Currently using the --openssl-is-fips configuration option in
combination with --ninja is broken.
This commit fixes two issues, one being an issue with the linker/version
script path variable. The second is that the locations of built
artifacts that differ for ninja and make.
ninja:
$ ./configure --openssl-is-fips --ninja
$ ninja -C out/Release
$ ./node --enable-fips -p 'crypto.getFips()'
1
make:
$ ./configure --openssl-is-fips
$ make -j8
$ ./node --enable-fips -p 'crypto.getFips()'
1
PR-URL: https://github.com/nodejs/node/pull/40518
Refs: https://github.com/nodejs/node/issues/40509
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
This commit add the missing legacy provider source code which is
requried for statically linking the OpenSSL legacy provider.
Co-authored-by: Richard Lau <rlau@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/40478
Refs: https://github.com/nodejs/node/issues/40455
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This pull request updates the OpenSSL version that is statically
linked with Node.js from OpenSSl 1.1.1 to quictls OpenSSL 3.0.0+quic.
This pull request will replace the OpenSSL version that is currently
in the deps directory and when performing a normal build
OpenSSL 3.0+quic will be statically linked to the Node.js executable.
We will still be able to dynamically link to OpenSSL 1.1.1 and we have
a CI job which dynamically links to OpenSSL 1.1.1 which is run for
every pull request to make sure that we maintain backward compatibility.
PR-URL: https://github.com/nodejs/node/pull/38512
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Make `distutils.version.StrictVersion` available as a helper to
gyp expressions so they can do proper version checks and update
the gyp files accordingly.
Caveat emptor: `StrictVersion` does *not* like empty strings so
this commit adds truthiness guards. The helper could deal with
those but I felt it better to make it explicit.
Fixes: https://github.com/nodejs/node/issues/29927
PR-URL: https://github.com/nodejs/node/pull/29931
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
If GYP finds a string variable that can be converted to an integer,
it will do it when the variable is expanded. Use "0.0" instead of "0"
to force strings and be able to use comparison operations such as
`gas_version >= "2.26"` in Python 3.
PR-URL: https://github.com/nodejs/node/pull/29897
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
This adds ARM64 Windows support in the OpenSSL build system.
Since OpenSSL's ARM64 Windows support does not have support for ASM--
that is, VC-WIN64-ARM inherits from VC-noCE-common which has no ASM
files--`openssl_no_asm.gypi` is always used for building. This
essentially forces the 'no-asm' Configure flag.
PR-URL: https://github.com/nodejs/node/pull/26001
Fixes: https://github.com/nodejs/node/issues/25998
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
OpenSSL-1.1.1 has new support of AVX-512 but AVX-2 asm files still need
to be generated for the older assembler support to keep backward
compatibilities.
PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
There is reason to believe the generated assembly isn't working
correctly so let's disable it for now pending further investigation.
PR-URL: https://github.com/nodejs/node/pull/24270
Refs: https://github.com/nodejs/node/issues/23913
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit has a new binding scheme in builing OpenSSL-1.1.0 library
with Node. OpenSSL-1.1.0 uses a new build system with perl for various
supported platforms. See `Configurations/README` and
`Configurations/README.design` in the OpenSSL source for details.
In order to build OpenSSL library without perl in the build of Node
for various supported platforms, platform dependent files (e.g. asm
and header files ) are pre-generated and stored into the `config/arch`
directory.
- Makefile and generate_gypi.pl
Makefile has supported platform list and generates and copies platform
dependent files (e.g. asm files) into arch directory with
generate_gypi.pl. Platform dependent gypi files also created obtaining
build information from `configdata.pm` that is generated with
`Configure` in the OpenSSL build system.
For Windows, `Configure` generates makefile that is only available to
nmake command. Since nmake is not supported in Linux,
`Makefile_VC-WIN32` and `Makefile_VC-WIN64A` are made created by hand
for the use of GNU make. If make rules or targets are changed in the
version up of OpenSSL, they should be also updated.
The following files are used in upgrading openssl-1.1.0.
- gyp and gypi files
openssl.gyp has two targets of openssl and openssl-cli referred from
node.gyp. They includes asm and no_asm gypi files with arch dependent
gypi according to its build options and platforms . The gyp data which
is common with asm and no_asm are stored in openssl_common.gypi.
- header files
bn_conf.h, dso_conf.h and opensslconf.h are platform dependent in the
OpenSSL sources. They are replaced with *.h.tmpl files to include the
file in the `../../../config/` and referred to each arch files that
depends on asm and no-asm option.
Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
We already disable `-Wmissing-field-initializers` on other Unices but
not on MacOS.
PR-URL: https://github.com/nodejs/node/pull/19046
Fixes: https://github.com/nodejs/node/issues/18983
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
BSD build with GCC was broken because it was checking for the
llvm_version variable on common.gypi, even though llvm wasn't
installed (or needed).
PR-URL: https://github.com/nodejs/node/pull/16737
Fixes: https://github.com/nodejs/node/issues/16257
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Use `msvs_settings.MASM.UseSafeExceptionHandlers` when building OpenSSL
assembly code on Windows. This option appends `/safeseh` to the list of
assembler flags when building `.asm` files on Windows.
Having this option in place, separate rules in `masm_compile.gypi` are
no longer needed.
Fix: #7426
PR-URL: https://github.com/nodejs/node/pull/7427
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Use the "Apple LLVM" version number since the banner has changed in
newer versions of Mac OS X, resulting in the obsolete assembler path
being used to compile OpenSSL.
PR-URL: https://github.com/nodejs/node/pull/5553
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
These are the core changes that allow AIX to compile. There
are still some test failures as there are some patches needed for
libuv and npm that we'll need to contribute through those
communities but this set allows node to be built on AIX and
pass most of the core tests
The change in js2c is because AIX does not support $ in
identifier names. See the discussion/agreement in
https://github.com/nodejs/node/issues/2272
PR-URL: https://github.com/nodejs/node/pull/2364
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
Reviewed-By: Rod Vagg <r@va.gg>
These are the core changes that allow pLinux BE/LE compile. They
don't include all of the changes needed for AIX which will follow
once we have pLinux up and running in the builds
PR-URL: https://github.com/nodejs/io.js/pull/2124
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
Reviewed-By: Johan Bergstrom <bugs@bergstroem.nu>
Support building and running with FIPS-compliant OpenSSL. The process is
following:
1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
Fix: https://github.com/joyent/node/issues/25463
PR-URL: https://github.com/nodejs/io.js/pull/1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Asm files for OpenSSL depends on the version of assembler.
We provide two sets of asm files, one is asm_latest(avx2 and addx
supported) and the other asm_obsolute(without avx1/2 and addx)
The asm_latest needs the version of gas >= 2.23, llvm >= 3.3
or ml64 >= 12 as defined in
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha512-x86_64.pl#L112-L129
, otherwise asm_obsolute are used.
We take MSVS_VERSION in gyp as a version check of assembler on
Windows because the path to ml64.exe was set after configure in
vcbuild.bat and executing ml64.exe was failed in configure.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Update gyp sources for openssl-1.0.2a. The source list was extracted
from Makefiles in `deps/openssl/openssl/{crypto/ssl/engines}`.
Defines are created by referring the table in
`deps/openssl/doc/openssl_define_list.pdf` that was derived from
Makefile entries and outputs of
`deps/openssl/openssl/Configure TABLE`.
Renamed the variable of openssl_sources_arm_elf_gas to
openssl_sources_arm_void_gas to be consistent with PERLASM_SCHEME.
This also includes arm64 support.
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Updated gyp has "else if" syntax in condition. Use this for
target_arch and OS switches. Several sources, defines, rules and
libraries variables moved to gypi files.
PR-URL: https://github.com/iojs/io.js/pull/1325
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
SSLv2 has been deprecated and known broken for nearly twenty years now.
I made SSLv2 support opt-in well over a year ago in commit 39aa894 and
now this commit removes it entirely.
PR-URL: https://github.com/iojs/io.js/pull/290
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This patch disables two (categories of) warnings:
* deprecation of GetVersionExA
* possible loss of data in implicit conversion of scalar types
These warnings don't seem to point out serious problems, and avoiding
them in openssl is somebody else's business.
PR-URL: https://github.com/iojs/io.js/pull/261
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
After much investigation it turns out that the affected servers are
buggy. user-service.condenastdigital.com:443 in particular seems to
reject large TLS handshake records. Cutting down the number of
advertised ciphers or disabling SNI fixes the issue.
Similarly, passing { secureOptions: constants.SSL_OP_NO_TLSv1_2 }
seems to fix most connection issues with IIS servers.
Having to work around buggy servers is annoying for our users but not
a reason to downgrade OpenSSL. Therefore, revert it.
This reverts commit 4fdb8acdae.
Several people have reported issues with IIS and Resin servers (or maybe
SSL terminators sitting in front of those servers) that are fixed by
downgrading OpenSSL. The AESNI performance improvements were nice but
stability is more important. Downgrade OpenSSL from 1.0.1e to 1.0.0f.
Fixes#5360 (and others).
Microsoft's IIS doesn't support it, and is not replying with ServerHello
after receiving ClientHello which contains it.
The good way might be allowing to opt-out this at runtime from
javascript-land, but unfortunately OpenSSL doesn't support it right now.
see #5119
Commit 8632af3 ("tools: update gyp to r1601") broke the Windows build.
Older versions of GYP link to kernel32.lib, user32.lib, etc. but that
was changed in r1584. See https://codereview.chromium.org/12256017
Fix the build by explicitly linking to the required libraries.
There are no unsafe structured exception handlers in object files
generated from hand-crafted assembly - because they contain no exception
handlers at all.
This patch brings the openssl library that is built with gyp closer
to what the standard build system produces.
All opensslconf.h versions are now merged into a single file, which
makes it easier for compiled addons to locate this file.
This reverts commit 1c88c3b3b5.
It breaks the "read a password from stdin" functionality that OpenSSL provides.
Fixes#4059, #4143.
Conflicts:
deps/openssl/openssl.gyp
