This patch gives compiled addon developers an option to overcome this
restriction by compiling a delay-load hook into their binary. The
delay-load hook ensures that whenever a module tries to load imports
from node.exe/iojs.exe, it'll just look at the process image, thereby
making the addon work regardless of what name the node/iojs binary has.
To enable this feature, the addon developer must set the
'win_delay_load_hook' option to 'true' in their binding.gyp file, like
this:
```
{
'targets': [
{
'target_name': 'ernie',
'win_delay_load_hook': 'true',
...
```
Bug: https://github.com/iojs/io.js/issues/751
Bug: https://github.com/iojs/io.js/issues/965
Upstream PR: https://github.com/TooTallNate/node-gyp/pull/599
PR-URL: https://github.com/iojs/io.js/pull/1251
Reviewed-By: Rod Vagg <rod@vagg.org>
PR-URL: https://github.com/iojs/io.js/pull/1266
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Every npm version bump requires a few patches to be floated on
node-gyp for io.js compatibility. These patches are found in
03d199276e,
5de334c230, and
da730c76e9. This commit squashes
them into a single commit.
PR-URL: https://github.com/iojs/io.js/pull/990
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit applies a secondary change in order to make `make test`
pass cleanly, specifically re-disabling post-mortem debugging in
common.gypi.
PR-URL: https://github.com/iojs/io.js/pull/1506
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This includes the out-of-tree patch (but fixed in upstream HEAD) from
commit 41c00a2 ("deps: enable v8 postmortem debugging again".)
PR-URL: https://github.com/iojs/io.js/pull/1399
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This commit applies some secondary changes in order to make `make test`
pass cleanly:
* disable broken postmortem debugging in common.gypi
* drop obsolete strict mode test in parallel/test-repl
* drop obsolete test parallel/test-v8-features
PR-URL: https://github.com/iojs/io.js/pull/1232
Reviewed-By: Fedor Indutny <fedor@indutny.com>
The delay-load hook allows node.exe/iojs.exe to be renamed. See efadffe
for more background.
PR-URL: https://github.com/iojs/io.js/pull/1433
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
On Windows, when node or io.js attempts to dynamically load a compiled
addon, the compiled addon tries to load node.exe or iojs.exe again -
depending on which import library the module used when it was linked.
This causes many compiled addons to break when node.exe or iojs.exe are
renamed, because when the binary has been renamed the addon DLL can't
find the (right) .exe file to load its imports from.
This patch gives compiled addon developers an option to overcome this
restriction by compiling a delay-load hook into their binary. The
delay-load hook ensures that whenever a module tries to load imports
from node.exe/iojs.exe, it'll just look at the process image, thereby
making the addon work regardless of what name the node/iojs binary has.
To enable this feature, the addon developer must set the
'win_delay_load_hook' option to 'true' in their binding.gyp file, like
this:
```
{
'targets': [
{
'target_name': 'ernie',
'win_delay_load_hook': 'true',
...
```
Bug: https://github.com/iojs/io.js/issues/751
Bug: https://github.com/iojs/io.js/issues/965
Upstream PR: https://github.com/TooTallNate/node-gyp/pull/599
PR-URL: https://github.com/iojs/io.js/pull/1251
Reviewed-By: Rod Vagg <rod@vagg.org>
PR-URL: https://github.com/iojs/io.js/pull/1266
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Every npm version bump requires a few patches to be floated on
node-gyp for io.js compatibility. These patches are found in
03d199276e,
5de334c230, and
da730c76e9. This commit squashes
them into a single commit.
PR-URL: https://github.com/iojs/io.js/pull/990
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Remove Readme.md, as the subsequent npm update commit creates a
README.md. Combining the create and delete operations into the
same commit leads to OSX machines running into issues – they
don't detect it as a rename, instead trying to create a new
README.md, which fails because Readme.md hasn't been deleted yet.
This causes the entire operation to fail spectacularly. Thus,
the delete operation is performed first, in this commit, then
the create operation follows in the npm update commit.
PR-URL: https://github.com/iojs/io.js/pull/1456
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
asm files are generated as
- In `deps/openssl/asm/`, make with CC=gcc and ASM=nasm
- In `deps/openssl/asm_obsolute/`, make with no envs for compilers
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Asm files for OpenSSL depends on the version of assembler.
We provide two sets of asm files, one is asm_latest(avx2 and addx
supported) and the other asm_obsolute(without avx1/2 and addx)
The asm_latest needs the version of gas >= 2.23, llvm >= 3.3
or ml64 >= 12 as defined in
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha512-x86_64.pl#L112-L129
, otherwise asm_obsolute are used.
We take MSVS_VERSION in gyp as a version check of assembler on
Windows because the path to ml64.exe was set after configure in
vcbuild.bat and executing ml64.exe was failed in configure.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This includes following changes,
- Updated asm files for each platforms which are required in
openssl-1.0.2a.
- Some perl files need CC and ASM envs. Added a check if these envs
exist. Followed asm files are to be generated with CC=gcc and
ASM=nasm on Linux. See
`deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl`
- Added new 32bit targets/rules with a sse2 flag (OPENSSL_IA32_SSE2)
to generate asm for use SSE2.
- Generating sha512 asm files in x86_64 need output filename which
has 512. Added new rules so as not to use stdout for outputs.
- PERLASM_SCHEME of linux-armv4 is `void` as defined in openssl
Configure. Changed its target/rule and all directories are moved from
arm-elf-gas to arm-void-gas.
deps: add arm64 support in openssl/asm/Makefile
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Update gyp sources for openssl-1.0.2a. The source list was extracted
from Makefiles in `deps/openssl/openssl/{crypto/ssl/engines}`.
Defines are created by referring the table in
`deps/openssl/doc/openssl_define_list.pdf` that was derived from
Makefile entries and outputs of
`deps/openssl/openssl/Configure TABLE`.
Renamed the variable of openssl_sources_arm_elf_gas to
openssl_sources_arm_void_gas to be consistent with PERLASM_SCHEME.
This also includes arm64 support.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
linux-x32 and linux-aarch64(arm64) are officially supported in
openssl-1.0.2. With this fix opensslconf.h for these new architectures
can be generated by Makefile.
The patch for opensslconf.h of linux-x32 with Makefile was removed.
For the fix of opensslconf.h in WIN32/WIN64, adding defines of
OPENSSL_NO_DYNAMIC_ENGINE and OPENSSL_NO_CAPIENG move to openssl.gypi
so that we no longer need insert a patch with Makefile and removed it.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Change all openssl/include/openssl/*.h to include resolved symbolic
links and openssl/crypto/opensslconf.h to refer config/opensslconf.h
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This a backport of da084a5ec6cebd67ae27f2463ebe4a50bb840fa5 in
https://github.com/openssl/openssl by Matt Caswell <matt@openssl.org> as
In certain situations the server provided certificate chain may no
longer be valid. However the issuer of the leaf, or some intermediate
cert is in fact in the trust store.
When building a trust chain if the first attempt fails, then try to
see if alternate chains could be constructed that are trusted.
deps: backport openssl patch of alt cert chains 2
This a backport of 15dba5be6a4482a9ad7e5b846291f31e97e338ca in
https://github.com/openssl/openssl by Matt Caswell <matt@openssl.org> as
Add flag to inhibit checking for alternate certificate chains. Setting this
behaviour will force behaviour as per previous versions of OpenSSL
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>