using --enable-fips or --force-fips with crypto.fips=1 fails #11849
Comments
|
/cc @nodejs/crypto |
|
cc @mhdawson |
|
also |
|
Steve had mentioned this to me, its known that there could be an improvement in this area. |
|
Michael provided this work round to protect the app from failing when using fips = 1 and the command line options... if (crypto.fips === 0) { crypto.fips = 1; }to test if fips is off before setting so doesn't try to override in the failing case |
|
I'd have to check the code on the Node.js side, but my first guess is that we get those from openssl and openssl is not very good at filtering/failing gracefully when algs are disabled when FIPs is enabled. We did fix up a few of the low hanging cases in terms of returning better errors, but still far from optimal. |
|
I didn't test but wouldn't this patch resolve it? It calls FIPS_mode_set() only when the desired mode is different from the active mode. diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7005080..4b0e405 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -6002,21 +6002,24 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
} else {
args.GetReturnValue().Set(0);
}
}
void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
#ifdef NODE_FIPS_MODE
- bool mode = args[0]->BooleanValue();
+ const bool enabled = FIPS_mode();
+ const bool enable = args[0]->BooleanValue();
+ if (enable == enabled)
+ return; // No action needed.
if (force_fips_crypto) {
return env->ThrowError(
"Cannot set FIPS mode, it was forced with --force-fips at startup.");
- } else if (!FIPS_mode_set(mode)) {
+ } else if (!FIPS_mode_set(enable)) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
return ThrowCryptoError(env, err);
}
#else
return env->ThrowError("Cannot set FIPS mode in a non-FIPS build.");
#endif /* NODE_FIPS_MODE */
}
|
|
it does look like we pass through the request to openssl in /src/node_crypto.cc and so may not be easily filtered to the current available set void GetHashes(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
CipherPushContext ctx(env);
EVP_MD_do_all_sorted(array_push_back<EVP_MD>, &ctx);
args.GetReturnValue().Set(ctx.arr);
} |
|
#12210 raised with @bnoordhuis's patch. Note that this only fixes the original issue raised in this PR. If that lands I'll reopen to address the second issue:
|
|
@gibfahn Are you still planning to get the resolution to these two issues across the finish line? If so, maybe let's add you as the assignee? And if not, perhaps we can add a |
|
Reopening, the first issue was fixed but I don't think there's a good way to get the list of available ciphers.
|
|
This got closed by updating master in a private repo. Thanks GitHub. |
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
When using a fips enabled build of node:
crypto.fips = 0or1works as expected--enable-fipsandcrypto.fips=0- working as expected (FIPS disabled)--force-fipsandcrypto.fips=0- working as expected with following errorI'm trying to build a migration plan for adopting fips and having both
crypto.fips = 1in the application and--enable-fipsor--force-fipsseems like a valid use case to me ?The text was updated successfully, but these errors were encountered: