node 4.2: FIPS-compliance can not compile native libraries after install #3815
Comments
mscdex
added
tls
|
Ok, so after a couple hours of testing/work I at least have a work-around that is functioning. I installed the wrappers in deps/openssl/fips/{fipsld,fipscc} into /usr/include/node/openssl/fips/, then when I built I ran configure with --openssl-fips as normal, but edited the config.gypi file before running make to change the BUILDDIR/deps/openssl/fips/fipsld line to /usr/include/node/openssl/fips/fipsld. I am creating/created RPMs so I did this all a bit more dynamically with specfiles, but essentially this works. I attempted originally to edit the install.py script to push the fipsld/fipscc wrappers out with the make install command only if openssl_fips was set, which worked, but since that was after nodejs binary was already built with the other settings, process.config still returned the build path which still caused the same npm install failures. This is certainly not an ideal solution, I think a more ideal solution is going to require a lot more refactoring on how to build for FIPS-compliance. |
|
This is... unfortunate. I haven't been running into this problem because I was compiling Node and installing it on the same machine as OpenSSL, so the paths were resolving correctly. I'll try to look at this next week, if you don't beat me to it. :) |
Prevent OpenSSL's fipsld from being used to link native modules because this requires the original OpenSSL source to be available after Node's installation. Fixes: #3815 PR-URL: #4023 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Prevent OpenSSL's fipsld from being used to link native modules because this requires the original OpenSSL source to be available after Node's installation. Fixes: #3815 PR-URL: #4023 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Prevent OpenSSL's fipsld from being used to link native modules because this requires the original OpenSSL source to be available after Node's installation. Fixes: #3815 PR-URL: #4023 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Prevent OpenSSL's fipsld from being used to link native modules because this requires the original OpenSSL source to be available after Node's installation. Fixes: nodejs#3815 PR-URL: nodejs#4023 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
When configuring NodeJS with FIPS-compliance, the configure script adds make_global_options that includes a fipsld and fipscc wrapper script around the standard fipsld script when creating the config.gypi file. This works fine to compile NodeJS and install initially; however, when using npm to install native libraries, the compile fails because it does not have access to those initial wrappers scripts.
I am looking for a work-around here, but it seems to me that ideally these wrappers need to be part of the installed files when openssl-fips is enabled in the building of NodeJS and the process.config (which node-gyp reads later to process native library installation) needs to be updated/reflected by this installed location.
The text was updated successfully, but these errors were encountered: