The `www-authenticate` library used for DIGEST authentication causes runtime crash in FIPS mode

[brycebaril]

Hi all!

We're helping a client get MarkLogic to use certificate-based authentication under FIPS mode. We've got the authentication working without FIPS, but once enabled the www-authenticate library used by marklogic immediately crashes the runtime in FIPS mode. The www-authenticate package (https://www.npmjs.com/package/www-authenticate) is abandoned, so we should not expect a change there. The issue there is quite simple:

https://github.com/randymized/www-authenticate/blob/master/lib/md5.js#L2 immediately creates a md5sum at require time (presumably as a functionality test)

This will crash under FIPS even if DIGEST auth is not being used, simply due to www-authenticate package being present at all. Simply removing that line is enough to resolve the issue under FIPS.

I was not able to immediately find a quick replacement package. As a potential solution I've put together a zero-dependency DIGEST implementation here: #962. Let me know if you have alternative approaches, but this is a blocker for our client.

[rjrudin]

@brycebaril To clarify - when you "under FIPS mode", are you referring to a configuration on the Node Client, a configuration on the MarkLogic side (i.e. the "SSL FIPS Enabled" flag on the cluster page), or both? Just want to make sure we can reproduce this accurately.

[brycebaril]

@rjrudin The Node Client; enabling FIPS in the application server communicating with MarkLogic. When running Node on a system with FIPS enabled, require('marklogic') is going to immediately abort due to require('www-authenticate') causing the Abort.

Sep 17 21:11:00 app-01 node[6656]:  opensslErrorStack: [
Sep 17 21:11:00 app-01 node[6656]:    'error:03000086:digital envelope routines::initialization error',
Sep 17 21:11:00 app-01 node[6656]:    'error:0308010C:digital envelope routines::unsupported'
Sep 17 21:11:00 app-01 node[6656]:  ],
Sep 17 21:11:00 app-01 node[6656]:  library: 'digital envelope routines',
Sep 17 21:11:00 app-01 node[6656]:  reason: 'unsupported',
Sep 17 21:11:00 app-01 node[6656]:  code: 'ERR_OSSL_EVP_UNSUPPORTED'
Sep 17 21:11:00 app-01 node[6656]: }

[rjrudin]

@brycebaril We actually looked at replacing this library over a year ago but did not find a suitable replacement. We're considering the following approach and wondering if you may have tried it as well:

1. Copy the 4 files comprising the www-authenticate library into the Node Client source code.
2. Remove the offending line from the md5.js library.
3. Remove www-authenticate as a 3rd party dependency.

Our initial tests look promising with this, and it seems to minimize the number of changes.

[anu3990]

@brycebaril Thank you for bringing this to our attention. Can you please confirm the OS you are using. This will help us in streamlining the solution.

[brycebaril]

@rjrudin that solution is also reasonable and should be the easiest way to keep feature-for-feature compatibility. Based on our tests that manually did the same removal of that line it should work.

edit: the code is MIT, so you should be able to bring it in if you bring in the license

@anu3990 RHEL 9 with FIPS enabled

[anu3990]

@brycebaril Node Client 3.7.1 was released earlier today - https://www.npmjs.com/package/marklogic with fix for this issue. Request you to try and let us know. The fix is also available in the master branch.

[brycebaril]

Awesome, thank you so much! I will have the team try it out now.

[brycebaril]

Everything is working well now, thank you for your prompt responses! Fixed as of release https://github.com/marklogic/node-client-api/releases/tag/3.7.1