Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v14.x backport] crypto: make FIPS related options always awailable #40241

Closed

Conversation

danbev
Copy link
Contributor

@danbev danbev commented Sep 28, 2021

There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
FIPS_mode() function.

This makes the user experience more consistent, because the OpenSSL
library is always queried and the crypto.getFips() always returns
OpenSSL settings.

Fixes #34903

Backport-PR-URL: #40241
PR-URL: #36341
Reviewed-By: Anna Henningsen anna@addaleax.net
Reviewed-By: Michael Dawson midawson@redhat.com
Reviewed-By: Daniel Bevenius daniel.bevenius@gmail.com

There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
`FIPS_mode()` function.

This makes the user experience more consistent, because the OpenSSL
library is always queried and the `crypto.getFips()` always returns
OpenSSL settings.

Fixes nodejs#34903

Backport-PR-URL: nodejs#40241
PR-URL: nodejs#36341
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. v14.x labels Sep 28, 2021
@danbev danbev force-pushed the backport-f392ac0bbe-to-v14.x branch from 209db1c to 2b35f7b Compare September 28, 2021 09:52
@nodejs-github-bot
Copy link
Collaborator

I made a mistake when resolving the conflict in this test and this
commmit fixes it.
@@ -623,8 +623,8 @@ added: v6.9.0
-->

Load an OpenSSL configuration file on startup. Among other uses, this can be
used to enable FIPS-compliant crypto if Node.js is built with
`./configure --openssl-fips`.
used to enable FIPS-compliant crypto if Node.js is built
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will ./configure --openssl-fips still be accepted. Want to understand if this could break existing workflows/builds

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it will still be accepted at configuration time to specify the directory where the FIPS fipscanister.o is located.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mhdawson The ubi81_sharedlibs_openssl111fips_x64 CI job runs with configure --openssl-is-fips (we didn't update the job when #36341 landed).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick confirmation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah sorry confused --open-is-fips with --openssl-fips configure options.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think --openssl-fips works before on Node.js 14 based on configure.py?

node/configure.py

Lines 1382 to 1383 in 95b9240

if options.openssl_fips or options.openssl_fips == '':
error('FIPS is not supported in this version of Node.js')

(--openssl-is-fips does work and is tested in the CI.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I recall correctly it is not possible to enable FIPS with the OpenSSL version that is statically linked with Node.js. This is still the case with upstream/master.
But it is possible to dynamically link to an OpenSSL version that does support FIPS (which is the use case at Red Hat).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danbev that is my understanding as well.

@@ -6866,7 +6875,6 @@ void InitCryptoOnce() {
settings = nullptr;
#endif

#ifdef NODE_FIPS_MODE
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There were changes in the original PR that don't seem to have made it into this block. In crypto_util.cc ->

diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 34058d2dcae9..0d44d0bb4e16 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -142,10 +142,9 @@ void InitCryptoOnce() {
     }
   }
   if (0 != err) {
-    fprintf(stderr,
-            "openssl fips failed: %s\n",
-            ERR_error_string(err, nullptr));
-    UNREACHABLE();
+    auto* isolate = Isolate::GetCurrent();
+    auto* env = Environment::GetCurrent(isolate);
+    return ThrowCryptoError(env, err);
   }

@danbev was that intentional?

Copy link
Contributor Author

@danbev danbev Sep 28, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was not intentional 😞 I'll take a closer look add it tomorrow. Thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've pushed a commit with the missing code now, please take a look.

@nodejs-github-bot
Copy link
Collaborator

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mhdawson
Copy link
Member

One more comment there is a typo in the original commit comment. Assume we can fix up when landing.

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

richardlau pushed a commit that referenced this pull request Nov 25, 2021
There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
`FIPS_mode()` function.

This makes the user experience more consistent, because the OpenSSL
library is always queried and the `crypto.getFips()` always returns
OpenSSL settings.

Fixes: #34903
Backport-PR-URL: #40241
PR-URL: #36341
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@richardlau
Copy link
Member

Landed in 060c962.

@richardlau richardlau closed this Nov 25, 2021
@richardlau richardlau added the semver-minor PRs that contain new features and should be released in the next minor version. label Nov 25, 2021
richardlau pushed a commit that referenced this pull request Nov 30, 2021
There is no reason to hide FIPS functionality behind build flags.
OpenSSL always provide the information about FIPS availability via
`FIPS_mode()` function.

This makes the user experience more consistent, because the OpenSSL
library is always queried and the `crypto.getFips()` always returns
OpenSSL settings.

Fixes: #34903
Backport-PR-URL: #40241
PR-URL: #36341
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants