github.com/nodejs/node.git
author: Daniel Bevenius <daniel.bevenius@gmail.com> 2021-04-26 06:52:16 +0300
committer: Michael Dawson <mdawson@devrus.com> 2021-05-14 23:15:19 +0300
commit: 0d7644fddaba7979b08805c6c8fff4ab0677a72e
tree: db7ef4623300d31036a7e7bad3bbe71bc401a08b /src
parent: 35b445d089682aa08f18e383cbc7acc9e5ac956d
build,src,test,doc: enable FIPS for OpenSSL 3.0
This commit enables FIPS when Node.js is dynamically linking against quictls/openssl-3.0.

BUILDING.md has been updated with instructions to configure and build quictls/openssl 3.0.0-alpha-15 and includes a couple of work-arounds which I believe are fixed in alpha-16 and can be removed when alpha-16 is available. The information might be a little too detailed/verbose but I thought it would be helpful to at least initially include all the steps.

PR-URL: https://github.com/nodejs/node/pull/38633
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- src/crypto/crypto_util.cc 15
-rw-r--r-- src/crypto/crypto_util.h 2
2 files changed, 16 insertions, 1 deletions
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 9c35a7cabbf..0d533ce4253 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -14,6 +14,12 @@
#include "math.h"
+#ifdef OPENSSL_FIPS
+#if OPENSSL_VERSION_MAJOR >= 3
+#include "openssl/provider.h"
+#endif
+#endif
+
namespace node {
using v8::ArrayBuffer;
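Review bot: the two nested guards around the `openssl/provider.h` include can be a single `#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR >= 3`, the same form the crypto_util.h hunk of this patch uses for the `< 3` case. The two bare `#endif` lines should also carry the trailing condition comment that the surrounding code uses (`#endif // OPENSSL_FIPS`), so the reader can tell which condition each one closes.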
@@ -197,7 +203,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
#ifdef OPENSSL_FIPS
+#if OPENSSL_VERSION_MAJOR >= 3
+ OSSL_PROVIDER* fips_provider = nullptr;
+ if (OSSL_PROVIDER_available(nullptr, "fips")) {
+ fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+ }
+ const auto enabled = fips_provider == nullptr ? 0 :
+ OSSL_PROVIDER_self_test(fips_provider) ? 1 : 0;
+#else
const auto enabled = FIPS_selftest() ? 1 : 0;
+#endif
#else // OPENSSL_FIPS
const auto enabled = 0;
#endif // OPENSSL_FIPS
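Review bot: in the `OPENSSL_VERSION_MAJOR >= 3` branch of TestFipsCrypto, the handle returned by `OSSL_PROVIDER_load(nullptr, "fips")` is never released with `OSSL_PROVIDER_unload`, so each call takes another reference on the provider and leaves it loaded in the default library context as a side effect of a function that reads as a pure query. Either unload `fips_provider` after `OSSL_PROVIDER_self_test` returns, or add a comment stating that leaving it loaded is intended. Separately, `enabled` is 0 both when the provider is not available and when the self-test fails; if callers are meant to treat those the same, a short comment saying so would help, otherwise the two cases should be distinguishable.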
diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
index 27bb6310b88..f2f61aa4518 100644
--- a/src/crypto/crypto_util.h
+++ b/src/crypto/crypto_util.h
@@ -24,7 +24,7 @@
#endif // !OPENSSL_NO_ENGINE
// The FIPS-related functions are only available
// when the OpenSSL itself was compiled with FIPS support.
-#ifdef OPENSSL_FIPS
+#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3
# include <openssl/fips.h>
#endif // OPENSSL_FIPS
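Review bot: the trailing comment on the closing line still reads `#endif // OPENSSL_FIPS` although the condition is now `defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3`; update it to match. The comment above the guard ("The FIPS-related functions are only available when the OpenSSL itself was compiled with FIPS support") should also say that `openssl/fips.h` is only included for OpenSSL versions before 3, since that is the new part of the condition and the reason for it is not documented here.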